Have you seen my update on this issue? I.e. the release is close. I don't know how to diagnose this issue further (i.e. why the LAN domain is not resolved at all by pam_access). And I don't think I will be able to devote enough time to learn how to diagnose that until the release. Obviously it only affects users using pam_access, but still it seems it will lock them out of their boxes. It could well be an upstream issue. It could also be that debops setups are the only ones left using pam_access. Or that pam 1.7 is not yet widespread.
Though the issue should probably be moved to the upstream bug tracker.

Best Regards
Alban

On Thu, 17 Apr 2025 20:36:34 +0200 Alban Browaeys <pra...@yahoo.com> wrote:
> > On Mon, 14 Apr 2025 10:42:31 -0600 Sam Hartman <hartm...@debian.org> wrote:
> > "Alban" == Alban Browaeys <pra...@yahoo.com> writes:
> >
> > Alban> Is this change in domain resolution a regression or a fix?
> >
> > I think both behaviors are reasonable and so I do not propose to diverge
> > from upstream in this regard.
> >
> > I agree. This is a matter of policy and not a bug per se.
> >
> > But I think this deserves an entry in the NEWS file and maybe in the
> > release notes as one can end up being unable to login via ssh without a
> > change to his pam configuration after the upgrade from 15.3 to 1.7.0.
> > Not everyone reads the release notes but at least that could help them
> > sort out their setup once broken.
> >
> > So I will bug report debops (this rule comes from this ansible
> > collections project) to add the '.local' avahi domain to the pam
> > allowed domains.
> >
> > Can I close this bug report now, or should I wait for the NEWS entry to
>
> The issue might be more serious than I initially thought.
> Due to an issue with a particular option of avahi it ended up
> not starting anymore.
> And then pam_access failed on me again due to being unable to resolve
> at all (before it was falling back to mdns .local). It was not
> complaining about a .local name anymore but about a plain IP. At times
> IPv4, at other times link-local IPv6.
> I ended up adding both my local LAN IPv4 network IPs and IPv6 link-local
> fe80::0/64 to my access.conf, but the fact is the issue is not about
> resolving to .local instead of the dhcp/DNS LAN domain, but about not being
> able to resolve to the DNS LAN domain name at all.
>
> Though I won't be able to work on this issue seriously for at least 10
> days, I preferred to raise the issue.
> I will be able to do tests at times, but I don't expect much more.
>
> Cheers,
> Alban