Moving a working Suse Linux CUPS PC to a new subnet IP address

Paul McIlfatrick paul.mcilfatrick at bt.com
Wed Aug 22 04:08:44 PDT 2007


> > ServerName printhost.xxxx.yyyy.zzzz
> > ServerAdmin services at xxxx.yyyy.zzzz
> > # Show troubleshooting information in error_log.
> > LogLevel debug
> > Printcap /etc/cups/printcap
> > User lp
> > Group lp
> > RunAsUser Yes
>
> RunAsUser is no longer supported in CUPS 1.2.x (unless you are using a
> $Debian or $Ubuntu distro, which are patching CUPS to change that back,
> somehow .... but look at their bug trackers to see which new problems
> that creates for them....)

This Suse Linux CUPS PC was built by a colleague, who has now left the company, in August 2006. He may have copied a previous cupsd.conf file from our previous CUPS installation on a Solaris machine when building this replacement CUPS machine.


> > # Allow remote access
> > Port 631
> > # Show shared printers on the local network.
> > Browsing On
> > BrowseOrder allow,deny
> > BrowseAllow @LOCAL
> > <Location />
> >   # Allow remote administration...
> >   Order allow,deny
> >   Allow @LOCAL
> > </Location>
> > <Location /admin>
> >   AuthType BasicDigest
> >   AuthClass Group
> >   AuthGroupName sys
> >   # Allow remote administration...
> >   Order allow,deny
> >   Allow @LOCAL
> > </Location>
> > # Allow remote access to the configuration files...
> > <Location /admin/conf>
> >   AuthType Basic
>
> Why do you use 2 different AuthTypes for '/admin' and for '/admin/conf'
> locations? Any specific reason?

As said above, this PC was built by a colleague who has now left the company.

> You are aware that 'BasicDigest' uses a separate 'lppasswd.md5' user
> database? And that this must first be populated using the "lppasswd"
> command?
>
> 'Basic' uses the system's standard /etc/{passwd,shadow} (or PAM-con-
> trolled) user data bases...

One username and password was set up for the admin when the Suse Linux PC was built in August 2006 and my team use it to log in and administer the CUPS printers.


> > When printhost is moved to an IP address in this new subnet range, e.g.
> > 10.230.189.192, then:
> >
> > 1) all users on all the 10.230.197.x, 10.230.198.x, 10.230.199.x subnets
> > can print OK.
>
> Sorry, I overlooked and misunderstood this part of your message when I
> wrote my first reply. I was under the impression, your users could *not*
> print either, after your server moved.
>
> > 2) my team can no longer access the http://printhost:631/ CUPS admin
> > page from our PCs which are on the 10.230.199.x subnet and we get the
> > '403 Forbidden' message.
>
> Hmm... that indeed is strange. Unless I'm temporarily blinded and over-
> looked some obvious thing, your quoted part of cupsd.conf does not show
> any setting that should disallow admin page access after moving to the
> new subnet, while still allowing users to print from their current sub-
> nets....
>
> > Hope this extra information is helpful and will identify what needs to
> > be changed to get this problem resolved.
>
> So... what are the other (non-comment) settings in your cupsd.conf?

The complete cupsd.conf file:

ServerName printhost.xxxx.yyyy.zzzz
ServerAdmin services at xxxx.yyyy.zzzz
# Show troubleshooting information in error_log.
LogLevel debug
Printcap /etc/cups/printcap
User lp
Group lp
RunAsUser Yes
# Allow remote access
Port 631
# Show shared printers on the local network.
Browsing On
BrowseOrder allow,deny
BrowseAllow @LOCAL
<Location />
  # Allow remote administration...
  Order allow,deny
  Allow @LOCAL
</Location>
<Location /admin>
  AuthType BasicDigest
  AuthClass Group
  AuthGroupName sys
  # Allow remote administration...
  Order allow,deny
  Allow @LOCAL
</Location>
# Allow remote access to the configuration files...
<Location /admin/conf>
  AuthType Basic
  Require user @SYSTEM
  Order allow,deny
  Allow @LOCAL
</Location>
<Policy default>
  # Job-related operations must be done by the owner or an adminstrator...
  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job>
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>
  # All administration operations require an adminstrator to authenticate...
  <Limit Pause-Printer Resume-Printer Set-Printer-Attributes Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Add-Printer CUPS-Delete-Printer CUPS-Add-Class CUPS-Delete-Class CUPS-Accept-Jobs CUPS-Reject-Jobs CUPS-Set-Default CUPS-Add-Device CUPS-Delete-Device>
    AuthType Basic
    Require user @SYSTEM
    Order deny,allow
</Limit>
  <Limit All>
  Order deny,allow
  </Limit>
</Policy>


> Your config is relying on the "@LOCAL" shortcut/macro. In case this one
> does not work as expected, you may want to try and replace it with multi-
> ple lines like
>
>   Allow From 10.230.197.*
>   Allow From 10.230.198.*
>   Allow From 10.230.199.*
>
> and restart cupsd.

I will have to move the CUPS PC to its new subnet to test this but it will not now be possible until tomorrow morning (I am in the UK).


Paul McIlfatrick
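
The three points the quoted reply raises about this cupsd.conf (RunAsUser, reliance on @LOCAL, and different AuthType values under /admin), checked by a small script. This is an added example, not part of the original message or of CUPS; `parse_conf`, `audit` and the trimmed sample are hypothetical names and constructed input, and the parser handles only the section syntax seen in the file above.

```python
# Constructed sample: access-control lines copied from the cupsd.conf in the message.
SAMPLE_CONF = """\
RunAsUser Yes
<Location />
  Allow @LOCAL
</Location>
<Location /admin>
  AuthType BasicDigest
  Allow @LOCAL
</Location>
<Location /admin/conf>
  AuthType Basic
  Allow @LOCAL
</Location>
"""

def parse_conf(text):
    """Return ({location: {directive: [values]}}, [top-level directive names])."""
    locations, top_level, stack = {}, [], []
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):
            del stack[-1:]  # close the innermost open section
        elif line.startswith("<"):
            kind, _, arg = line.strip("<>").partition(" ")
            stack.append((kind, arg.strip()))
            if kind == "Location":
                locations.setdefault(arg.strip(), {})
        else:
            name, _, value = line.partition(" ")
            if not stack:
                top_level.append(name)
            elif stack[-1][0] == "Location":  # directives in Policy/Limit are skipped
                locations[stack[-1][1]].setdefault(name, []).append(value.strip())
    return locations, top_level

def audit(text):
    """Report the three points the reply raises about this configuration."""
    locations, top_level = parse_conf(text)
    findings = ["RunAsUser is set (reply: unsupported in CUPS 1.2.x)"] if "RunAsUser" in top_level else []
    for path, d in locations.items():
        if any("@LOCAL" in v.upper().split() for v in d.get("Allow", [])):
            findings.append(f"{path}: Allow relies on @LOCAL")
    auth = {p: d["AuthType"][0] for p, d in locations.items() if "AuthType" in d}
    if len(set(auth.values())) > 1:
        findings.append("mixed AuthType: " + ", ".join(f"{p}={a}" for p, a in sorted(auth.items())))
    return findings
```

Calling `audit()` on the text of the real /etc/cups/cupsd.conf before and after swapping @LOCAL for explicit `Allow From` lines shows which locations still depend on the macro.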



