[OpenAFS] pam_krb5 taking too long to authenticate
Russ Allbery
rra@stanford.edu
Wed, 02 Sep 2009 10:46:19 -0700
Michael Joyner =E1=8F=A9=E1=8F=AF <mjoyner@ewc.edu> writes:
> Is there a fix for this? I am having problems on a RocksCluster
> front-end with this. :(
>> We have been having problems with the pam_krb5 module. It takes a long
>> time 20-30 seconds after entering your password for a prompt to
>> return. We having been able to figure out this problem yet. Here is a
>> sample of output from syslog during a login.=20
>>
>> Of special interest is the 20 second jump at the following point:
>>> Oct 25 12:13:33 rfs2 sshd[5472]: pam_krb5[5472]: preparing to place v4
>>> credentials in '/tmp/tkt1529_Ic5472'
>>> Oct 25 12:13:52 rfs2 sshd[5472]: pam_krb5[5472]: could not obtain
>>> initial v4 creds: 7 (Argument list too long)
>>
>> Any advice on what is wrong or how to debug this further would be helpfu=
l.
The Red Hat pam_krb5 module always attempts to do Kerberos v4
authentication and can have some very long timeouts if it can't reach a
krb524d. The settings:
krb4_convert =3D false
krb4_convert_524 =3D false
in krb5.conf [appdefaults] may be helpful, or you can switch to my
Kerberos PAM module, which doesn't attempt to support Kerberos v4.
http://www.eyrie.org/~eagle/software/pam-krb5/
--=20
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>