[OpenAFS] significant delay for afs user to login as root via su

ematlis@yahoo.com ematlis@yahoo.com
Wed, 17 Mar 2010 14:13:24 -0700 (PDT)

I added debug to the end of this line in /etc/pam.d/system-auth-ac:

auth      [default=done]  pam_afs_session.so program=/usr/bin/aklog debug

However, /var/log/secure does not show any more information than normal.  Do I need to restart some service to "activate" this change?

Also, when the su command finally completes, I noticed this:

[ematlis@aerogold ~]$ su
Password: 
X11 connection rejected because of wrong authentication.
xhost:  unable to open display "localhost:10.0"

The xhost thing is happening because I am automatically executing
xhost +si:localuser:lp
in a file in /etc/profile.d

Just mentioning it in case this sheds light...

thanks,
eric

--- On Wed, 3/17/10, Russ Allbery <rra@stanford.edu> wrote:

> From: Russ Allbery <rra@stanford.edu>
> Subject: Re: [OpenAFS] significant delay for afs user to login as root via su
> To: "Simon Wilkinson" <sxw@inf.ed.ac.uk>
> Cc: ematlis@yahoo.com, openafs-info@openafs.org
> Date: Wednesday, March 17, 2010, 3:54 PM
>
> Simon Wilkinson <sxw@inf.ed.ac.uk> writes:
> > On 17 Mar 2010, at 20:24, ematlis@yahoo.com wrote:
>
> >> I have noticed a significant delay (30 seconds or more) for a user
> >> logged in through an AFS account to open the root account via the
> >> command "su".  This delay does not happen for a local account.  I'm not
> >> sure where to start looking for this one. Any ideas?
>
> > Are you using pam_afs_session? We've just discovered that when that is
> > enabled in the su stack, becoming root takes a very long time, whether
> > or not you have set the minimum_uid or not. The simple solution is to
> > not run pam_afs_session in the 'su' stack.
>
> > More investigation is required into what's actually going wrong, but
> > nobody here has had a chance to do so yet. Given that just removing
> > pam_afs_session from the su stack gives us the behaviour we want, I'm
> > not sure how much more investigation we'll end up doing.
>
> > It might be worth speaking to Russ to see if anyone else is seeing this
> > problem, or he might chime in here.
>
> I run su all the time on systems that do not use a distinct PAM stack for
> su and have pam-afs-session configured, and I've never seen this.  (And I
> know pam-afs-session is running, since I get a new PAG after I su.)
>
> Could you add "debug" to the end of the pam_afs_session PAM configuration
> line and then show me the resulting syslog messages after an su?
>
> -- 
> Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>