[OpenAFS] significant delay for afs user to login as root via su

ematlis@yahoo.com ematlis@yahoo.com
Wed, 17 Mar 2010 14:04:49 -0700 (PDT)


Yes, I am using pam_afs_session.  You've lost me about not using it in the
su stack.  Can you elaborate?  Here's my system-auth-ac if it helps...

auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        [success=ok default=1]    pam_krb5.so use_first_pass minimum_uid=100
auth      [default=done]  pam_afs_session.so program=/usr/bin/aklog
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so minimum_uid=100
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_krb5.so
session     required      pam_afs_session.so program=/usr/bin/aklog
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so


Thanks,
eric

--- On Wed, 3/17/10, Simon Wilkinson <sxw@inf.ed.ac.uk> wrote:

> From: Simon Wilkinson <sxw@inf.ed.ac.uk>
> Subject: Re: [OpenAFS] significant delay for afs user to login as root via su
> To: ematlis@yahoo.com
> Cc: openafs-info@openafs.org
> Date: Wednesday, March 17, 2010, 3:37 PM
>
> On 17 Mar 2010, at 20:24, ematlis@yahoo.com wrote:
> > I have noticed a significant delay (30 seconds or
> > more) for a user logged in through an AFS account to open
> > the root account via the command "su".  This delay does
> > not happen for a local account.  I'm not sure where to
> > start looking for this one. Any ideas?
>
> Are you using pam_afs_session? We've just discovered that
> when that is enabled in the su stack, becoming root takes a
> very long time, whether or not you have set the minimum_uid
> or not. The simple solution is to not run pam_afs_session in
> the 'su' stack.
>
> More investigation is required into what's actually going
> wrong, but nobody here has had a chance to do so yet. Given
> that just removing pam_afs_session from the su stack gives
> us the behaviour we want, I'm not sure how much more
> investigation we'll end up doing.
>
> It might be worth speaking to Russ to see if anyone else is
> seeing this problem, or he might chime in here.
>
> Cheers,
>
> Simon.
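
Added example, not part of the original thread and not either poster's own tooling: a shared file such as system-auth reaches the su stack through include lines, so this sketch resolves include/substack directives and reports which services end up running pam_afs_session.so. The su and sshd files are constructed on the assumption that they include system-auth, and the names PAM_D, effective_rules and services_running are hypothetical.

```python
import re

# Constructed /etc/pam.d contents. Assumption: su and sshd pull in the shared
# stack with "include"; the system-auth lines are a subset of the posted file.
PAM_D = {
    "su": "auth sufficient pam_rootok.so\n"
          "auth include system-auth\n"
          "account include system-auth\n"
          "session include system-auth\n",
    "sshd": "auth include system-auth\nsession include system-auth\n",
    "system-auth": "auth sufficient pam_unix.so nullok try_first_pass\n"
                   "auth [success=ok default=1] pam_krb5.so use_first_pass minimum_uid=100\n"
                   "auth [default=done] pam_afs_session.so program=/usr/bin/aklog\n"
                   "account required pam_unix.so\n"
                   "session optional pam_krb5.so\n"
                   "session required pam_afs_session.so program=/usr/bin/aklog\n"
                   "session required pam_unix.so\n",
}

# type, control (simple word or [value=action ...]), module or included file
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def effective_rules(service, files, chain=()):
    """Yield (type, module, include_chain) for a service, following
    include/substack, which import only rules of the same management group."""
    chain = chain + (service,)
    for raw in files.get(service, "").splitlines():
        m = RULE.match(raw.split("#", 1)[0].strip())
        if not m:
            continue
        mtype, control, target = m.groups()
        if control in ("include", "substack"):
            if target not in chain:  # guard against include loops
                yield from (r for r in effective_rules(target, files, chain)
                            if r[0] == mtype)
        else:
            yield mtype, target, chain

def services_running(module, files):
    """Map each service file to the management groups in which it runs `module`."""
    hits = {}
    for service in files:
        for mtype, mod, _ in effective_rules(service, files):
            if mod == module:
                hits.setdefault(service, set()).add(mtype)
    return {svc: sorted(groups) for svc, groups in hits.items()}

if __name__ == "__main__":
    for svc, groups in services_running("pam_afs_session.so", PAM_D).items():
        print(f"{svc}: {', '.join(groups)}")
```

With the constructed files, su is reported for both auth and session. Giving su its own rules in place of the include lines drops it from the report, while sshd keeps the module.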