[SPAM] [OpenAFS] each sudo hangs for 30s
Cheyenne Wills
cwills@sinenomine.net
Wed, 4 Mar 2026 18:58:50 -0700
On Wed, 4 Mar 2026 20:09:26 -0500
Ernesto Alfonso <erjoalgo@gmail.com> wrote:
> Hello,
>
> Each of my sudo calls hangs for 30 seconds or more, slowing everything
> down.
>
....
>
> How do I force sudo to be local-only and skip trying to talk to a
> remote server?
>
....
>
>
> And I see that `common-account` includes this "required pam_krb5" line
> towards the end:
>
> > #
> > # /etc/pam.d/common-account - authorization settings common to all services
> > #
> > # ...
> > #
> > # and here are more per-package modules (the "Additional" block)
> > account required pam_krb5.so minimum_uid=1000
> > # end of pam-auth-update config
>
> I tried removing this line but it made no difference.
>
> Any help would be appreciated.
>
> Ernesto

This really isn't an AFS problem, but just a PAM configuration on how
it interacts with Kerberos.

Before changing the pam.d configuration, I would suggest discussing any
proposed changes with your site's security or tech support team, or at
least closely review and understand what is being changed.

What you commented out (account required pam_krb5.so...) is only used
during account validation. You need to look at the auth and session
settings that are being picked up in your sudo pam settings.

If you really want to decouple sudo from the Kerberos check, try
something like the following to replace the @include common-auth with
the standard UNIX auth modules:

    session required pam_limits.so
    auth sufficient pam_unix.so
    auth required pam_deny.so
    @include common-account
    @include common-session-noninteractive

Or -- reorder the location of the pam_krb5.so so that it's after
pam_unix.so and the pam_krb5.so is marked as sufficient.

--
Cheyenne Wills
cwills@sinenomine.net
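
Added example, not part of the original thread or of OpenAFS: a small Python check that expands the @include lines of a Debian-style sudo PAM file and lists every pam_krb5.so entry sudo would run, by type (auth, account, session) and by position relative to pam_unix.so. The file contents in SAMPLE and DECOUPLED are constructed for illustration, and only the @include directive is resolved (the "include" and "substack" controls are not handled).

```python
import re

# Constructed sample of /etc/pam.d on a Debian-style host (not from the original post).
SAMPLE = {
    "sudo": "session required pam_limits.so\n@include common-auth\n"
            "@include common-account\n@include common-session-noninteractive\n",
    "common-auth": "auth [success=2 default=ignore] pam_krb5.so minimum_uid=1000\n"
                   "auth [success=1 default=ignore] pam_unix.so try_first_pass\n"
                   "auth requisite pam_deny.so\nauth required pam_permit.so\n",
    "common-account": "account required pam_unix.so\n"
                      "account required pam_krb5.so minimum_uid=1000\n",
    "common-session-noninteractive": "session required pam_unix.so\n"
                                     "session optional pam_krb5.so minimum_uid=1000\n",
}
# The sudo file after the replacement suggested in the reply above.
DECOUPLED = dict(SAMPLE, sudo="session required pam_limits.so\n"
                 "auth sufficient pam_unix.so\nauth required pam_deny.so\n"
                 "@include common-account\n@include common-session-noninteractive\n")

# type, control (simple keyword or [value=action ...] form), module
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def expand(service, files, seen=()):
    """Yield (source_file, type, control, module) with @include lines resolved."""
    if service in seen:
        raise ValueError(f"@include loop at {service}")
    for raw in files[service].splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if line.startswith("@include"):
            yield from expand(line.split()[1], files, seen + (service,))
        elif (m := RULE.match(line)):
            yield (service, *m.groups())

def krb5_findings(service, files):
    """List each pam_krb5.so entry the service runs and whether pam_unix.so precedes it."""
    unix_seen, findings = set(), []
    for src, typ, control, module in expand(service, files):
        if module == "pam_unix.so":
            unix_seen.add(typ)
        elif module == "pam_krb5.so":
            order = "after pam_unix" if typ in unix_seen else "before pam_unix"
            findings.append((typ, src, control, order))
    return findings

if __name__ == "__main__":
    for name, files in (("original", SAMPLE), ("decoupled", DECOUPLED)):
        for finding in krb5_findings("sudo", files):
            print(name, *finding, sep="\t")
```

To check a real host, build the files mapping from the directory itself, for example {p.name: p.read_text() for p in pathlib.Path("/etc/pam.d").iterdir() if p.is_file()}. With the constructed sample, the auth entry disappears after the replacement while the account and session entries from the included common-* files remain.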