
   linux.debian.kernel      Debian kernel discussions      2,884 messages   


   Message 1,577 of 2,884   
   Scott Mayhew to Tyler W. Ross   
   Bug#1120598: ls input/output error ("NFS   
   18 Nov 25 00:10:01   
   
   XPost: linux.debian.bugs.dist, linux.kernel   
   From: smayhew@redhat.com   
      
   On Mon, 17 Nov 2025, Tyler W. Ross wrote:   
      
   > Weird behavior I just discovered:   
   >   
   > Explicitly setting allowed-enctypes in the gssd section of /etc/nfs.conf   
   > to exclude aes256-cts-hmac-sha1-96 makes both SHA2 ciphers work as   
   > expected (assuming each is allowed).   
   >   
   > If allowed-enctypes is unset (letting gssd interrogate the kernel for   
   > supported enctypes) or includes aes256-cts-hmac-sha1-96, then the XDR   
   > overflow occurs.   
   >   
   > Non-working configurations (first is the commented-out default in nfs.conf):   
   > allowed-enctypes=aes256-cts-hmac-sha384-192,aes128-cts-hmac-sha256-128,camellia256-cts-cmac,camellia128-cts-cmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96   
   > allowed-enctypes=aes256-cts-hmac-sha384-192,aes256-cts-hmac-sha1-96   
   > allowed-enctypes=aes128-cts-hmac-sha256-128,aes256-cts-hmac-sha1-96   
   > allowed-enctypes=aes256-cts-hmac-sha384-192,aes128-cts-hmac-sha256-128,aes256-cts-hmac-sha1-96   
   >   
   > Working configurations (first is default sans aes256-cts-hmac-sha1-96):   
   > allowed-enctypes=aes256-cts-hmac-sha384-192,aes128-cts-hmac-sha256-128,camellia256-cts-cmac,camellia128-cts-cmac,aes128-cts-hmac-sha1-96   
   > allowed-enctypes=aes256-cts-hmac-sha384-192,aes128-cts-hmac-sha256-128   
   > allowed-enctypes=aes256-cts-hmac-sha384-192,aes128-cts-hmac-sha1-96   
   > allowed-enctypes=aes128-cts-hmac-sha256-128,aes128-cts-hmac-sha1-96   
   >   
      
   That doesn't really make sense.  You should only need to use the   
   allowed-enctypes setting if you're talking to an NFS server that doesn't   
   have support for the new encryption types.   
      
   It basically works like the "permitted_enctypes" option in krb5.conf,   
   except it only affects NFS rather than affecting your krb5 configuration   
   as a whole.   
      
   Can you go back and re-do the tracepoint capture, except this time   
   umount your NFS filesystems before starting the capture (i.e. perform   
   the mount command while trace-cmd is running).  I'm curious what values   
   the rpcgss_update_slack tracepoint shows.   
      
   >   
   > Is this gssd mishandling some setup/initialization?   
   > Or is there a miscalculation happening somewhere further up?   
   >   
   >   
   > TWR   
   >   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)   
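
An added example, not part of the original message or of nfs-utils: a small triage helper that reads the `[gssd]` section of an nfs.conf and reports which of the three cases from the quoted report a client falls into (allowed-enctypes unset, set including aes256-cts-hmac-sha1-96, or set excluding it). The function names and sample configs are constructed for illustration; case-insensitive matching and treating an empty value as unset are assumptions.

```python
SUSPECT = "aes256-cts-hmac-sha1-96"  # enctype singled out in the quoted report

def gssd_allowed_enctypes(conf_text):
    """Return the allowed-enctypes list set in [gssd], or None if unset."""
    section, value = None, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank or commented out, e.g. the shipped default line
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()  # assumption: case-insensitive
            continue
        key, sep, val = line.partition("=")
        if sep and section == "gssd" and key.strip().lower() == "allowed-enctypes":
            # assumption: an empty value is treated the same as unset
            value = [e.strip() for e in val.split(",") if e.strip()] or None
    return value

def classify(conf_text):
    """Map a config onto the three cases described in the quoted report."""
    enctypes = gssd_allowed_enctypes(conf_text)
    if enctypes is None:
        return "unset"      # gssd asks the kernel for supported enctypes
    if SUSPECT in enctypes:
        return "includes"   # reported as non-working
    return "excludes"       # reported as working

# Constructed sample configs, using enctype lists quoted in the message.
SAMPLE_DEFAULT = """[gssd]
# allowed-enctypes=aes256-cts-hmac-sha384-192,aes256-cts-hmac-sha1-96
"""
SAMPLE_WITH = """[general]
allowed-enctypes=aes128-cts-hmac-sha1-96
[gssd]
allowed-enctypes = aes256-cts-hmac-sha384-192, aes256-cts-hmac-sha1-96
"""
SAMPLE_WITHOUT = """[gssd]
allowed-enctypes=aes256-cts-hmac-sha384-192,aes128-cts-hmac-sha1-96
"""

if __name__ == "__main__":
    for name, text in [("default", SAMPLE_DEFAULT), ("with", SAMPLE_WITH),
                       ("without", SAMPLE_WITHOUT)]:
        print(name, classify(text), gssd_allowed_enctypes(text))
```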
