Moving a working Suse Linux CUPS PC to a newsubnet IP address

Kurt Pfeifle k1pfeifle at gmx.net
Wed Aug 22 03:12:16 PDT 2007 

Paul McIlfatrick wrote:
>> Paul McIlfatrick wrote:
>>> A few days ago I posted to this newsgroup about not being able to
>>> access the http://printhost:631/ CUPS admin pages after we had moved
>>> our fully working Suse Linux PC to a new subnet IP address. Printing
>>> worked fine after the move.
>>>
>>> Today, I moved the PC back to its old IP address. We are again able
>>> to access the http://printhost:631/ CUPS admin pages and printing
>>> works!
>>>
>>>
>>> Our Suse Linux CUPS PC must be moved to the new subnet.
>> In general this should be no problem.
>>
>>> Does anyone know what needs to be modified so that after the change
>>> of IP address for a CUPS PC the http://printhost:631/ CUPS admin
>>> pages are accessible?
>> Assuming that "printhost" is the valid name of the new network
>> location. I think, it's unneccersary to say, that using the old
>> network name (of old ip adress) is an useless attempt. :-)
> 
> We modify the DNS entry of printhost in our master DNS server when we are 
> moving the Suse PC to its new IP address, so printhost is correct.
> 
> 
>> I see two issues at the moment:
>> a) your network address (= ip address) changes after (!) start of cups
>>    daemon.
>>    Solution:
>>    - don't do that. :) Either configure correct adress into your
>>      system, e.g. edit /etc/hosts
> 
> The following three files are modified when moving a Suse Linux PC to a 
> new IP address:
> 
> /etc/hosts
> /etc/sysconfig/network/routes
> /etc/sysconfig/network/ifcfg-eth-id-<MAC address>
> 
> The PC is then rebooted and the new subnet LAN cable attached during 
> the reboot.
> 
>>    - or re-start cups after new network configuration, do as root
>>      on a command line shell: /etc/init.d/cups restart
>> b) your cups configuration (file: /etc/cups/cupsd.conf) contains
>>    values of old subnet. Change the file appropriate.
> 
> No mention is made of any subnet in the /etc/cups/cupsd.conf file.
> 
> 
> Here is part of the /etc/cups/cupsd.conf file:

Which part is missing? (If it's only comments, that's OK. If it is some-
thing like "DefaultAuthType", it would be important.... Also, your Policy
definitions could be interfering with your other settings....)

> ServerName printhost.xxxx.yyyy.zzzz
> ServerAdmin services at xxxx.yyyy.zzzz
> # Show troubleshooting information in error_log.
> LogLevel debug
> Printcap /etc/cups/printcap
> User lp
> Group lp
> RunAsUser Yes

RunAsUser is no longer supported in CUPS 1.2.x (unless you are using a
$Debian or $Ubuntu distro, which are patching CUPS to change that back,
somehow .... but look at their bug trackers to see which new problems
that creates for them....)

> # Allow remote access
> Port 631
> # Show shared printers on the local network.
> Browsing On
> BrowseOrder allow,deny
> BrowseAllow @LOCAL
> <Location />
>   # Allow remote administration...
>   Order allow,deny
>   Allow @LOCAL
> </Location>
> <Location /admin>
>   AuthType BasicDigest
>   AuthClass Group
>   AuthGroupName sys
>   # Allow remote administration...
>   Order allow,deny
>   Allow @LOCAL
> </Location>
> # Allow remote access to the configuration files...
> <Location /admin/conf>
>   AuthType Basic

Why do you use 2 different AuthTypes for '/admin' and for '/admin/conf'
locations? Any specific reason?

You are aware that 'BasicDigest' uses a separate 'lppasswd.md5' user
database? And that this must first be populated using the "lppasswd"
command?

'Basic' uses the system's standard /etc/{passwd,shadow} (or PAM-con-
trolled) user data bases...

>   Require user @SYSTEM
>   Order allow,deny
>   Allow @LOCAL
> </Location>
> <Policy default>
> 
> <snip>
> 
> 
> There are 3 subnets one for each floor in our offices (10.230.197.x, 
> 10.230.198.x, 10.230.199.x) and our printhost works fine when on 
> 10.230.199.x subnet.
> 
> Printing works fine for all users on all the subnets and my team can 
> access the http://printhost:631/ CUPS admin pages from their PCs which 
> are also on the same 10.230.199.x subnet.
> 
> 
> Because of a policy decision all our servers must be moved to a new 
> subnet away from the users. This new subnet is 10.230.189.x.
> 
> When printhost is moved to an IP address in this new subnet range, e.g. 
> 10.230.189.192, then:
> 
> 1) all users on all the 10.230.197.x, 10.230.198.x, 10.230.199.x subnets 
> can print OK.

Sorry, I overlooked and misunderstood this part of your message when I
wrote my first reply. I was under the impression, your users could *not*
print either, after your server moved.

> 2) my team can no longer access the http://printhost:631/ CUPS admin 
> page from our PCs which are on the 10.230.199.x subnet and we get the 
> '403 Forbidden' message.

Hmm... that indeed is strange. Unless I'm temporarily blinded and over-
looked some obvious thing, your quoted part of cupsd.conf does not show
any setting that should disallow admin page access after moving to the
new subnet, while still allowing users to print from their current sub-
nets....

> Hope this extra information is helpful and will identify what needs to 
> be changed to get this problem resolved.

So... what are the other (non-comment) settings in your cupsd.conf?

> Paul McIlfatrick

Another shot into the dark:

Your config is relying on the "@LOCAL" shortcut/macro. In case this one
does not work as expected, you may want to try and replace it with multi-
ple lines like

  Allow From 10.230.197.*
  Allow From 10.230.198.*
  Allow From 10.230.199.*

and restart cupsd.

-- 
Kurt Pfeifle
System & Network Printing Consultant ---- Linux/Unix/Windows/Samba/CUPS
Infotec Deutschland GmbH  .....................  Hedelfinger Strasse 58
A RICOH Company  ...........................  D-70327 Stuttgart/Germany

More information about the cups mailing list