[OpenAFS] significant delay for afs user to login as root via su
Achim Gsell
achim.gsell@psi.ch
Thu, 18 Mar 2010 00:15:30 +0100
On Mar 17, 2010, at 10:52 PM, ematlis@yahoo.com wrote:
> My version of Linux is Fedora 12 x86_64. Here is my /etc/pam.d/su:
>
> #%PAM-1.0
> auth sufficient pam_rootok.so
> # Uncomment the following line to implicitly trust users in the "wheel" group.
> #auth sufficient pam_wheel.so trust use_uid
> # Uncomment the following line to require a user to be in the "wheel" group.
> #auth required pam_wheel.so use_uid
> auth include system-auth
> account sufficient pam_succeed_if.so uid = 0 use_uid quiet
> account include system-auth
> password include system-auth
> session include system-auth
> session optional pam_xauth.so
>
> Since pam_afs_session.so is not listed, I'd guess you are right, and that is not the source of the delay.
>
> If any other thoughts come to mind, let me know.
>
Maybe it's a problem with xauth and home directory on AFS. The PAM module pam_xauth runs something like
xauth -f /afs/psi.ch/user/g/gsell/.Xauthority nlist pc4506/unix:10.0
but at this moment you don't have write access to your home directory any more:
stat64("/afs/psi.ch/user/g/gsell/.Xauthority-c", 0xbfa96b80) = -1 ENOENT (No such file or directory)
open("/afs/psi.ch/user/g/gsell/.Xauthority-c", O_WRONLY|O_CREAT|O_EXCL, 0600) = -1 EACCES (Permission denied)
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigaction(SIGCHLD, NULL, {SIG_DFL}, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
nanosleep({2, 0}, {2, 0}) = 0
open("/afs/psi.ch/user/g/gsell/.Xauthority-c", O_WRONLY|O_CREAT|O_EXCL, 0600) = -1 EACCES (Permission denied)
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigaction(SIGCHLD, NULL, {SIG_DFL}, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
nanosleep({2, 0}, {2, 0}) = 0
open("/afs/psi.ch/user/g/gsell/.Xauthority-c", O_WRONLY|O_CREAT|O_EXCL, 0600) = -1 EACCES (Permission denied)
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigaction(SIGCHLD, NULL, {SIG_DFL}, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
nanosleep({2, 0}, {2, 0}) = 0
open("/afs/psi.ch/user/g/gsell/.Xauthority-c", O_WRONLY|O_CREAT|O_EXCL, 0600) = -1 EACCES (Permission denied)
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigaction(SIGCHLD, NULL, {SIG_DFL}, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
nanosleep({2, 0}, {2, 0}) = 0
open("/afs/psi.ch/user/g/gsell/.Xauthority-c", O_WRONLY|O_CREAT|O_EXCL, 0600) = -1 EACCES (Permission denied)
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigaction(SIGCHLD, NULL, {SIG_DFL}, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
nanosleep({2, 0}, {2, 0}) = 0
open("/afs/psi.ch/user/g/gsell/.Xauthority-c", O_WRONLY|O_CREAT|O_EXCL, 0600) = -1 EACCES (Permission denied)
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigaction(SIGCHLD, NULL, {SIG_DFL}, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
nanosleep({2, 0}, {2, 0}) = 0
open("/afs/psi.ch/user/g/gsell/.Xauthority-c", O_WRONLY|O_CREAT|O_EXCL, 0600) = -1 EACCES (Permission denied)
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigaction(SIGCHLD, NULL, {SIG_DFL}, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
nanosleep({2, 0}, {2, 0}) = 0
open("/afs/psi.ch/user/g/gsell/.Xauthority-c", O_WRONLY|O_CREAT|O_EXCL, 0600) = -1 EACCES (Permission denied)
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigaction(SIGCHLD, NULL, {SIG_DFL}, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
nanosleep({2, 0}, {2, 0}) = 0
open("/afs/psi.ch/user/g/gsell/.Xauthority-c", O_WRONLY|O_CREAT|O_EXCL, 0600) = -1 EACCES (Permission denied)
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigaction(SIGCHLD, NULL, {SIG_DFL}, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
nanosleep({2, 0}, {2, 0}) = 0
open("/afs/psi.ch/user/g/gsell/.Xauthority-c", O_WRONLY|O_CREAT|O_EXCL, 0600) = -1 EACCES (Permission denied)
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigaction(SIGCHLD, NULL, {SIG_DFL}, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
nanosleep({2, 0}, {2, 0}) = 0
write(2, "xauth: timeout in locking autho"..., 79xauth: timeout in locking authority file /afs/psi.ch/user/g/gsell/.Xauthority
) = 79
exit_group(1) = ?
So one call to xauth takes 20 seconds before timing out. The pam_xauth calls xauth more than once ...
Achim
> Thanks,
> eric
>
> --- On Wed, 3/17/10, Russ Allbery <rra@stanford.edu> wrote:
>
>> From: Russ Allbery <rra@stanford.edu>
>> Subject: Re: [OpenAFS] significant delay for afs user to login as root via su
>> To: ematlis@yahoo.com
>> Cc: "Simon Wilkinson" <sxw@inf.ed.ac.uk>, openafs-info@openafs.org
>> Date: Wednesday, March 17, 2010, 4:48 PM
>> ematlis@yahoo.com writes:
>>
>>> Well, there's nothing in /var/log/messages either. As for checking the
>>> PAM configuration for su, can you elaborate? I'm a beginner at this, so
>>> you may have to provide details.
>>
>> I don't know what version of Linux you're using, but as a general rule of
>> thumb, look in /etc/pam.d/su and make sure that it's including your shared
>> PAM configuration that you're thinking you're using and you don't have
>> some other reference to pam_afs_session in there that doesn't have the
>> debug line.
>>
>> Failing that, well, all the evidence so far indicates that pam_afs_session
>> isn't being run at all for su, and hence can't be the source of your
>> problems.
>>
>> --
>> Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
>>
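Added example (not part of the original thread, and not code from OpenAFS, xauth or pam_xauth): a small Python parser that finds the pattern in the strace output of the reply above, a failed exclusive create of a "-c" lock file followed by a back-off sleep, and totals the time lost per lock path. The sample trace is constructed to mirror that output; the cell name, user path and function names are assumptions.

```python
import re

# Failed exclusive create of an xauth-style lock file ("<authority file>-c").
LOCK_RE = re.compile(
    r'open(?:at)?\((?:AT_FDCWD, )?"(?P<path>[^"]+-c)", [^)]*O_EXCL[^)]*\)'
    r'\s*=\s*-1\s+(?P<errno>E[A-Z]+)')
# Back-off sleep between attempts; newer strace prints tv_sec=/tv_nsec= labels.
SLEEP_RE = re.compile(
    r'nanosleep\(\{(?:tv_sec=)?(?P<sec>\d+), (?:tv_nsec=)?(?P<nsec>\d+)\}')

def lock_retry_summary(trace_text):
    """Map each lock path to its failed attempts, errnos and seconds slept."""
    summary, pending = {}, None
    for line in trace_text.splitlines():
        hit = LOCK_RE.search(line)
        if hit:
            pending = hit.group("path")
            entry = summary.setdefault(
                pending, {"attempts": 0, "errnos": set(), "slept": 0.0})
            entry["attempts"] += 1
            entry["errnos"].add(hit.group("errno"))
            continue
        nap = SLEEP_RE.search(line)
        if nap and pending:
            # Count only the sleep that follows a failed lock attempt.
            summary[pending]["slept"] += int(nap["sec"]) + int(nap["nsec"]) / 1e9
            pending = None
    return summary

def slow_locks(summary, min_seconds=5.0):
    """Return report lines for locks whose retries cost at least min_seconds."""
    return [f"{path}: {e['attempts']} failed attempts "
            f"({', '.join(sorted(e['errnos']))}), {e['slept']:.0f}s asleep"
            for path, e in summary.items() if e["slept"] >= min_seconds]

# Constructed sample mirroring the trace above (hypothetical cell and user).
LOCK = "/afs/example.org/user/j/jdoe/.Xauthority-c"
CYCLE = (f'open("{LOCK}", O_WRONLY|O_CREAT|O_EXCL, 0600) = -1 EACCES (Permission denied)\n'
         'rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0\n'
         'nanosleep({2, 0}, {2, 0}) = 0\n')
SAMPLE_TRACE = (f'stat64("{LOCK}", 0xbfa96b80) = -1 ENOENT (No such file or directory)\n'
                + CYCLE * 10 + 'exit_group(1) = ?\n')

if __name__ == "__main__":
    for line in slow_locks(lock_retry_summary(SAMPLE_TRACE)):
        print(line)
```

Run against a saved trace of the slow command, an EACCES entry of this kind means the lock directory is not writable by the calling session.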