[OpenAFS] significant delay for afs user to login as root via su

ematlis@yahoo.com ematlis@yahoo.com
Thu, 18 Mar 2010 07:53:56 -0700 (PDT)

Ken, thanks for all your help (and the same to the others who have also
responded).  I'm grateful to be sure.

Since I'm a total newbie at this, I'll either have to look up and decipher
what you've suggested (I don't even know what PAGs are!) or rely on somebody
else to chip in with suggestions...

Just googling pags, I see this post which seems to point to similar

Anyway, thanks again,
eric

--- On Thu, 3/18/10, Ken Hornstein <kenh@cmf.nrl.navy.mil> wrote:

> From: Ken Hornstein <kenh@cmf.nrl.navy.mil>
> Subject: Re: [OpenAFS] significant delay for afs user to login as root via su
> To: ematlis@yahoo.com
> Cc: openafs-info@openafs.org
> Date: Thursday, March 18, 2010, 9:38 AM
>
> >You are correct in your assumptions.  Regarding XAUTHORITY (with pam_xauth
> >in su):
> >
> >logging in at the machine, this is what I find:
> >
> >before su:
> >
> >[ematlis@aerogold ~]$ echo $XAUTHORITY
> >/var/run/gdm/auth-for-ematlis-s3Q2Bx/database
>
> Ah-HA!
>
> Okay, that explains it.  When you log in locally (I assume) the
> graphical login manager sets up a local .Xauthority file and points the
> environment variable to it.  Since AFS isn't involved in this case,
> there are no timeouts from the Xauthority routines in pam_xauth.so.
> And if XAUTHORITY _isn't_ set, then it defaults to $HOME/.Xauthority.
>
> So ... what's the solution?  Well, if you just want to get rid of the
> delay, obviously commenting out pam_xauth is easiest.  But I guess you
> want to log in remotely, su, _and_ run X applications.  I personally
> find this strange, but, hey, whatever.  If you want to do that without
> having to manually paste in Xauthority information into the correct
> file, I guess I see three options.
>
> - Get PAGs working (I think this would solve your issue).
> - Assuming you're using ssh (I am guessing that you are), convince sshd
>   to write your Xauthority information somewhere else, like a file
>   in /tmp (and make sure your XAUTHORITY environment variable is correct).
>   I would guess this is possible, but I don't know if there's an easy
>   way to do it.
> - Switch to using xhost authentication and simply point your DISPLAY
>   variable to the "real" X server (which I fully admit would suck from
>   a security standpoint).
>
> --Ken
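The second option in the quoted reply (Xauthority data in a local file, with XAUTHORITY pointing at it) can also be done by hand after login instead of inside sshd. The sketch below is an added example, not code from either poster or from OpenAFS. It assumes the `xauth` client is installed and that the cookie for the forwarded display is already in the default authority file; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes xauth(1) is installed and that
# the session's cookie currently sits in the default authority file
# ($HOME/.Xauthority, assumed here to live in AFS).

# Create an empty, private cookie file on local disk and print its name.
# mktemp creates it mode 0600 under an unpredictable name, so other local
# users can neither read the cookie nor pre-create the path in /tmp.
new_local_xauth_file() {
    dir=${1:-/tmp}
    ( umask 077 && mktemp "$dir/xauth-$(id -un).XXXXXX" )
}

# Copy the cookie for one display into a fresh local file; print the path.
relocate_xauth() {
    display=${1:-$DISPLAY}
    [ -n "$display" ] || { echo "no display given and DISPLAY is unset" >&2; return 1; }
    target=$(new_local_xauth_file "${2:-/tmp}") || return 1
    # "extract - DISPLAY" writes the entry to stdout; "merge -" reads it
    # back into the file named with -f.
    xauth extract - "$display" 2>/dev/null | xauth -f "$target" merge - 2>/dev/null
    # A pipeline only reports the last command's status, so confirm that a
    # cookie really arrived before handing the file out.
    if [ ! -s "$target" ]; then
        rm -f "$target"
        echo "no cookie found for $display" >&2
        return 1
    fi
    chmod 600 "$target"
    printf '%s\n' "$target"
}

# Usage, typed in the remote login shell before running su:
#   XAUTHORITY=$(relocate_xauth) && export XAUTHORITY
```

With XAUTHORITY set this way, anything that consults it after `su` reads the cookie from local disk rather than from a home directory that needs AFS tokens. Remove the file at logout, since it holds a live X11 cookie.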