[OpenAFS] significant delay for afs user to login as root via su

Russ Allbery rra@stanford.edu
Wed, 17 Mar 2010 13:54:07 -0700

Simon Wilkinson <sxw@inf.ed.ac.uk> writes:
> On 17 Mar 2010, at 20:24, ematlis@yahoo.com wrote:

>> I have noticed a significant delay (30 seconds or more) for a user
>> logged in through an AFS account to open the root account via the
>> command "su".  This delay does not happen for a local account.  I'm not
>> sure where to start looking for this one. Any ideas?

> Are you using pam_afs_session? We've just discovered that when that is
> enabled in the su stack, becoming root takes a very long time, whether
> or not you have set the minimum_uid or not. The simple solution is to
> not run pam_afs_session in the 'su' stack.

> More investigation is required into what's actually going wrong, but
> nobody here has had a chance to do so yet. Given that just removing
> pam_afs_session from the su stack gives us the behaviour we want, I'm
> not sure how much more investigation we'll end up doing.

> It might be worth speaking to Russ to see if anyone else is seeing this
> problem, or he might chime in here.

I run su all the time on systems that do not use a distinct PAM stack for
su and have pam-afs-session configured, and I've never seen this.  (And I
know pam-afs-session is running, since I get a new PAG after I su.)

Could you add "debug" to the end of the pam_afs_session PAM configuration
line and then show me the resulting syslog messages after an su?

Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>