[OpenAFS] Fw: Re: significant delay for afs user to login as root via su

ematlis@yahoo.com ematlis@yahoo.com
Tue, 30 Mar 2010 07:30:43 -0700 (PDT)


Meant to post here as well...

--- On Tue, 3/30/10, ematlis@yahoo.com <ematlis@yahoo.com> wrote:

> From: ematlis@yahoo.com <ematlis@yahoo.com>
> Subject: Re: significant delay for afs user to login as root via su
> To: "Andrew Deason" <adeason@sinenomine.net>
> Date: Tuesday, March 30, 2010, 9:26 AM
>
> Yes, I am at Notre Dame.
>
> The problems I was having yesterday continue; I can't seem
> to find anything that could have triggered it.  I'm
> re-compiling a kernel; the kernel I was using was built
> based on Fedora's latest, minus the IMA security feature but
> also with optimizing for the Hammer cpu architecture.
> I'm re-compiling to go back to generic x86_64 cpu (while
> still not including support for IMA).  Part of the
> problem symptom is this in my dmesg output:
> afs: Lost contact with file server 129.74.223.21 in cell nd.edu (all multi-homed ip addresses down for the server)
>
> By the way, adding
>
> XAUTHORITY DEFAULT=/tmp/${\$}.Xauthority OVERRIDE=/var/tmp/@{PAM_USER}.Xauthority
>
> to /etc/security/pam_env.conf just made it impossible for
> logins at the console - the screen would go blank after
> putting in the password, and then revert back to the login
> prompt.
>
> thanks,
> eric
>
> However, when I add the
>
> --- On Tue, 3/30/10, Andrew Deason <adeason@sinenomine.net> wrote:
>
> > From: Andrew Deason <adeason@sinenomine.net>
> > Subject: Re: significant delay for afs user to login as root via su
> > To: "ematlis@yahoo.com" <ematlis@yahoo.com>
> > Date: Tuesday, March 30, 2010, 12:04 AM
> >
> > On Mon, 29 Mar 2010 12:36:57 -0500
> > "ematlis@yahoo.com" <ematlis@yahoo.com> wrote:
> >
> > > Thanks for the follow up.  I was about to implement that suggestion,
> > > but I just discovered I'm having some problems with logins.
> >
> > Sorry for not responding earlier today. It looks like any external email
> > to me that came after around noon was delayed until after 5pm today, so
> > I didn't see this until after I got off work.
> >
> > Also, if you post this to openafs-info, you will get more response :)
> > There's also a #openafs IRC channel, though I don't hang out there.
> >
> > By the way, are you the Eric Matlis from U of Notre Dame, by any chance?
> >
> > > I'm seeing this in my /var/log/messages:
> > >
> > [...]
> > >
> > > This is happening with any user that logs in.  It's taking for ever
> > > for their log in process to complete as a result.
> >
> > All users, including connecting via SSH? Those look like messages coming
> > from console logins (via e.g. GDM).
> >
> > Anyway, you're not getting tokens on login, or at least not early enough
> > in the process. Adding 'debug' to the pam_afs_session.so and the
> > pam_krb5.so lines in your 'auth' stack in system-auth-ac, and looking at
> > the logs, could help. (I assume your /etc/pam.d/gdm says to include
> > stuff from system-auth-ac?)
> >
> > However, just a guess going by your posted PAM config... you didn't
> > happen to create users with local accounts and passwords as well as
> > setting them up in kerberos, did you? Users can authenticate locally
> > successfully, even if kerberos auth fails. If kerberos auth fails, you
> > won't have tickets and won't be able to get AFS tokens.
> >
> > --
> > Andrew Deason
> > adeason@sinenomine.net