[cups] Strange problem with CUPS on a Linux (CentOS 5.10) LAN

Robert Heller heller at deepsoft.com
Thu Dec 19 04:43:18 PST 2013


We have a LAN with a CentOS 5.10 server and a number of diskless workstations 
(also running CentOS 5.10 with NFS mounted filesystems).  *One* of these 
machines intermittently fails to see the printers served by the server.  

We are running the stock RHEL/CentOS 5 cups package: cups-1.3.7-30.el5_9.3.

I have tried everything I can think of.  I even changed the IP address of the 
problem machine, which 'fixed' it temporarily, but it is broken again.  

The only other difference is in the error_log files.  The working system 
contains this:

D [18/Dec/2013:15:44:18 -0500] Report: clients=0
D [18/Dec/2013:15:44:18 -0500] Report: jobs=0
D [18/Dec/2013:15:44:18 -0500] Report: jobs-active=0
D [18/Dec/2013:15:44:18 -0500] Report: printers=5
D [18/Dec/2013:15:44:18 -0500] Report: printers-implicit=1
D [18/Dec/2013:15:44:18 -0500] Report: stringpool-string-count=842
D [18/Dec/2013:15:44:18 -0500] Report: stringpool-alloc-bytes=6888
D [18/Dec/2013:15:44:18 -0500] Report: stringpool-total-bytes=19376
D [18/Dec/2013:15:44:19 -0500] cupsdNetIFUpdate: "lo" = localhost...
D [18/Dec/2013:15:44:19 -0500] cupsdNetIFUpdate: "eth0" = clearwater.wendellfreelibrary.org...
D [18/Dec/2013:15:44:19 -0500] cupsdNetIFUpdate: "eth0:1" = 10.163.1.10...
D [18/Dec/2013:15:44:19 -0500] cupsdNetIFUpdate: "lo" = localhost...
D [18/Dec/2013:15:44:19 -0500] cupsdNetIFUpdate: "eth0" = fe80::240:caff:fe8b:7846%eth0...

and the non-working machine contains this instead:

D [18/Dec/2013:14:47:50 -0500] cupsdReadClient: 9 POST / HTTP/1.1
D [18/Dec/2013:14:47:50 -0500] cupsdAuthorize: No authentication data provided.
D [18/Dec/2013:14:47:50 -0500] CUPS-Get-Printers
D [18/Dec/2013:14:47:50 -0500] CUPS-Get-Printers client-error-not-found: No destinations added.
D [18/Dec/2013:14:47:50 -0500] cupsdProcessIPPRequest: 9 status_code=406 (client-error-not-found)
D [18/Dec/2013:14:47:50 -0500] cupsdReadClient: 9 POST / HTTP/1.1
D [18/Dec/2013:14:47:50 -0500] cupsdAuthorize: No authentication data provided.
D [18/Dec/2013:14:47:50 -0500] Get-Jobs ipp://localhost/
D [18/Dec/2013:14:47:50 -0500] cupsdProcessIPPRequest: 9 status_code=0 (successful-ok)
D [18/Dec/2013:14:47:50 -0500] cupsdCloseClient: 9

What is going wrong? Why should two *identical* machines behave differently?
They are in fact the same make and model of machine! -- the only difference is
a different MAC address and a different IP address! They are running exactly
the same software, on the same hardware, with the same configuration files!

This *used* to work and only started happening since the update to CentOS 
5.10, so I'm *guessing* it is one of these patches that is causing problems:

* Mon Feb 25 2013 Tim Waugh <twaugh at redhat.com> 1:1.3.7-30:.3
- Fix for CVE-2012-5519 patch: handle blacklisted lines that have no
  value part gracefully.
  
* Fri Feb 15 2013 Tim Waugh <twaugh at redhat.com> 1:1.3.7-30:.2
- Added documentation for new CVE-2012-5519 option.

* Thu Feb 07 2013 Tim Waugh <twaugh at redhat.com> 1:1.3.7-30:.1
- Applied patch to fix CVE-2012-5519 (privilege escalation for users
  in SystemGroup or with equivalent polkit permission).  This prevents
  HTTP PUT requests with paths under /admin/conf/ other than that for
  cupsd.conf, and also prevents such requests altering certain
  configuration directives such as PageLog and FileDevice (bug #875898).
        


This is the /etc/cups/cupsd.conf file on the server:

LogLevel debug2
SystemGroup sys root admin
# Allow remote access
Port 631
Listen /var/run/cups/cups.sock
# Enable printer sharing and shared printers.
Browsing On
BrowseOrder allow,deny
# (Change '@LOCAL' to 'ALL' if using directed broadcasts from another subnet.)
BrowseAllow @LOCAL
BrowseAddress @LOCAL
DefaultAuthType Basic
<Location />
  # Allow shared printing and remote administration...
  Order allow,deny
  Allow all
</Location>
<Location /admin>
  Allow from localhost
  Allow from 192.168.1.28
  Allow from 192.168.1.29
  Allow from 192.168.1.5
  # Allow remote administration...
  Order allow,deny
  Allow all
</Location>
<Location /admin/conf>
  AuthType Basic
  Require user @SYSTEM
  Allow localhost
  # Allow remote access to the configuration files...
  Order allow,deny
  Allow all
</Location>
<Policy default>
  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job>
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>
  <Limit Pause-Printer Resume-Printer Set-Printer-Attributes Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Add-Printer CUPS-Delete-Printer CUPS-Add-Class CUPS-Delete-Class CUPS-Accept-Jobs CUPS-Reject-Jobs CUPS-Set-Default>
    AuthType Basic
    Require user @SYSTEM
    Order deny,allow
  </Limit>
  <Limit CUPS-Authenticate-Job>
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>
  <Limit All>
    Order deny,allow
  </Limit>
</Policy>

And /etc/cups/printers.conf on the server:

# Printer configuration file for CUPS v1.3.7
# Written by cupsd on 2012-07-24 16:47
<DefaultPrinter BlackandWhiteLaserjet>
Info This is the black and white laser jet
Location printer table
DeviceURI socket://192.168.1.246:9100
State Idle
StateTime 1340134037
Accepting Yes
Shared Yes
JobSheets none none
QuotaPeriod 0
PageLimit 0
KLimit 0
OpPolicy default
ErrorPolicy retry-job
</Printer>
<Printer Officejet_Color>
Info Officejet_Color
Location Printer Area
DeviceURI socket://192.168.1.253
State Idle
StateTime 1343162613
Accepting Yes
Shared Yes
JobSheets none none
QuotaPeriod 0
PageLimit 0
KLimit 0
OpPolicy default
ErrorPolicy retry-job
</Printer>

And /etc/cups/cupsd.conf on the client workstations (all are the same -- it is 
on an NFS-mounted root file system):

#
# "$Id: cupsd.conf.in 7199 2008-01-08 00:16:30Z mike $"
#
#   Sample configuration file for the Common UNIX Printing System (CUPS)
#   scheduler.  See "man cupsd.conf" for a complete description of this
#   file.
#
MaxLogSize 2000000000

# Log general information in error_log - change "info" to "debug" for
# troubleshooting...
LogLevel debug

# Administrator user group...
SystemGroup sys root


# Allow remote access
Port 631
Listen /var/run/cups/cups.sock
# Only listen for connections from the local machine.
#Listen localhost:631
#Listen /var/run/cups/cups.sock

# Show shared printers on the local network.
Browsing On
BrowseOrder allow,deny
# (Change '@LOCAL' to 'ALL' if using directed broadcasts from another subnet.)
BrowseAllow @LOCAL
BrowseAllow 192.168.1.28
BrowseAllow 192.168.1.29
BrowseAllow 192.168.1.5
BrowseAllow 192.168.1.254
BrowseAllow 10.163.1
BrowseAddress @LOCAL
 
# Default authentication type, when authentication is required...
DefaultAuthType Basic

# Restrict access to the server...
<Location />
  Order allow,deny
  Allow all
</Location>

# Restrict access to the admin pages...
<Location /admin>
  Order allow,deny
  Allow localhost
</Location>

# Restrict access to configuration files...
<Location /admin/conf>
  AuthType Default
  Require user @SYSTEM
  Order allow,deny
</Location>

# Set the default printer/job policies...
<Policy default>
  # Job-related operations must be done by the owner or an administrator...
  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job>
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>

  # All administration operations require an administrator to authenticate...
  <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
    AuthType Default
    Require user @SYSTEM
    Order deny,allow
  </Limit>

  # All printer operations require a printer operator to authenticate...
  <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Accept-Jobs CUPS-Reject-Jobs>
    AuthType Default
    Require user @SYSTEM
    Order deny,allow
  </Limit>

  # Only the owner or an administrator can cancel or authenticate a job...
  <Limit Cancel-Job CUPS-Authenticate-Job>
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>

  <Limit All>
    Order deny,allow
  </Limit>
</Policy>

#
# End of "$Id: cupsd.conf.in 7199 2008-01-08 00:16:30Z mike $".
#



-- 
Robert Heller             -- 978-544-6933 / heller at deepsoft.com
Deepwoods Software        -- http://www.deepsoft.com/
()  ascii ribbon campaign -- against html e-mail
/\  www.asciiribbon.org   -- against proprietary attachments
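
Added example, not part of the original message: a small audit of the <Location /admin...> blocks in the two cupsd.conf files posted above. It reports admin paths where "Allow all" appears with no Deny line, which admits every host and makes the per-host Allow lines in the same block redundant. The function names are hypothetical and the input is copied from the posted files with comment lines dropped.

```python
import re

# Constructed input: the /admin <Location> blocks from the two cupsd.conf
# files in the message above (comment lines dropped).
SERVER = """<Location /admin>
  Allow from localhost
  Allow from 192.168.1.28
  Allow from 192.168.1.29
  Allow from 192.168.1.5
  Order allow,deny
  Allow all
</Location>
<Location /admin/conf>
  AuthType Basic
  Require user @SYSTEM
  Allow localhost
  Order allow,deny
  Allow all
</Location>"""
CLIENT = """<Location /admin>
  Order allow,deny
  Allow localhost
</Location>"""

def parse_locations(text):
    """Map each <Location path> to its Allow/Deny hosts and a Require flag."""
    locs, cur = {}, None
    for line in (l.strip() for l in text.splitlines()):
        opened = re.match(r"<Location\s+(\S+)>$", line, re.I)
        if opened:
            cur = locs.setdefault(opened.group(1),
                                  {"allow": [], "deny": [], "require": False})
        elif line.lower() == "</location>":
            cur = None
        elif cur is not None and line and not line.startswith("#"):
            words = line.split()
            key = words[0].lower()
            if key in ("allow", "deny"):
                # Both "Allow from host" and "Allow host" appear in the posted files.
                cur[key].append(words[-1].lower())
            elif key == "require":
                cur["require"] = True
    return locs

def audit_admin(text):
    """Return (path, shadowed_hosts, auth_required) for admin paths open to any host."""
    findings = []
    for path, loc in parse_locations(text).items():
        if path.startswith("/admin") and "all" in loc["allow"] and not loc["deny"]:
            shadowed = [h for h in loc["allow"] if h != "all"]
            findings.append((path, shadowed, loc["require"]))
    return findings
```

Calling audit_admin(SERVER) lists both /admin and /admin/conf; audit_admin(CLIENT) returns an empty list because the workstation file allows only localhost.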


                                                                                                                         


