[SPAM] [OpenAFS] each sudo hangs for 30s

Ernesto Alfonso erjoalgo@gmail.com
Wed, 4 Mar 2026 21:43:29 -0500


Thank you for the response. I replaced "@include common-auth" with the
lines you mentioned, so that my /etc/pam.d/sudo looks like:

> #%PAM-1.0
>
> # Set up user limits from /etc/security/limits.conf.
> # session    required   pam_limits.so
>
> # @include common-auth
>
> session    required   pam_limits.so
> auth       sufficient pam_unix.so
> auth       required   pam_deny.so
>
> @include common-account
> @include common-session-noninteractive
>

I also reordered the lines in /etc/pam.d/common-auth:

> auth [success=1 default=ignore] pam_unix.so nullok try_first_pass debug
> auth [success=2 default=ignore] pam_krb5.so minimum_uid=1000 debug


But my sudo is still taking long, and the strace still shows those network
calls.

Maybe I need to restart something? But this post
<https://unix.stackexchange.com/questions/363978/how-to-restart-pam-d-service-after-changing-of-common-account-pc-or-common-auth#448280>
suggests otherwise:

> There is no PAM daemon. You do not need to reload anything for the changes
> to take effect.


Ernesto

On Wed, Mar 4, 2026 at 8:58 PM Cheyenne Wills <cwills@sinenomine.net> wrote:

>
>
>
> On Wed, 4 Mar 2026 20:09:26 -0500
> Ernesto Alfonso <erjoalgo@gmail.com> wrote:
> > Hello,
> >
> > Each of my sudo calls hang for 30 seconds or more, slowing everything
> > down.
> >
> ....
> >
> > How do I force sudo to be local-only and skip trying to talk to a
> > remote server?
> >
> ....
> >
> >
> > And I see that `common-account` includes this "required pam_krb5" line
> > towards the end:
> >
> > #
> > # /etc/pam.d/common-account - authorization settings common to all services
> > #
> > # ...
> > #
> > # and here are more per-package modules (the "Additional" block)
> > account required pam_krb5.so minimum_uid=1000
> > # end of pam-auth-update config
> >
> >
> > I tried removing this line but it made no difference.
> >
> > Any help would be appreciated.
> >
> > Ernesto
>
> This really isn't an AFS problem, but just a PAM configuration on how
> it interacts with kerberos.
>
> Before changing the pam.d configuration, I would suggest discussing any
> proposed changes with your site's security or tech support team, or at
> least closely review and understand what is being changed.
>
> What you commented out (account required pam_krb5.so...) is only used
> during account validation.  You need to look at the auth and session
> settings that are being picked up in your sudo pam settings.
>
> If you really want to decouple sudo from the kerberos check, try
> something like the following to replace the @include common-auth with
> the standard UNIX auth modules:
>
>     session    required   pam_limits.so
>     auth       sufficient pam_unix.so
>     auth       required   pam_deny.so
>
>     @include common-account
>     @include common-session-noninteractive
>
> Or -- reorder the location of the pam_krb5.so so that it's after
> pam_unix.so and the pam_krb5.so is marked as sufficient.
>
> --
> Cheyenne Wills
> cwills@sinenomine.net
>
>
>
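One way to do what Cheyenne suggests, looking at which auth, account and session lines sudo actually picks up: an added example, not code from the thread, that flattens a service's /etc/pam.d stack by following @include directives and lists every line that still routes through pam_krb5. The PAMD mapping is a constructed sample shaped like the files in the thread (on a real host you would read each file under /etc/pam.d into the same mapping); resolve_stack and krb5_references are my names.

```python
import re

# Constructed sample standing in for /etc/pam.d (not the poster's real files): the
# sudo stack with common-auth replaced as suggested, plus the two includes it keeps.
PAMD = {
    "sudo": (
        "#%PAM-1.0\n"
        "session    required   pam_limits.so\n"
        "auth       sufficient pam_unix.so\n"
        "auth       required   pam_deny.so\n"
        "@include common-account\n"
        "@include common-session-noninteractive\n"
    ),
    "common-account": (
        "account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so\n"
        "account requisite pam_deny.so\n"
        "account required pam_krb5.so minimum_uid=1000\n"
    ),
    "common-session-noninteractive": (
        "session required pam_unix.so\n"
        "session optional pam_krb5.so minimum_uid=1000\n"
    ),
}

# type, control (a word or a [bracketed] expression), module, optional args
LINE_RE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def resolve_stack(files, service, depth=0):
    """Flatten one service's stack by following @include; returns (type, control, module, args, source_file) in evaluation order."""
    if depth > 10:
        raise ValueError("@include loop reached via %s" % service)
    stack = []
    for raw in files[service].splitlines():
        line = raw.split("#", 1)[0].strip()   # drops comments and the #%PAM-1.0 magic
        if not line:
            continue
        if line.startswith("@include"):
            stack.extend(resolve_stack(files, line.split()[1], depth + 1))
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unparsable PAM line in %s: %r" % (service, raw))
        mtype, control, module, args = m.groups()
        stack.append((mtype.lstrip("-"), control, module, args, service))
    return stack

def krb5_references(files, service):
    """Every line that still routes the service through pam_krb5, with its type, control and source file."""
    return [(t, c, s) for t, c, m, _, s in resolve_stack(files, service) if m == "pam_krb5.so"]
```

With this sample the auth stack is local-only, but the account and session stacks still reach pam_krb5 through the two includes, which is the kind of line the reply says to look for.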
