I was working on a customers AIX system recently and found that whenever I tried logging into the system, with my username and password, there was a lengthy pause before I was prompted for my password, followed by another lengthy pause, before I was logged into a shell. My initial reaction was that I had seen this before and written about it here: https://www.ibm.com/developerworks/community/blogs/cgaix/entry/ssh_delay_with_security_pkcs11_installed?lang=en

But try as I might, I was not able to attribute this problem to my previous experience. I was almost certain that the problem was somehow related to a DNS or reverse IP lookup issue, but even that line of investigation to did not "bear any fruit" and my logins remained painfully slow!

In a desperate attempt to troubleshoot and resolve the problem, I decided to employ tcpdump and monitor DNS lookups (still thinking that this was most definitely a DNS problem. Spoiler alert: it wasn't!).

I ran tcpdump (as shown below), while I attempted to login to the AIX system. The output from tcpdump showed that my login attempt was triggering a DNS lookup of a server called ldapserver1 and kerberos was also displayed.

# tcpdump -i en1 dst port 53

...

17:09:11.324299 IP aixlpar1.34845 > ldapserver1.com.au: 21163+ TXT? _kerberos.aixlpar1. (36)

This was NOT expected. As far I as I knew, my local account, at the AIX level, was not and should not be trying to authenticate with a LDAP or Kerberos server. So, I checked my local account details and found that the SYSTEM attribute was set to "KRB5files OR compat"! This was WRONG!

# lsuser -f cgibson | grep SYS

auth1=SYSTEM

SYSTEM=KRB5files OR compat

I quickly changed this attribute to SYSTEM=compat, and low and behold, my logins worked just fine now!

# chuser SYSTEM="compat" cgibson

# lsuser -f cgibson | grep SYS

auth1=SYSTEM

SYSTEM=compat

Another troubleshooting step I performed earlier, that should have alerted me to the likely source of the problem was, I could login with other accounts, including root, without experiencing any delays. It was just my account that had trouble.