From: Scott Mayhew <smayhew@redhat.com>
To: "Tyler W. Ross" <TWR@tylerwross.com>
Cc: Trond Myklebust <trondmy@kernel.org>,
	Chuck Lever <chuck.lever@oracle.com>,
	Anna Schumaker <anna@kernel.org>,
	Salvatore Bonaccorso <carnil@debian.org>,
	"1120598@bugs.debian.org" <1120598@bugs.debian.org>,
	Jeff Layton <jlayton@kernel.org>, NeilBrown <neil@brown.name>,
	Steve Dickson <steved@redhat.com>,
	Olga Kornievskaia <okorniev@redhat.com>,
	Dai Ngo <Dai.Ngo@oracle.com>, Tom Talpey <tom@talpey.com>,
	linux-nfs@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: ls input/output error ("NFS: readdir(/) returns -5") on krb5 NFSv4 client using SHA2
Date: Mon, 17 Nov 2025 18:05:19 -0500
Message-ID: <aRuqLwKjTOxWbK6t@aion>
In-Reply-To: <ji2_uZ3RNtBdATHSokoxSrIXMAi4zh2jZXEd0WownMtXo_WNIseAeeDZoBFjT54nCE1Iw0PcGgfORC5p39CP9KGqjY6T2wqeBRGonjIjfXM=@tylerwross.com>

On Mon, 17 Nov 2025, Tyler W. Ross wrote:

> Weird behavior I just discovered:
> 
> Explicitly setting allowed-enctypes in the gssd section of /etc/nfs.conf
> to exclude aes256-cts-hmac-sha1-96 makes both SHA2 ciphers work as
> expected (assuming each is allowed).
> 
> If allowed-enctypes is unset (letting gssd interrogate the kernel for
> supported enctypes) or includes aes256-cts-hmac-sha1-96, then the XDR
> overflow occurs.
> 
> Non-working configurations (first is the commented-out default in nfs.conf):
> allowed-enctypes=aes256-cts-hmac-sha384-192,aes128-cts-hmac-sha256-128,camellia256-cts-cmac,camellia128-cts-cmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
> allowed-enctypes=aes256-cts-hmac-sha384-192,aes256-cts-hmac-sha1-96
> allowed-enctypes=aes128-cts-hmac-sha256-128,aes256-cts-hmac-sha1-96
> allowed-enctypes=aes256-cts-hmac-sha384-192,aes128-cts-hmac-sha256-128,aes256-cts-hmac-sha1-96
> 
> Working configurations (first is default sans aes256-cts-hmac-sha1-96):
> allowed-enctypes=aes256-cts-hmac-sha384-192,aes128-cts-hmac-sha256-128,camellia256-cts-cmac,camellia128-cts-cmac,aes128-cts-hmac-sha1-96
> allowed-enctypes=aes256-cts-hmac-sha384-192,aes128-cts-hmac-sha256-128
> allowed-enctypes=aes256-cts-hmac-sha384-192,aes128-cts-hmac-sha1-96
> allowed-enctypes=aes128-cts-hmac-sha256-128,aes128-cts-hmac-sha1-96
> 

That doesn't really make sense.  You should only need to use the
allowed-enctypes setting if you're talking to an NFS server that doesn't
have support for the new encryption types.

It basically works like the "permitted_enctypes" option in krb5.conf,
except it only affects NFS rather than affecting your krb5 configuration
as a whole.

Can you go back and re-do the tracepoint capture, except this time
umount your NFS filesystems before starting the capture (i.e. perform
the mount command while trace-cmd is running)?  I'm curious what values
the rpcgss_update_slack tracepoint shows.

> 
> Is this gssd mishandling some setup/initialization?
> Or is there a miscalculation happening somewhere further up?
> 
> 
> TWR
> 

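As an added example (not code from the thread or from nfs-utils), a small Python check that reads the [gssd] section of an nfs.conf, reports whether allowed-enctypes is unset or includes aes256-cts-hmac-sha1-96, and flags the combinations Tyler reported as non-working. The sample config text is constructed; the classification only mirrors his observations, not a confirmed root cause.

```python
import configparser

# Constructed sample of the relevant part of /etc/nfs.conf. As in the
# thread, the shipped default allowed-enctypes line is commented out and
# an explicit setting follows it.
SAMPLE_NFS_CONF = """
[gssd]
# allowed-enctypes=aes256-cts-hmac-sha384-192,aes128-cts-hmac-sha256-128,camellia256-cts-cmac,camellia128-cts-cmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
allowed-enctypes=aes256-cts-hmac-sha384-192,aes128-cts-hmac-sha256-128,aes256-cts-hmac-sha1-96
"""

SHA2_ENCTYPES = {"aes256-cts-hmac-sha384-192", "aes128-cts-hmac-sha256-128"}
# The enctype whose presence Tyler correlated with the XDR overflow.
SUSPECT_ENCTYPE = "aes256-cts-hmac-sha1-96"


def gssd_enctypes(conf_text):
    """Return the [gssd] allowed-enctypes list, or None when it is unset
    (gssd then asks the kernel which enctypes it supports)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    raw = cp.get("gssd", "allowed-enctypes", fallback=None)
    if raw is None or not raw.strip():
        return None
    return [e.strip() for e in raw.split(",") if e.strip()]


def classify(enctypes):
    """Summarise a config against the working/non-working lists in the
    report: unset, or any list containing aes256-cts-hmac-sha1-96, was
    reported as failing; SHA2-only lists (with or without the AES-128
    SHA-1 enctype) were reported as working."""
    if enctypes is None:
        return {"setting": "unset", "has_sha2": None,
                "has_suspect": None, "matches_reported_failure": True}
    has_sha2 = any(e in SHA2_ENCTYPES for e in enctypes)
    has_suspect = SUSPECT_ENCTYPE in enctypes
    return {"setting": "explicit", "has_sha2": has_sha2,
            "has_suspect": has_suspect,
            "matches_reported_failure": has_suspect}


if __name__ == "__main__":
    ets = gssd_enctypes(SAMPLE_NFS_CONF)
    print("allowed-enctypes:", ets)
    print(classify(ets))
```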