Bug#1120598: ls input/output error ("NFS: readdir(/) returns -5") on krb5 NFSv4 client using SHA2
- To: "Tyler W. Ross" <TWR@tylerwross.com>
- Cc: Scott Mayhew <smayhew@redhat.com>, Trond Myklebust <trondmy@kernel.org>, Chuck Lever <chuck.lever@oracle.com>, Anna Schumaker <anna@kernel.org>, "1120598@bugs.debian.org" <1120598@bugs.debian.org>, Jeff Layton <jlayton@kernel.org>, NeilBrown <neil@brown.name>, Steve Dickson <steved@redhat.com>, Olga Kornievskaia <okorniev@redhat.com>, Dai Ngo <Dai.Ngo@oracle.com>, Tom Talpey <tom@talpey.com>, linux-nfs@vger.kernel.org, linux-kernel@vger.kernel.org, Simon Josefsson <simon@josefsson.org>
- Subject: Bug#1120598: ls input/output error ("NFS: readdir(/) returns -5") on krb5 NFSv4 client using SHA2
- From: Salvatore Bonaccorso <carnil@debian.org>
- Date: Wed, 19 Nov 2025 05:50:17 +0100
- Message-id: <[🔎] aR1MiaZYVc4kR8Yf@eldamar.lan>
- Reply-to: Salvatore Bonaccorso <carnil@debian.org>, 1120598@bugs.debian.org
- In-reply-to: <[🔎] 85cd9202-dc22-41b8-8a20-e82cd118215f@TylerWRoss.com>
- References: <[🔎] aRZL8kbmfbssOwKF@eldamar.lan> <[🔎] fVv3cF7Ulh3cKUP17C98gh_uOv9BcMlMpsIh1Nv5_0tdw-75PKiPJgIEP5o2jBVry7orwz7jeiGQenfCbuUxyj5JFstbx3RTFYr223qDmV0=@tylerwross.com> <[🔎] a6d1435b-f507-49eb-b80c-4322dc7e1157@oracle.com> <[🔎] Y79HV0VGpScPYqI_dDxeItkX2UZwSdReaUOpIeMeZXq2HLsHf5J_PTQqr7HrBYygICRsn-OB89QPrxPzjgv2smuzTThUPy_3fq_N1NprlUg=@tylerwross.com> <[🔎] 4a63ad3d-b53a-4eab-8ffb-dd206f52c20e@oracle.com> <902ff4995d8e75ad1cd2196bf7d8da42932fba35.camel@kernel.org> <[🔎] aRunktdq8sJ7Eecj@aion> <[🔎] db8b1ef4-afbb-4c23-b7f1-9ae688cef363@TylerWRoss.com> <[🔎] aRyyWy6hO1ueKf5_@aion> <[🔎] 85cd9202-dc22-41b8-8a20-e82cd118215f@TylerWRoss.com> <[🔎] 176298368872.955.14091113173156448257.reportbug@nfsclient-sid.ipa.twrlab.net>
Hi,
On Tue, Nov 18, 2025 at 11:43:29PM +0000, Tyler W. Ross wrote:
> On 11/18/25 10:52 AM, Scott Mayhew wrote:
> > Oh! I see the problem. If the automatically acquired service ticket
> > for a normal user is using aes256-cts-hmac-sha1-96, then I'm assuming
> > the machine credential is also using aes256-cts-hmac-sha1-96.
> > Run 'klist -ce /tmp/krb5ccmachine_IPA.TWRLAB.NET' to check. You can't
> > use 'kvno -e' to choose a different encryption type. Why are you doing
> > that?
>
> Aha! Thank you!
Thanks to all helping to debug this issue when reported downstream in
Debian, your time invested is very much appreciated!
> That's exactly the case: the machine credential is
> aes256-cts-hmac-sha1-96.
>
> So, taking a step back for context/background: this issue was escalated to
> me by someone attempting to use constrained delegation via gssproxy. In the
> course of troubleshooting that, we found (by examining the krb5kdc logs on
> the IPA server) that the NFS service ticket acquired by gssproxy had an
> aes256-cts-hmac-sha384-192 session key.
>
> Not understanding that the machine and user tickets must having matching
> enctypes, I ended up down this rabbit hole thinking the problem
> was with the SHA2 enctypes. Sorry to bring you all with me on that
> misadventure.
>
>
>
> The actual issue at hand then seems to be that gssproxy is requesting (and
> receiving) a service ticket with an unusable (for the NFS mount) enctype,
> when performing constrained delegation/S4U2Proxy.
>
> krb5kdc logs of gssproxy performing S4U2Self and S4U2Proxy:Nov 18 18:06:51
> directory.ipa.twrlab.net krb5kdc[8463](info): TGS_REQ (8 etypes
> {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
> aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
> UNSUPPORTED:des3-hmac-sha1(16), DEPRECATED:arcfour-hmac(23),
> camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.108.2.105: ISSUE:
> authtime 1763506600, etypes {rep=aes256-cts-hmac-sha1-96(18),
> tkt=aes256-cts-hmac-sha384-192(20), ses=aes256-cts-hmac-sha1-96(18)},
> host/nfsclient.ipa.twrlab.net@IPA.TWRLAB.NET for
> host/nfsclient.ipa.twrlab.net@IPA.TWRLAB.NET
> Nov 18 18:06:51 directory.ipa.twrlab.net krb5kdc[8463](info):
> ... PROTOCOL-TRANSITION s4u-client=jsmith@IPA.TWRLAB.NET
> Nov 18 18:06:51 directory.ipa.twrlab.net krb5kdc[8463](info): closing down
> fd 4
> Nov 18 18:06:51 directory.ipa.twrlab.net krb5kdc[8465](info): TGS_REQ (4
> etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
> aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 10.108.2.105:
> ISSUE: authtime 1763506600, etypes {rep=aes256-cts-hmac-sha1-96(18),
> tkt=aes256-cts-hmac-sha384-192(20), ses=aes256-cts-hmac-sha384-192(20)},
> host/nfsclient.ipa.twrlab.net@IPA.TWRLAB.NET for
> nfs/nfssrv.ipa.twrlab.net@IPA.TWRLAB.NET
> Nov 18 18:06:51 directory.ipa.twrlab.net krb5kdc[8465](info): ...
> CONSTRAINED-DELEGATION s4u-client=jsmith@IPA.TWRLAB.NET
> Nov 18 18:06:51 directory.ipa.twrlab.net krb5kdc[8465](info): closing down
> fd 11
>
>
> On the Fedora 43 client, gssproxy also acquires an
> aes256-cts-hmac-sha384-192 service ticket, but the machine credential is
> aes256-cts-hmac-sha384-192 and everything works as-ex
> pected.
I'm looping in here the gssproxy maintainer as well. Simon, this is
about https://bugs.debian.org/1120598 . I assume there is nothing on
gssroxy side which can be done to warn about the situation, quoting
again:
> The actual issue at hand then seems to be that gssproxy is requesting (and
> receiving) a service ticket with an unusable (for the NFS mount) enctype,
> when performing constrained delegation/S4U2Proxy.
?
Regards,
Salvatore
Reply to: