Bug#1120598: ls input/output error ("NFS: readdir(/) returns -5") on krb5 NFSv4 client using SHA2
- To: "Tyler W. Ross" <TWR@tylerwross.com>, Trond Myklebust <trondmy@kernel.org>
- Cc: Anna Schumaker <anna@kernel.org>, Salvatore Bonaccorso <carnil@debian.org>, "1120598@bugs.debian.org" <1120598@bugs.debian.org>, Jeff Layton <jlayton@kernel.org>, NeilBrown <neil@brown.name>, Scott Mayhew <smayhew@redhat.com>, Steve Dickson <steved@redhat.com>, Olga Kornievskaia <okorniev@redhat.com>, Dai Ngo <Dai.Ngo@oracle.com>, Tom Talpey <tom@talpey.com>, linux-nfs@vger.kernel.org, linux-kernel@vger.kernel.org
- Subject: Bug#1120598: ls input/output error ("NFS: readdir(/) returns -5") on krb5 NFSv4 client using SHA2
- From: Chuck Lever <chuck.lever@oracle.com>
- Date: Mon, 17 Nov 2025 08:41:03 -0500
- Message-id: <[🔎] e5112807-a427-4762-b7b9-ecaa95fa0482@oracle.com>
- Reply-to: Chuck Lever <chuck.lever@oracle.com>, 1120598@bugs.debian.org
- In-reply-to: <[🔎] ji2_uZ3RNtBdATHSokoxSrIXMAi4zh2jZXEd0WownMtXo_WNIseAeeDZoBFjT54nCE1Iw0PcGgfORC5p39CP9KGqjY6T2wqeBRGonjIjfXM=@tylerwross.com>
- References: <[🔎] 176298368872.955.14091113173156448257.reportbug@nfsclient-sid.ipa.twrlab.net> <[🔎] aRZZoNB5rsC8QUi4@eldamar.lan> <[🔎] de44bf50-0c87-4062-b974-0b879868c0f5@oracle.com> <[🔎] AVpI5XolCCA38sGzxlfk6azQI9oUAxafUVl9B7B1WgJEmGgSAQq5nvulQO6P_RQqjBp3adqasHFsodhAAxai0dcp5scRMJk0dLsGMQeSiew=@tylerwross.com> <[🔎] fVv3cF7Ulh3cKUP17C98gh_uOv9BcMlMpsIh1Nv5_0tdw-75PKiPJgIEP5o2jBVry7orwz7jeiGQenfCbuUxyj5JFstbx3RTFYr223qDmV0=@tylerwross.com> <[🔎] a6d1435b-f507-49eb-b80c-4322dc7e1157@oracle.com> <[🔎] Y79HV0VGpScPYqI_dDxeItkX2UZwSdReaUOpIeMeZXq2HLsHf5J_PTQqr7HrBYygICRsn-OB89QPrxPzjgv2smuzTThUPy_3fq_N1NprlUg=@tylerwross.com> <[🔎] 4a63ad3d-b53a-4eab-8ffb-dd206f52c20e@oracle.com> <902ff4995d8e75ad1cd2196bf7d8da42932fba35.camel@kernel.org> <[🔎] ji2_uZ3RNtBdATHSokoxSrIXMAi4zh2jZXEd0WownMtXo_WNIseAeeDZoBFjT54nCE1Iw0PcGgfORC5p39CP9KGqjY6T2wqeBRGonjIjfXM=@tylerwross.com> <[🔎] 176298368872.955.14091113173156448257.reportbug@nfsclient-sid.ipa.twrlab.net>
On 11/17/25 12:19 AM, Tyler W. Ross wrote:
> Weird behavior I just discovered:
>
> Explicitly setting allowed-enctypes in the gssd section of /etc/nfs.conf
> to exclude aes256-cts-hmac-sha1-96 makes both SHA2 ciphers work as
> expected (assuming each is allowed).
>
> If allowed-enctypes is unset (letting gssd interrogate the kernel for
> supported enctypes) or includes aes256-cts-hmac-sha1-96, then the XDR
> overflow occurs.
>
> Non-working configurations (first is the commented-out default in nfs.conf):
> allowed-enctypes=aes256-cts-hmac-sha384-192,aes128-cts-hmac-sha256-128,camellia256-cts-cmac,camellia128-cts-cmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
> allowed-enctypes=aes256-cts-hmac-sha384-192,aes256-cts-hmac-sha1-96
> allowed-enctypes=aes128-cts-hmac-sha256-128,aes256-cts-hmac-sha1-96
> allowed-enctypes=aes256-cts-hmac-sha384-192,aes128-cts-hmac-sha256-128,aes256-cts-hmac-sha1-96
>
> Working configurations (first is default sans aes256-cts-hmac-sha1-96):
> allowed-enctypes=aes256-cts-hmac-sha384-192,aes128-cts-hmac-sha256-128,camellia256-cts-cmac,camellia128-cts-cmac,aes128-cts-hmac-sha1-96
> allowed-enctypes=aes256-cts-hmac-sha384-192,aes128-cts-hmac-sha256-128
> allowed-enctypes=aes256-cts-hmac-sha384-192,aes128-cts-hmac-sha1-96
> allowed-enctypes=aes128-cts-hmac-sha256-128,aes128-cts-hmac-sha1-96
>
>
> Is this gssd mishandling some setup/initialization?
> Or is there a miscalculation happening somewhere further up?
Does Debian's user space Kerberos support the sha2 enctypes?
--
Chuck Lever
Reply to: