From: Scott Mayhew <smayhew@redhat.com>
To: steved@redhat.com
Cc: =carnil@debian.org, linux-nfs@vger.kernel.org
Subject: [nfs-utils PATCH RFC 0/4] Rework the handling of encryption types in rpc.gssd
Date: Fri, 13 Feb 2026 17:40:08 -0500 [thread overview]
Message-ID: <20260213224012.2608126-1-smayhew@redhat.com> (raw)
These patches address the issue described in "nfs: ls input/output error
("NFS: readdir(/) returns -5") on krb5 NFSv4 client using SHA2"
(https://bugs.debian.org/1120598).
The core issue is that when the krb5 library does a TGS request, it
initially does so with referrals enabled, disregarding the enctypes list
supplied by the requesting application. It still checks the resulting
ticket to ensure that it's using one of the requested enctypes, but it
may not the highest priority enctype from our list. See
make_request_for_service(), step_referrals(), and wrong_enctype() in the
krb5 code.
The problem arises if it does this when setting up the machine
credential, but it doesn't do it when setting up a user's credential
(which can happen in the case of constrained-delegation via gssproxy).
That can lead to the machine credential and the user credentials using
different enctypes, leading to XDR decoding failures described in the
above bug.
These patches aim to address that issue by making sure that the list we
pass to limit_krb5_enctypes is in the same order as the default list
in the krb5 library.
Scott Mayhew (4):
gssd: remove the limit-to-legacy-enctypes option
gssd: add enctypes_list_to_string()
gssd: get the permitted enctypes from the krb5 library on startup
gssd: add a helper to determine the set of encryption types to pass to
limit_krb5_enctypes()
nfs.conf | 1 -
systemd/nfs.conf.man | 2 +-
utils/gssd/gssd.c | 16 +--
utils/gssd/gssd.man | 30 +---
utils/gssd/gssd_proc.c | 15 ++
utils/gssd/krb5_util.c | 311 +++++++++++++++++++++++++++++++++--------
utils/gssd/krb5_util.h | 5 +-
7 files changed, 284 insertions(+), 96 deletions(-)
--
2.52.0
next reply other threads:[~2026-02-13 22:40 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-13 22:40 Scott Mayhew [this message]
2026-02-13 22:40 ` [nfs-utils PATCH RFC 1/4] gssd: remove the limit-to-legacy-enctypes option Scott Mayhew
2026-02-13 22:40 ` [nfs-utils PATCH RFC 2/4] gssd: add enctypes_list_to_string() Scott Mayhew
2026-02-13 22:40 ` [nfs-utils PATCH RFC 3/4] gssd: get the permitted enctypes from the krb5 library on startup Scott Mayhew
2026-02-13 22:40 ` [nfs-utils PATCH RFC 4/4] gssd: add a helper to determine the set of encryption types to pass to limit_krb5_enctypes() Scott Mayhew
2026-02-28 17:14 ` [nfs-utils PATCH RFC 0/4] Rework the handling of encryption types in rpc.gssd Steve Dickson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260213224012.2608126-1-smayhew@redhat.com \
--to=smayhew@redhat.com \
--cc==carnil@debian.org \
--cc=linux-nfs@vger.kernel.org \
--cc=steved@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox