[OpenAFS] significant delay for afs user to login as root via su

Achim Gsell achim.gsell@psi.ch
Thu, 18 Mar 2010 00:15:30 +0100


On Mar 17, 2010, at 10:52 PM, ematlis@yahoo.com wrote:

> My version of Linux is Fedora 12 x86_64.  Here is my /etc/pam.d/su:
>
> #%PAM-1.0
> auth		sufficient	pam_rootok.so
> # Uncomment the following line to implicitly trust users in the "wheel" group.
> #auth		sufficient	pam_wheel.so trust use_uid
> # Uncomment the following line to require a user to be in the "wheel" group.
> #auth		required	pam_wheel.so use_uid
> auth		include		system-auth
> account		sufficient	pam_succeed_if.so uid = 0 use_uid quiet
> account		include		system-auth
> password	include		system-auth
> session		include		system-auth
> session		optional	pam_xauth.so
>
> Since pam_afs_session.so is not listed, I'd guess you are right, and that is not the source of the delay.
>
> If any other thoughts come to mind, let me know.
>
Maybe it's a problem with xauth and home directory on AFS. The PAM module pam_xauth runs something like

xauth -f /afs/psi.ch/user/g/gsell/.Xauthority nlist pc4506/unix:10.0

but at this moment you don't have write access to your home directory any more:

stat64("/afs/psi.ch/user/g/gsell/.Xauthority-c", 0xbfa96b80) = -1 ENOENT (No such file or directory)
open("/afs/psi.ch/user/g/gsell/.Xauthority-c", O_WRONLY|O_CREAT|O_EXCL, 0600) = -1 EACCES (Permission denied)
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigaction(SIGCHLD, NULL, {SIG_DFL}, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
nanosleep({2, 0}, {2, 0})               = 0
open("/afs/psi.ch/user/g/gsell/.Xauthority-c", O_WRONLY|O_CREAT|O_EXCL, 0600) = -1 EACCES (Permission denied)
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigaction(SIGCHLD, NULL, {SIG_DFL}, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
nanosleep({2, 0}, {2, 0})               = 0
open("/afs/psi.ch/user/g/gsell/.Xauthority-c", O_WRONLY|O_CREAT|O_EXCL, 0600) = -1 EACCES (Permission denied)
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigaction(SIGCHLD, NULL, {SIG_DFL}, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
nanosleep({2, 0}, {2, 0})               = 0
open("/afs/psi.ch/user/g/gsell/.Xauthority-c", O_WRONLY|O_CREAT|O_EXCL, 0600) = -1 EACCES (Permission denied)
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigaction(SIGCHLD, NULL, {SIG_DFL}, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
nanosleep({2, 0}, {2, 0})               = 0
open("/afs/psi.ch/user/g/gsell/.Xauthority-c", O_WRONLY|O_CREAT|O_EXCL, 0600) = -1 EACCES (Permission denied)
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigaction(SIGCHLD, NULL, {SIG_DFL}, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
nanosleep({2, 0}, {2, 0})               = 0
open("/afs/psi.ch/user/g/gsell/.Xauthority-c", O_WRONLY|O_CREAT|O_EXCL, 0600) = -1 EACCES (Permission denied)
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigaction(SIGCHLD, NULL, {SIG_DFL}, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
nanosleep({2, 0}, {2, 0})               = 0
open("/afs/psi.ch/user/g/gsell/.Xauthority-c", O_WRONLY|O_CREAT|O_EXCL, 0600) = -1 EACCES (Permission denied)
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigaction(SIGCHLD, NULL, {SIG_DFL}, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
nanosleep({2, 0}, {2, 0})               = 0
open("/afs/psi.ch/user/g/gsell/.Xauthority-c", O_WRONLY|O_CREAT|O_EXCL, 0600) = -1 EACCES (Permission denied)
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigaction(SIGCHLD, NULL, {SIG_DFL}, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
nanosleep({2, 0}, {2, 0})               = 0
open("/afs/psi.ch/user/g/gsell/.Xauthority-c", O_WRONLY|O_CREAT|O_EXCL, 0600) = -1 EACCES (Permission denied)
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigaction(SIGCHLD, NULL, {SIG_DFL}, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
nanosleep({2, 0}, {2, 0})               = 0
open("/afs/psi.ch/user/g/gsell/.Xauthority-c", O_WRONLY|O_CREAT|O_EXCL, 0600) = -1 EACCES (Permission denied)
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigaction(SIGCHLD, NULL, {SIG_DFL}, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
nanosleep({2, 0}, {2, 0})               = 0
write(2, "xauth:  timeout in locking autho"..., 79xauth:  timeout in locking authority file /afs/psi.ch/user/g/gsell/.Xauthority
) = 79
exit_group(1)                           = ?


So one call to xauth takes 20 seconds before timing out. The pam_xauth calls xauth more than once ...

Achim

> Thanks,
> eric
>
> --- On Wed, 3/17/10, Russ Allbery <rra@stanford.edu> wrote:
>
>> From: Russ Allbery <rra@stanford.edu>
>> Subject: Re: [OpenAFS] significant delay for afs user to login as root via su
>> To: ematlis@yahoo.com
>> Cc: "Simon Wilkinson" <sxw@inf.ed.ac.uk>, openafs-info@openafs.org
>> Date: Wednesday, March 17, 2010, 4:48 PM
>> ematlis@yahoo.com writes:
>>
>>> Well, there's nothing in /var/log/messages either.  As for checking the
>>> PAM configuration for su, can you elaborate?  I'm a beginner at this, so
>>> you may have to provide details.
>>
>> I don't know what version of Linux you're using, but as a general rule of
>> thumb, look in /etc/pam.d/su and make sure that it's including your shared
>> PAM configuration that you're thinking you're using and you don't have
>> some other reference to pam_afs_session in there that doesn't have the
>> debug line.
>>
>> Failing that, well, all the evidence so far indicates that pam_afs_session
>> isn't being run at all for su, and hence can't be the source of your
>> problems.
>>
>> --
>> Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
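
Added example, not part of the original thread or of xauth/pam_xauth: a small Python parser that takes strace output in the format shown above and reports, per lock file, how many exclusive-create attempts failed, with which errno, and how long the process slept between retries. The sample trace is constructed from the lines quoted in the message (ten iterations of the loop); the function names and the diagnosis labels are assumptions of this example.

```python
import re

# Constructed sample: the retry loop from the strace output in this thread,
# rebuilt as ten iterations (one open/EACCES plus one 2-second nanosleep each).
LOCK = "/afs/psi.ch/user/g/gsell/.Xauthority-c"
LOOP = (
    f'open("{LOCK}", O_WRONLY|O_CREAT|O_EXCL, 0600) = -1 EACCES (Permission denied)\n'
    "rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0\n"
    "rt_sigaction(SIGCHLD, NULL, {SIG_DFL}, 8) = 0\n"
    "rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0\n"
    "nanosleep({2, 0}, {2, 0})               = 0\n"
)
SAMPLE_TRACE = (
    f'stat64("{LOCK}", 0xbfa96b80) = -1 ENOENT (No such file or directory)\n'
    + LOOP * 10
    + "exit_group(1)                           = ?\n"
)

# Failed open() with its flag list, and the first timespec of nanosleep().
OPEN_RE = re.compile(r'^open\("([^"]+)", ([A-Z_|]+)(?:, \d+)?\)\s*= -1 (E[A-Z]+)')
SLEEP_RE = re.compile(r"^nanosleep\(\{(\d+), (\d+)\}")

def summarize_lock_retries(trace):
    """Per lock path: failed O_EXCL create attempts, errnos seen, seconds slept."""
    stats, last = {}, None
    for line in trace.splitlines():
        m = OPEN_RE.match(line)
        if m and "O_EXCL" in m.group(2).split("|"):
            last = stats.setdefault(
                m.group(1), {"attempts": 0, "errnos": set(), "slept": 0.0})
            last["attempts"] += 1
            last["errnos"].add(m.group(3))
            continue
        m = SLEEP_RE.match(line)
        if m and last is not None:  # sleep between retries of the last lock seen
            last["slept"] += int(m.group(1)) + int(m.group(2)) / 1e9
    return stats

def diagnose(entry):
    """EEXIST: the lock file already exists (held or stale). EACCES/EROFS: it
    cannot be created at all, so every retry only adds delay."""
    if entry["errnos"] & {"EACCES", "EROFS"}:
        return "unwritable-directory"
    if "EEXIST" in entry["errnos"]:
        return "lock-held-or-stale"
    return "other"

if __name__ == "__main__":
    for path, e in summarize_lock_retries(SAMPLE_TRACE).items():
        print(f"{path}: {e['attempts']} failed creates, {e['slept']:.0f}s slept, {diagnose(e)}")
```
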