_files/genppageinit.gif){kind=small}
_files/ibm-comm-wordmark.png){kind=small}
_files/blank.gif){kind=spacer}
_files/iconWarning.gif "IC Sunset")
The
developerWorks Connections platform will be sunset on December 31,
2019. On January 1, 2020, this blog will no longer be available. More details available on our FAQ.
AIX logins slow to prompt for password - KRB5files OR compatI was working on a customer’s AIX system
recently and found that whenever I tried logging into the system, with
my username and password, there was a lengthy pause before I was
prompted for my password, followed by another lengthy pause, before I
was logged into a shell. My initial reaction was that I had seen this
before and written about it here: http But try as I might, I was not able to attribute this problem to my previous experience. I was almost certain that the problem was somehow related to a DNS or reverse IP lookup issue, but even that line of investigation to did not "bear any fruit" and my logins remained painfully slow!
In a desperate attempt to troubleshoot and resolve the problem, I decided to employ tcpdump and monitor DNS lookups (still thinking that this was most definitely a DNS problem. Spoiler alert: it wasn't!).
I ran tcpdump (as shown below), while I attempted to login to the AIX system. The output from tcpdump showed that my login attempt was triggering a DNS lookup of a server called ldapserver1 and kerberos was also displayed.
# tcpdump -i en1 dst port 53 ... 17:09:11.324299 IP aixlpar1.34845 > ldapserver1.com.au: 21163+ TXT? _kerberos.aixlpar1. (36)
This was NOT expected. As far I as I knew, my local account, at the AIX level, was not and should not be trying to authenticate with a LDAP or Kerberos server. So, I checked my local account details and found that the SYSTEM attribute was set to "KRB5files OR compat"! This was WRONG!
# lsuser -f cgibson | grep SYS auth1=SYSTEM SYSTEM=KRB5files OR compat
I quickly changed this attribute to SYSTEM=compat, and low and behold, my logins worked just fine now!
# chuser SYSTEM="compat" cgibson # lsuser -f cgibson | grep SYS auth1=SYSTEM SYSTEM=compat
Another troubleshooting step I performed earlier, that should have alerted me to the likely source of the problem was, I could login with other accounts, including root, without experiencing any delays. It was just my account that had trouble.
|
