[cups-devel] [UNKN] STR #4320: Strange problem with CUPS on a Linux (CentOS 5.10) LAN
heller at deepsoft.com
Fri Dec 20 06:57:09 PST 2013
DO NOT REPLY TO THIS MESSAGE. INSTEAD, POST ANY RESPONSES TO THE LINK BELOW.
[STR New]
We have a LAN with a CentOS 5.10 server and a number of diskless workstations
(also running CentOS 5.10 with NFS mounted filesystems). *One* of these
machines intermittently fails to see the printers served by the server.
We are running the stock RHEL/CentOS 5 cups package: cups-1.3.7-30.el5_9.3.
I have tried everything I can think of. I even changed the IP address of the
problem machine, which 'fixed' it temporarily, but it is broken again.
The only other difference is in the error_log files. The working system
contains this:
D [18/Dec/2013:15:44:18 -0500] Report: clients=0
D [18/Dec/2013:15:44:18 -0500] Report: jobs=0
D [18/Dec/2013:15:44:18 -0500] Report: jobs-active=0
D [18/Dec/2013:15:44:18 -0500] Report: printers=5
D [18/Dec/2013:15:44:18 -0500] Report: printers-implicit=1
D [18/Dec/2013:15:44:18 -0500] Report: stringpool-string-count=842
D [18/Dec/2013:15:44:18 -0500] Report: stringpool-alloc-bytes=6888
D [18/Dec/2013:15:44:18 -0500] Report: stringpool-total-bytes=19376
D [18/Dec/2013:15:44:19 -0500] cupsdNetIFUpdate: "lo" = localhost...
D [18/Dec/2013:15:44:19 -0500] cupsdNetIFUpdate: "eth0" = clearwater.wendellfreelibrary.org...
D [18/Dec/2013:15:44:19 -0500] cupsdNetIFUpdate: "eth0:1" = 10.163.1.10...
D [18/Dec/2013:15:44:19 -0500] cupsdNetIFUpdate: "lo" = localhost...
D [18/Dec/2013:15:44:19 -0500] cupsdNetIFUpdate: "eth0" = fe80::240:caff:fe8b:7846%eth0...
and the non-working machine contains this instead:
D [18/Dec/2013:14:47:50 -0500] cupsdReadClient: 9 POST / HTTP/1.1
D [18/Dec/2013:14:47:50 -0500] cupsdAuthorize: No authentication data provided.
D [18/Dec/2013:14:47:50 -0500] CUPS-Get-Printers
D [18/Dec/2013:14:47:50 -0500] CUPS-Get-Printers client-error-not-found: No destinations added.
D [18/Dec/2013:14:47:50 -0500] cupsdProcessIPPRequest: 9 status_code=406 (client-error-not-found)
D [18/Dec/2013:14:47:50 -0500] cupsdReadClient: 9 POST / HTTP/1.1
D [18/Dec/2013:14:47:50 -0500] cupsdAuthorize: No authentication data provided.
D [18/Dec/2013:14:47:50 -0500] Get-Jobs ipp://localhost/
D [18/Dec/2013:14:47:50 -0500] cupsdProcessIPPRequest: 9 status_code=0 (successful-ok)
D [18/Dec/2013:14:47:50 -0500] cupsdCloseClient: 9
What is going wrong? Why should two *identical* machines behave differently?
They are in fact the same make and model of machine! -- the only difference
is a different MAC address and a different IP address! They are running
exactly the same software, on the same hardware, with the same configuration
files!
This *used* to work and only started happening since the update to CentOS
5.10, so I'm *guessing* it is one of these patches that is causing
problems:
* Mon Feb 25 2013 Tim Waugh <twaugh at redhat.com> 1:1.3.7-30:.3
- Fix for CVE-2012-5519 patch: handle blacklisted lines that have no
value part gracefully.
* Fri Feb 15 2013 Tim Waugh <twaugh at redhat.com> 1:1.3.7-30:.2
- Added documentation for new CVE-2012-5519 option.
* Thu Feb 07 2013 Tim Waugh <twaugh at redhat.com> 1:1.3.7-30:.1
- Applied patch to fix CVE-2012-5519 (privilege escalation for users
in SystemGroup or with equivalent polkit permission). This prevents
HTTP PUT requests with paths under /admin/conf/ other than that for
cupsd.conf, and also prevents such requests altering certain
configuration directives such as PageLog and FileDevice (bug #875898).
This is /etc/cups/cupsd.conf file on the server:
LogLevel debug2
SystemGroup sys root admin
# Allow remote access
Port 631
Listen /var/run/cups/cups.sock
# Enable printer sharing and shared printers.
Browsing On
BrowseOrder allow,deny
# (Change '@LOCAL' to 'ALL' if using directed broadcasts from another subnet.)
BrowseAllow @LOCAL
BrowseAddress @LOCAL
DefaultAuthType Basic
<Location />
# Allow shared printing and remote administration...
Order allow,deny
Allow all
</Location>
<Location /admin>
Allow from localhost
Allow from 192.168.1.28
Allow from 192.168.1.29
Allow from 192.168.1.5
# Allow remote administration...
Order allow,deny
Allow all
</Location>
<Location /admin/conf>
AuthType Basic
Require user @SYSTEM
Allow localhost
# Allow remote access to the configuration files...
Order allow,deny
Allow all
</Location>
<Policy default>
<Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job>
Require user @OWNER @SYSTEM
Order deny,allow
</Limit>
<Limit Pause-Printer Resume-Printer Set-Printer-Attributes Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Add-Printer CUPS-Delete-Printer CUPS-Add-Class CUPS-Delete-Class CUPS-Accept-Jobs CUPS-Reject-Jobs CUPS-Set-Default>
AuthType Basic
Require user @SYSTEM
Order deny,allow
</Limit>
<Limit CUPS-Authenticate-Job>
Require user @OWNER @SYSTEM
Order deny,allow
</Limit>
<Limit All>
Order deny,allow
</Limit>
</Policy>
And /etc/cups/printers.conf on the server:
# Printer configuration file for CUPS v1.3.7
# Written by cupsd on 2012-07-24 16:47
<DefaultPrinter BlackandWhiteLaserjet>
Info This is the black and white laser jet
Location printer table
DeviceURI socket://192.168.1.246:9100
State Idle
StateTime 1340134037
Accepting Yes
Shared Yes
JobSheets none none
QuotaPeriod 0
PageLimit 0
KLimit 0
OpPolicy default
ErrorPolicy retry-job
</Printer>
<Printer Officejet_Color>
Info Officejet_Color
Location Printer Area
DeviceURI socket://192.168.1.253
State Idle
StateTime 1343162613
Accepting Yes
Shared Yes
JobSheets none none
QuotaPeriod 0
PageLimit 0
KLimit 0
OpPolicy default
ErrorPolicy retry-job
</Printer>
And /etc/cups/cupsd.conf on the client workstations (all are the same -- it
is on an NFS mounted root file system):
#
# "$Id: cupsd.conf.in 7199 2008-01-08 00:16:30Z mike $"
#
# Sample configuration file for the Common UNIX Printing System (CUPS)
# scheduler. See "man cupsd.conf" for a complete description of this
# file.
#
MaxLogSize 2000000000
# Log general information in error_log - change "info" to "debug" for
# troubleshooting...
LogLevel debug
# Administrator user group...
SystemGroup sys root
# Allow remote access
Port 631
Listen /var/run/cups/cups.sock
# Only listen for connections from the local machine.
#Listen localhost:631
#Listen /var/run/cups/cups.sock
# Show shared printers on the local network.
Browsing On
BrowseOrder allow,deny
# (Change '@LOCAL' to 'ALL' if using directed broadcasts from another subnet.)
BrowseAllow @LOCAL
BrowseAllow 192.168.1.28
BrowseAllow 192.168.1.29
BrowseAllow 192.168.1.5
BrowseAllow 192.168.1.254
BrowseAllow 10.163.1
BrowseAddress @LOCAL
# Default authentication type, when authentication is required...
DefaultAuthType Basic
# Restrict access to the server...
<Location />
Order allow,deny
Allow all
</Location>
# Restrict access to the admin pages...
<Location /admin>
Order allow,deny
Allow localhost
</Location>
# Restrict access to configuration files...
<Location /admin/conf>
AuthType Default
Require user @SYSTEM
Order allow,deny
</Location>
# Set the default printer/job policies...
<Policy default>
# Job-related operations must be done by the owner or an administrator...
<Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job>
Require user @OWNER @SYSTEM
Order deny,allow
</Limit>
# All administration operations require an administrator to authenticate...
<Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
AuthType Default
Require user @SYSTEM
Order deny,allow
</Limit>
# All printer operations require a printer operator to authenticate...
<Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Accept-Jobs CUPS-Reject-Jobs>
AuthType Default
Require user @SYSTEM
Order deny,allow
</Limit>
# Only the owner or an administrator can cancel or authenticate a job...
<Limit Cancel-Job CUPS-Authenticate-Job>
Require user @OWNER @SYSTEM
Order deny,allow
</Limit>
<Limit All>
Order deny,allow
</Limit>
</Policy>
#
# End of "$Id: cupsd.conf.in 7199 2008-01-08 00:16:30Z mike $".
#
Link: https://www.cups.org/str.php?L4320
Version: 1.3.8
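
Added example (not part of the original report and not CUPS code): a Python check of the host ACLs in the server's <Location /admin> and <Location /admin/conf> blocks quoted above, where "Order allow,deny" is followed by "Allow all". SERVER_CONF is a constructed, abridged copy of those blocks, parse_locations and audit_admin are hypothetical helper names, and only explicit Order/Allow/Deny lines are evaluated.

```python
import re
# Constructed sample: abridged from the server cupsd.conf quoted in the report.
SERVER_CONF = """\
<Location /admin>
Allow from localhost
Allow from 192.168.1.28
Order allow,deny
Allow all
</Location>
<Location /admin/conf>
AuthType Basic
Require user @SYSTEM
Allow localhost
Order allow,deny
Allow all
</Location>
"""

def parse_locations(text):
    """Collect the directives of each <Location path> block, keyed by path."""
    blocks, cur = {}, None
    for line in (l.strip() for l in text.splitlines()):
        opened = re.fullmatch(r"<Location\s+(\S+)>", line, re.I)
        if opened:
            cur = blocks.setdefault(opened.group(1), {"allow": [], "deny": []})
        elif line.lower() == "</location>":
            cur = None
        elif cur is not None and line and not line.startswith("#"):
            key, _, value = line.lower().partition(" ")
            if key in ("allow", "deny"):  # "Allow from x" and "Allow x" are equivalent
                cur[key].append(re.sub(r"^from\s+", "", value.strip()))
            else:
                cur[key] = value.strip()
    return blocks

def audit_admin(text):
    """Map each /admin* location open to any host to (ignored_hosts, auth_required)."""
    findings = {}
    for path, b in parse_locations(text).items():
        if path != "/admin" and not path.startswith("/admin/"):
            continue
        order = b.get("order", "").replace(" ", "")
        # allow,deny: denied by default. deny,allow: allowed by default. No Order: skipped.
        open_all = {"allow,deny": "all" in b["allow"] and not b["deny"],
                    "deny,allow": not b["deny"] or "all" in b["allow"]}.get(order, False)
        if open_all:
            ignored = [h for h in b["allow"] if h != "all"]
            findings[path] = (ignored, "authtype" in b or "require" in b)
    return findings
```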