Moving a working Suse Linux CUPS PC to a new subnet IP address
Paul McIlfatrick
paul.mcilfatrick at bt.com
Wed Aug 22 06:04:08 PDT 2007
> Paul McIlfatrick wrote:
> > > Paul McIlfatrick wrote:
> > >
> > > > There are 3 subnets one for each floor in our offices (10.230.197.x,
> > > > 10.230.198.x, 10.230.199.x) and our printhost works fine when on
> > > > 10.230.199.x subnet.
> > >
> > > What is the 'netmask' for each of the 3 address ranges??
> >
> > 255.255.255.0
>
> Gotcha. :-)
>
> Kurt's questions are pointing directly to the cause of the issue.
> Thanks (and for your additional and correct help too), Kurt.
>
> Cups daemon is working then as designed: it's only allowing from a
> specified network to do admin tasks. Remember, if you change the ip
> address of your ethernet card, then the @LOCAL macro is changing with
> that too.
>
> The former allowing subnet 10.230.199.x/255.255.255.0 (= @LOCAL) is
> changed by that move: the new subnet to 10.230.189.x/255.255.255.0 can
> now do the tasks. Which means no one is any longer allowed to do admin
> tasks from 10.230.199.x, but from 10.230.189.x
>
> You can fix this in two ways, and every time /etc/cups/cupsd.conf needs
> to be modified:
> 1. Either create an explicit rule to allow admin tasks from
> 10.230.199.0/255.255.255.0 and modify the </admin> section
> appropriate:
> <Location /admin>
> [...]
> Allow 10.230.199.0/255.255.255.0
> </Location>
> <Location /admin/conf>
> [...]
> Allow 10.230.199.0/255.255.255.0
> </Location>
> 2. Or change your subnet mask to 255.255.0.0, and allow everyone (in
> changing so) doing admin tasks
>
> and a "/etc/init.d/cups restart" after modifying the config file
> is necessary, to notify the daemon to reread the file and apply the
> changes. To point it out: a reboot is not necessary to do so.
Tested your suggestion now as the CUPS PC cannot be moved to the 10.230.189.x subnet until early tomorrow morning.
Used a Windows server on our 10.230.189.x subnet (the CUPS PC is back on its original 10.230.199.x subnet) to access the http://printhost:631/ CUPS admin page and, as expected, got the '403 Forbidden' message.
Edited the /etc/cups/cupsd.conf file and added the following as you suggested:
...
<Location /admin>
AuthType BasicDigest
AuthClass Group
AuthGroupName sys
# Allow remote administration...
Order allow,deny
Allow @LOCAL
Allow 10.230.189.0/255.255.255.0
# Allow 10.230.199.0/255.255.255.0
</Location>
# Allow remote access to the configuration files...
<Location /admin/conf>
AuthType Basic
Require user @SYSTEM
Order allow,deny
Allow @LOCAL
Allow 10.230.189.0/255.255.255.0
# Allow 10.230.199.0/255.255.255.0
</Location>
...
Then issued the '/etc/init.d/cups restart' command.
Still able to access the http://printhost:631/ CUPS admin page from my PC which is on the same 10.230.199.x subnet as the CUPS PC.
However, the Windows server on the 10.230.189.x subnet still gets the '403 Forbidden' message despite the changes to the /etc/cups/cupsd.conf file!
Is there any problem with what I added?
Paul McIlfatrick
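
An added example, not part of the original post or of CUPS itself: a Python model of how the Allow rules in the two posted blocks resolve for a client address and request path. It assumes deny-by-default for "Order allow,deny" (as the cupsd.conf man page for CUPS 1.2 and later describes), longest-prefix matching of the request path against Location blocks, and @LOCAL expanding to the host's interface subnet as the quoted reply describes; the host and client addresses passed in are constructed.

```python
import ipaddress
import re

# Constructed sample: the two blocks from the post, with the auth lines omitted.
CUPSD_CONF = """
<Location /admin>
Order allow,deny
Allow @LOCAL
Allow 10.230.189.0/255.255.255.0
# Allow 10.230.199.0/255.255.255.0
</Location>
<Location /admin/conf>
Order allow,deny
Allow @LOCAL
Allow 10.230.189.0/255.255.255.0
</Location>
"""

def parse_locations(text):
    """Return {path: [allow entries]} for each <Location> block."""
    locations, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        m = re.fullmatch(r"<Location\s+(\S+)>", line)
        if m:
            current = locations.setdefault(m.group(1), [])
        elif line == "</Location>":
            current = None
        elif current is not None and line.lower().startswith("allow "):
            current.append(line.split()[-1])
    return locations

def best_location(locations, path):
    """Longest-prefix match on the request path; None if no block applies."""
    hits = [p for p in locations if path.startswith(p)]
    return max(hits, key=len) if hits else None

def is_allowed(locations, path, client, host_iface):
    """Decision for `client`; None means no parsed block governs `path`."""
    loc = best_location(locations, path)
    if loc is None:
        return None
    # Assumption: "Order allow,deny" denies unless an Allow entry matches.
    local = ipaddress.ip_interface(host_iface).network  # what @LOCAL expands to
    nets = [local if a == "@LOCAL" else ipaddress.ip_network(a)
            for a in locations[loc]]
    return any(ipaddress.ip_address(client) in n for n in nets)
```

For a request to "/" the function returns None: neither posted block governs that path, and the rest of the file is elided in the post, so the rule that applies to it is not visible here.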