# slow su/sudo, probably due to DNS issues [SOLVED]

## ggeeoo

It seems that every time I do a "su -", su does a DNS lookup, and if that lookup is slow then su takes a lot of time to respond. According to tcpdump, su is looking for the domain _kerberos.<hostname>. Is there a way to disable that? This is very annoying. One time my DNS server went down and I couldn't log in as root because of that.

Last edited by ggeeoo on Mon Dec 13, 2010 1:08 pm; edited 1 time in total

----------

## phoenix juice

Did you do the following:

 *Quote:*   

> Writing Down Network Information
> 
> You now need to inform Linux about your network. This is defined in /etc/hosts and helps in resolving host names to IP addresses for hosts that aren't resolved by your nameserver. You need to define your system. You may also want to define other systems on your network if you don't want to set up your own internal DNS system.
> 
> Code Listing 2.10: Opening /etc/hosts
> ...

 

----------

## ggeeoo

 *phoenix juice wrote:*   

> did you do the following:
> 
> [...]
> 
> 

 

Yes, I did. Besides, I don't see why su should try to resolve hostnames completely unrelated to the hostname of the host machine.

----------

## madchaz

I'm stuck with the same issue. Anyone have any idea?

----------

## Veldrin

Could you paste the contents of /etc/pam.d/system-auth?

And the USE flag settings for sys-auth/pambase and sys-libs/pam.

From the description, it seems that it tries a kerberos auth first, which could be caused by a misconfiguration in PAM or wrong USE flags.

----------

## madchaz

```
madchaz@sonofboo ~ $ cat /etc/pam.d/system-auth
auth            required        pam_env.so
auth            required        pam_unix.so try_first_pass likeauth nullok
auth            optional        pam_permit.so
account         required        pam_unix.so
account         optional        pam_permit.so
password        required        pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password        required        pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password        optional        pam_permit.so
session         required        pam_limits.so
session         required        pam_env.so
session         required        pam_unix.so
session         optional        pam_permit.so
```

 *Quote:*   

> USE="X gtk extras -qt3support -kde dbus png  gnome hal -alsa -ipv6 latin1 -perl"

 

----------

## Veldrin

system-auth looks normal.

What I meant with USE flags for pam and pambase was something along the lines of eix -e pam; eix -e pambase or emerge -pv pam pambase

You mentioned the same issue. Similar in what way?

----------

## madchaz

Similar in what way: Same symptoms. I do su -, hit enter, enter my password, wait 10/20 seconds before I get a bash prompt as root.

However, if I remove my DNS server from resolv.conf, I can still log in as root. It just takes even longer.

Sorry about providing the wrong output. 

```
sonofboo ~ # emerge -pv pam pambase

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild   R   ] sys-libs/pam-1.1.3  USE="berkdb cracklib nls -audit -debug (-selinux) -test -vim-syntax" 0 kB
[ebuild   R   ] sys-auth/pambase-20101024  USE="cracklib sha512 -consolekit -debug -gnome-keyring -kerberos -minimal -mktemp -passwdqc (-selinux) -ssh" 0 kB

Total: 2 packages (2 reinstalls), Size of downloads: 0 kB
```

Very likely unrelated, but I've also been having authentication problems when trying to do X forwarding with SSH. See the following post: https://forums.gentoo.org/viewtopic-t-853989.html?sid=a8b2f9526383d0aedfca7f152475ad07

----------

## ggeeoo

In my case, the problem is caused by the kerberos USE flag in sys-auth/pambase. If I disable it then there is no problem. But if kerberos is enabled for sys-auth/pambase and /etc/resolv.conf contains an unresponsive nameserver then "su -" takes a lot of time to complete.

----------

## madchaz

No kerberos USE flag here. Still stuck with the issue, however.

----------

## Ant P.

If you're not using pam specifically, I'd suggest just removing it.

----------

## madchaz

I'm not really interested in removing PAM, as a lot of the things I do on the machine depend on it. Used to work fine too.

----------

## ggeeoo

According to the changelog for sys-auth/pambase:

```
28 Nov 2010; Constanze Hausner <constanze@gentoo.org>
pambase-20090620.1-r1.ebuild, pambase-20100310.ebuild,
pambase-20100925.ebuild, pambase-20101024.ebuild, metadata.xml:
Renamed useflags ssh/kerberos to pam_ssh/pam_krb5 and changed kerberos dep
to >=sys-auth/pam_krb5-4.3
```

so that solves my problem (kerberos for pambase is now not enabled by the desktop profile).

----------
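The thread traces the slow "su -" to a Kerberos module pulled into the PAM stack by a pambase USE flag. The following is an added example, not code from the thread or from Gentoo: it walks a service's PAM stack through its include lines and reports where a network-dependent module appears. The module name pam_krb5.so, the function names and the sample files are assumptions constructed for the illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumption: modules treated as network-dependent (DNS/KDC); extend as needed.
NETWORK_MODULES = {"pam_krb5.so"}
LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")  # type control module

def effective_stack(pam_dir, service, only_type=None, chain=()):
    """List (file, type, control, module) for a service. An 'include' or
    'substack' line pulls in only lines of the same type from its target."""
    if service in chain:                      # guard against include loops
        return []
    path = Path(pam_dir) / service
    if not path.is_file():
        return []
    out = []
    for raw in path.read_text().splitlines():
        m = LINE.match(raw.split("#", 1)[0].strip())
        if not m:
            continue
        ptype, control, target = m.groups()
        if only_type and ptype != only_type:
            continue
        if control in ("include", "substack"):
            out += effective_stack(pam_dir, target, ptype, chain + (service,))
        else:
            out.append((service, ptype, control, Path(target).name))
    return out

def network_modules(pam_dir, service):
    return [e for e in effective_stack(pam_dir, service)
            if e[3] in NETWORK_MODULES]

def build_sample(root, with_krb5):
    """Write constructed sample configs (not copied from a real system)."""
    krb = "auth sufficient pam_krb5.so try_first_pass\n" if with_krb5 else ""
    (root / "system-auth").write_text(
        "auth required pam_env.so\n" + krb +
        "auth required pam_unix.so try_first_pass likeauth nullok\n"
        "account required pam_unix.so\n")
    (root / "su").write_text(
        "auth sufficient pam_rootok.so\n"
        "auth include system-auth\naccount include system-auth\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample(Path(d), with_krb5=True)
        for src, ptype, control, module in network_modules(d, "su"):
            print(f"su -> {src}: {ptype} {control} {module}")
```

Pointing `effective_stack` at /etc/pam.d with the service name `su` or `sudo` shows whether such a module is reached before pam_unix.so on a real system.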

