[OpenAFS] each sudo hangs for 30s

Ernesto Alfonso erjoalgo@gmail.com
Wed, 4 Mar 2026 20:09:26 -0500


Hello,

Each of my sudo calls hangs for 30 seconds or more, slowing everything down.

strace shows that the calls are attempting to contact my AFS/Kerberos server
on port 88, presumably for Kerberos authentication.

> $ sudo strace -f sudo echo hola
> ...
> [pid 92343] newfstatat(AT_FDCWD, "/etc/nsswitch.conf", {st_mode=S_IFREG|0644, st_size=586, ...}, 0) = 0
> [pid 92343] newfstatat(AT_FDCWD, "/etc/resolv.conf", {st_mode=S_IFREG|0644, st_size=508, ...}, 0) = 0
> [pid 92343] openat(AT_FDCWD, "/etc/hosts", O_RDONLY|O_CLOEXEC) = 3
> [pid 92343] fstat(3, {st_mode=S_IFREG|0644, st_size=303, ...}) = 0
> [pid 92343] lseek(3, 0, SEEK_SET)       = 0
> [pid 92343] read(3, "127.0.0.1\tphantom\n127.0.0.1\tloca"..., 4096) = 303
> [pid 92343] read(3, "", 4096)           = 0
> [pid 92343] close(3)                    = 0
> [pid 92343] socket(AF_INET, SOCK_DGRAM, IPPROTO_IP) = 3
> [pid 92343] fcntl(3, F_SETFD, FD_CLOEXEC) = 0
> [pid 92343] ioctl(3, FIONBIO, [1])      = 0
> [pid 92343] connect(3, {sa_family=AF_INET, sin_port=htons(88), sin_addr=inet_addr("192.168.0.142")}, 16) = 0
> [pid 92343] sendto(3, "l\202\4*0\202\4&\241\3\2\1\5\242\3\2\1\f\243\202\3\2320\202\3\2260\202\2\251\241\3"..., 1070, 0, NULL, 0) = 1070
> [pid 92343] poll([{fd=3, events=POLLIN}], 1, 1000) = 0 (Timeout)
> ...

How do I force sudo to be local-only and skip trying to talk to a remote
server?

I modified nsswitch as below to try to skip any DNS-related calls:

> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
>
> passwd:         files systemd
> group:          files systemd
> shadow:         files systemd
> gshadow:        files systemd
>
> hosts:          files # mdns4_minimal dns [NOTFOUND=return] dns mymachines myhostname
> networks:       files
>
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
>
> netgroup:       nis
>

My local machine is part of a local OpenAFS cell; I normally use `kinit`
and `aklog` to acquire Kerberos tokens whenever I need to access OpenAFS.

My /etc/pam.d/sudo looks like this:

> #%PAM-1.0
>
> # Set up user limits from /etc/security/limits.conf.
> session    required   pam_limits.so
>
> @include common-auth
> @include common-account
> @include common-session-noninteractive


And I see that `common-account` includes this "required pam_krb5" line
towards the end:

> #
> # /etc/pam.d/common-account - authorization settings common to all services
> #
>
> #
> # ...
> #
>
> # and here are more per-package modules (the "Additional" block)
> account required pam_krb5.so minimum_uid=1000
> # end of pam-auth-update config

I tried removing this line but it made no difference.

Any help would be appreciated.

Ernesto
