[OpenAFS] significant delay for afs user to login as root via su

ematlis@yahoo.com ematlis@yahoo.com
Thu, 18 Mar 2010 06:54:47 -0700 (PDT)


No, I do not.  And that's with or without the

session         optional        pam_xauth.so

in /etc/pam.d/su, and does not matter if I'm at the machine or logged in
remotely.

thanks,
eric

--- On Thu, 3/18/10, Ken Hornstein <kenh@cmf.nrl.navy.mil> wrote:

> From: Ken Hornstein <kenh@cmf.nrl.navy.mil>
> Subject: Re: [OpenAFS] significant delay for afs user to login as root via su
> To: ematlis@yahoo.com
> Cc: openafs-info@openafs.org
> Date: Thursday, March 18, 2010, 8:48 AM
>
> > Ok, one other data point- I should have mentioned in the very
> > beginning that I'm actually logging into the machine in question
> > remotely, then issuing the su command.  This seems to make a
> > difference.  While I THOUGHT the problem occurred either way, now
> > I'm finding that if I actually sit down at the machine, log in via
> > AFS, then enter su, there is no delay (and no xauth warning either)
> > regardless of pam_xauth being in /etc/pam.d/su or not.  It's only
> > when I ssh to the machine remotely, then try su that I see a delay
> > if the pam_xauth line is in /etc/pam.d/su.
>
> Okay, that's a bit more data.
>
> We ran into this problem as well.  The root cause of the delay is that
> the pam_xauth module is trying to copy your .Xauthority file into
> root's .Xauthority file ... and to do that it needs to create some
> files in your home directory as part of the .Xauthority locking, and
> it can't do that (because as root it can't read/write your home
> directory) and it's timing out as part of that.
>
> Try something else.  After you su, run "tokens".  Do you get anything
> listed?
>
> Given that it works fine when you log into the console, what I _think_
> is happening is that you're not getting a PAG when you log in
> remotely, so your UID-based AFS token is not going with you when you
> su to root.
>
> --Ken