[OpenAFS] pam_krb5 taking too long to authenticate

Russ Allbery rra@stanford.edu
Wed, 02 Sep 2009 10:46:19 -0700

Michael Joyner =E1=8F=A9=E1=8F=AF <mjoyner@ewc.edu> writes:

> Is there a fix for this? I am having problems on a RocksCluster
> front-end with this. :(

>> We have been having problems with the pam_krb5 module. It takes a long
>> time 20-30 seconds after entering your password for a prompt to
>> return. We having been able to figure out this problem yet. Here is a
>> sample of output from syslog during a login.=20
>> Of special interest is the 20 second jump at the following point:
>>> Oct 25 12:13:33 rfs2 sshd[5472]: pam_krb5[5472]: preparing to place v4
>>> credentials in '/tmp/tkt1529_Ic5472'
>>> Oct 25 12:13:52 rfs2 sshd[5472]: pam_krb5[5472]: could not obtain
>>> initial v4 creds: 7 (Argument list too long)
>> Any advice on what is wrong or how to debug this further would be helpfu=

The Red Hat pam_krb5 module always attempts to do Kerberos v4
authentication and can have some very long timeouts if it can't reach a
krb524d.  The settings:

    krb4_convert          =3D false
    krb4_convert_524      =3D false

in krb5.conf [appdefaults] may be helpful, or you can switch to my
Kerberos PAM module, which doesn't attempt to support Kerberos v4.


Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>