Yes, I am using pam_afs_session.  You've lost me about not using it in the su 
stack.  Can you elaborate?  Here's my system-auth-ac if it helps...

auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        [success=ok default=1]    pam_krb5.so use_first_pass minimum_uid=100
auth        [default=done]    pam_afs_session.so program=/usr/bin/aklog
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so minimum_uid=100
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_krb5.so
session     required      pam_afs_session.so program=/usr/bin/aklog
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so


Thanks,
eric

--- On Wed, 3/17/10, Simon Wilkinson <s...@inf.ed.ac.uk> wrote:

> From: Simon Wilkinson <s...@inf.ed.ac.uk>
> Subject: Re: [OpenAFS] significant delay for afs user to login as root via su
> To: emat...@yahoo.com
> Cc: openafs-info@openafs.org
> Date: Wednesday, March 17, 2010, 3:37 PM
> 
> On 17 Mar 2010, at 20:24, emat...@yahoo.com wrote:
> > I have noticed a significant delay (30 seconds or more) for a user
> > logged in through an AFS account to open the root account via the
> > command "su".  This delay does not happen for a local account.  I'm
> > not sure where to start looking for this one. Any ideas?
> 
> Are you using pam_afs_session? We've just discovered that
> when that is enabled in the su stack, becoming root takes a
> very long time, whether or not you have set the minimum_uid.
> The simple solution is to not run pam_afs_session in
> the 'su' stack.
> 
> More investigation is required into what's actually going
> wrong, but nobody here has had a chance to do so yet. Given
> that just removing pam_afs_session from the su stack gives
> us the behaviour we want, I'm not sure how much more
> investigation we'll end up doing.
> 
> It might be worth speaking to Russ to see if anyone else is
> seeing this problem, or he might chime in here.
> 
> Cheers,
> 
> Simon.
> 
> 
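
Added example, not part of the original thread: a shared file such as system-auth reaches the su stack only if su's own PAM file pulls it in with include or substack lines, so the sketch below traces which services end up running a given module. The sample file contents and the names load_sample, parse and find_module are constructed for illustration, and the assumption that su includes system-auth is not confirmed by the posts above.

```python
import os

# Constructed sample configs (not from the thread): a Red Hat style layout
# where su pulls a shared system-auth file in through "include".
SAMPLE = {
    "su": "auth sufficient pam_rootok.so\n"
          "auth include system-auth\n"
          "session include system-auth\n",
    "system-auth": "auth required pam_env.so\n"
          "auth [default=done] pam_afs_session.so program=/usr/bin/aklog\n"
          "session required pam_afs_session.so program=/usr/bin/aklog\n"
          "session required pam_unix.so\n",
    "crond": "account required pam_access.so\n"
             "session required pam_loginuid.so\n",
}

def load_sample(service):
    return SAMPLE.get(service, "")

def parse(text):
    """Yield (type, control, module) per rule; skip comments and blanks."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 3:
            continue
        mtype, control, rest = fields[0].lstrip("-"), fields[1], fields[2:]
        # A bracketed control such as [success=ok default=1] contains spaces.
        while control.startswith("[") and not control.endswith("]") and rest:
            control += " " + rest.pop(0)
        if rest:
            yield mtype, control, rest[0]

def find_module(service, module, load, seen=()):
    """List (type, include chain) for each place module runs for service."""
    hits = []
    if service in seen:  # guard against include loops
        return hits
    for mtype, control, target in parse(load(service)):
        if control in ("include", "substack"):
            # include pulls in only the rules of the same type
            sub = find_module(os.path.basename(target), module, load, seen + (service,))
            hits += [(t, [service] + c) for t, c in sub if t == mtype]
        elif os.path.basename(target) == module:
            hits.append((mtype, [service]))
    return hits

if __name__ == "__main__":
    for svc in SAMPLE:
        print(svc, find_module(svc, "pam_afs_session.so", load_sample))
```

To run it against a live system, pass a loader that reads the file of that name under /etc/pam.d in place of load_sample.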


