I recently discovered the following issue. I will try to describe the problem with the new installation of my system exactly. The problem occurs when I select a profile through authselect with the module “with-pam-u2f-2fa”. It makes no difference whether I load a custom local or sssd profile.
The problem I am talking about is that I tried to install a printer and got the following issue: “Unable to connect to BRWF8DA0C348645.local:631: Temporary failure in name resolution”.
It’s not possible to solve the problem by changing the profile back to “local” or by uninstalling pam-u2f and pamu2fcfg.
Before I loaded the custom profile with the PAM module, the installation worked without an issue.
So at the moment I use the printer through USB; this works without any problem.
Do you know how to solve it? What am I doing wrong?
There is a hosts ... line in /etc/nsswitch.conf that might change depending on which authselect profile you are using. Different settings there might cause a problem with name resolution. Can you provide us with the contents of that line for the working versus the non-working authselect profiles so that we can compare them?
Edit:
Oh. That might make it much harder to solve the problem. Those .local DNS names require that Multicast DNS be enabled. Does resolvectl show that mdns is enabled?
Edit2:
Does authselect current show with-mdns4 and with-mdns6? If not, you probably need to enable them with sudo authselect enable-feature with-mdns4 and sudo authselect enable-feature with-mdns6. Beware that those commands might cause your session to log out when you run them, so be sure you have all your work saved before you try that.
files myhostname {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] dns
The local hosts line with PAM (with-pam-u2f-2fa) shows:
files myhostname resolve [!UNAVAIL=return] dns
The local hosts line in the version without PAM shows:
files myhostname mdns4_minimal [NOTFOUND=return] resolve [!UNAVAIL=return] dns
The group-line also has different entries between the local with and without PAM.
resolvectl shows:
Global
Protocols: LLMNR=resolve -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub
Link 2 (I think lan (enp....))
Current Scopes: none
Protocols: -DefaultRoute LLMNR=resolve -mDNS -DNSOverTLS DNSSEC=no/unsupported
Default Route: no
Link 3 (I think wifi (wlp...))
Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
Protocols: +DefaultRoute LLMNR=resolve -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: [] (I deleted the servernumber)
DNS Servers: [] (I deleted the servernumber - but same like above)
Default Route: yes
authselect current shows, on my daily driver system with the same issue (but a custom profile of local, not sssd), only the -with-pam-u2f-2fa module. But what are these features for? What impact do they have on my FIDO2-Key-Authentication?
The with-mdns4 and with-mdns6 are to enable Multicast DNS. I think that is what is needed in order for your printer to work since its DNS name ends in .local.
Enabling mdns should not affect your FIDO2-Key-Authentication.
I think you should be able to enable all of with-pam-u2f-2fa, with-mdns4, and with-mdns6 at the same time.
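An added sketch, not part of the thread and not authselect's own code, that expands the template hosts line quoted above for a given set of enabled features and checks whether an mdns NSS module is consulted before resolve/dns. It handles only the {if ...:...} forms visible in that line (feature names joined with and / not); the function names are made up for this example.

```python
import re

# Template hosts line as quoted in the thread (authselect profile nsswitch.conf).
TEMPLATE = ('files myhostname {if "with-libvirt":libvirt libvirt_guest }'
            '{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }'
            '{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }'
            '{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }'
            'resolve [!UNAVAIL=return] dns')

COND = re.compile(r'\{if ([^:{}]+):([^{}]*)\}')   # {if CONDITION:text}
TERM = re.compile(r'(not )?"([^"]+)"')            # "feature" or not "feature"

def _holds(expr, features):
    """Evaluate an 'and'-joined list of optionally negated feature names."""
    for term in expr.split(' and '):
        m = TERM.fullmatch(term.strip())
        if m is None:
            raise ValueError(f'unsupported condition: {term!r}')
        negated, name = bool(m.group(1)), m.group(2)
        if (name in features) == negated:
            return False
    return True

def render_hosts(template, features):
    """Expand every {if CONDITION:text} block for the enabled features."""
    return COND.sub(
        lambda m: m.group(2) if _holds(m.group(1), features) else '', template)

def mdns_before_resolve(hosts_line):
    """True if an mdns* NSS module comes before resolve/dns on the line."""
    for module in (w for w in hosts_line.split() if not w.startswith('[')):
        if module.startswith('mdns'):
            return True
        if module in ('resolve', 'dns'):
            return False
    return False

if __name__ == '__main__':
    # Feature sets discussed in the thread.
    for feats in ({'with-pam-u2f-2fa'},
                  {'with-pam-u2f-2fa', 'with-mdns4'},
                  {'with-pam-u2f-2fa', 'with-mdns4', 'with-mdns6'}):
        line = render_hosts(TEMPLATE, feats)
        print(sorted(feats), '->', line, '| mdns first:', mdns_before_resolve(line))
```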
Thanks a lot for your help. Now it works as it should.
One last question:
What’s the difference between the custom profile of sssd and local? I do not host a server by myself, so I have to use the custom profile of local, right?
The sssd profile is more complex than the local profile. It adds support for network sign-ins (if your computer is joined to a domain and you need to be able to sign in with a computer account that is kept on a central server).
You can use either profile. The sssd profile also works with local accounts. It just adds unnecessary complexity if you are not using that part of the system.