Ken, thanks for all your help (and the same to the others who have also responded). I'm grateful to be sure.
Since I'm a total newbie at this, I'll either have to look up and decipher what you've suggested (I don't even know what PAGs are!) or rely on somebody else to chip in with suggestions... Just googling pags, I see this post which seems to point to similar issues: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=264902 Anyway,thanks again, eric --- On Thu, 3/18/10, Ken Hornstein <k...@cmf.nrl.navy.mil> wrote: > From: Ken Hornstein <k...@cmf.nrl.navy.mil> > Subject: Re: [OpenAFS] significant delay for afs user to login as root via su > To: emat...@yahoo.com > Cc: openafs-info@openafs.org > Date: Thursday, March 18, 2010, 9:38 AM > >You are correct in your > assumptions. Regarding XAUTHORITY (with pam_xauth > >in su): > > > >logging in at the machine, this is what I find: > > > >before su: > > > >[emat...@aerogold ~]$ echo $XAUTHORITY > >/var/run/gdm/auth-for-ematlis-s3Q2Bx/database > > Ah-HA! > > Okay, that explains it. When you log in locally (I > assume) the > graphical login manager sets up a local .Xauthority file > and points the > environment variable to it. Since AFS isn't involved > in this case, > there are no timeouts from the Xauthority routines in > pam_xauth.so. > And if XAUTHORITY _isn't_ set, then it defaults to > $HOME/.Xauthority. > > So ... what's the solution? Well, if you just want to > get rid of the > delay, obviously commenting out pam_xauth is easiest. > But I guess you > want to log in remotely, su, _and_ run X > applications. I personally > find this strange, but, hey, whatever. If you want to > do that without > having to manually paste in Xauthority information into the > correct > file, I guess I see three options. > > - Get PAGs working (I think this would solve your issue). > - Assuming you're using ssh (I am guessing that you are), > convince sshd > to write your Xauthority information somewhere else, > like a file > in /tmp (and make sure your XAUTHORITY environment > variable is correct). > I would guess this is possible, but I don't know if > there's an easy > way to do it. > - Switch to using xhost authentication and simply point > your DISPLAY > variable to the "real" X server (which I fully admit > would suck from > a security standpoint. > > --Ken > _______________________________________________ > OpenAFS-info mailing list > OpenAFS-info@openafs.org > https://lists.openafs.org/mailman/listinfo/openafs-info > _______________________________________________ OpenAFS-info mailing list OpenAFS-info@openafs.org https://lists.openafs.org/mailman/listinfo/openafs-info
