can't access CUPS web interface from local network

Asked by Wladston Viana on 2007-06-08

I have installed Ubuntu Feisty on a video-card-less server.

There is a printer attached to it, so I installed cups as it says on http://doc.ubuntu.com/ubuntu/serverguide/C/cups.html

I have added the "Listen" lines directly on the cupsd.conf line, because a etc/cups/cups.d/ports.conf file didn't exist. Then I restarted the cupsd service.

But I can't access the cups web interface from http://192.168.0.100:631/ . And there are strange erros, as if the Listen line wansn't being accepted!!
----
wladston@jangada:~$ sudo cat /var/log/cups/error_log
E [08/Jun/2007:10:47:05 -0300] Hostname lookup for "192.168.0.*" failed!
E [08/Jun/2007:10:47:05 -0300] Bad Listen address 192.168.0.*:631 at line 17.
E [08/Jun/2007:10:52:44 -0300] Hostname lookup for "192.168.0.*" failed!
E [08/Jun/2007:10:52:44 -0300] Bad Listen address 192.168.0.*:631 at line 17.
E [08/Jun/2007:11:03:50 -0300] Unable to bind socket for address 192.168.0.10:631 - Cannot assign requested address.
E [08/Jun/2007:11:04:33 -0300] Hostname lookup for "192.168.0.*" failed!
E [08/Jun/2007:11:04:33 -0300] Bad Listen address 192.168.0.*:631 at line 17.
---

Here is my cupsd.conf file :

#
#
# Sample configuration file for the Common UNIX Printing System (CUPS)
# scheduler. See "man cupsd.conf" for a complete description of this
# file.
#

# Log general information in error_log - change "info" to "debug" for
# troubleshooting...
LogLevel warning

# Administrator user group...
SystemGroup lpadmin

# Only listen for connections from the local machine.
Listen localhost:631
Listen 192.168.0.*:631
Listen /var/run/cups/cups.sock

# Show shared printers on the local network.
Browsing Off
BrowseOrder allow,deny
BrowseAllow @LOCAL
BrowseAddress @LOCAL

# Default authentication type, when authentication is required...
DefaultAuthType Basic

# Restrict access to the server...
<Location />
  Order allow,deny
  Allow localhost
  Allow @LOCAL
</Location>

# Restrict access to the admin pages...
<Location /admin>
  Order allow,deny
  Allow localhost
  Allow @LOCAL
</Location>

# Restrict access to configuration files...
<Location /admin/conf>
  AuthType Basic
  Require user @SYSTEM
  Order allow,deny
  Allow localhost
  Allow @LOCAL
</Location>

# Set the default printer/job policies...
<Policy default>
  # Job-related operations must be done by the owner or an adminstrator...
  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job>
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>

  # All administration operations require an adminstrator to authenticate...
  <Limit Pause-Printer Resume-Printer Set-Printer-Attributes Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Add-Printer CUPS-Delete-Printer CUPS-Add-Class CUPS-Delete-Class CUPS-Accept-Jobs CUPS-Reject-Jobs CUPS-Set-Default>
    AuthType Basic
    Require user @SYSTEM
    Order deny,allow
  </Limit>

  # Only the owner or an administrator can cancel or authenticate a job...
  <Limit Cancel-Job CUPS-Authenticate-Job>
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>

  <Limit All>
    Order deny,allow
  </Limit>
</Policy>

#
#

#
# Printcap: the name of the printcap file. Default is /etc/printcap.
# Leave blank to disable printcap file generation.
#

Printcap /var/run/cups/printcap

#
# PrintcapFormat: the format of the printcap file, currently either
# BSD or Solaris. The default is "BSD".
#

#PrintcapFormat BSD
#PrintcapFormat Solaris

#
# PrintcapGUI: the name of the GUI options panel program to associate
# with print queues under IRIX. The default is "/usr/bin/glpoptions"
# from ESP Print Pro.
#
# This option is only used under IRIX; the options panel program
# must accept the "-d printer" and "-o options" options and write
# the selected printer options back to stdout on completion.
#

#PrintcapGUI /usr/bin/glpoptions

Question information

Language:
English Edit question
Status:
Solved
For:
Ubuntu cupsys Edit question
Assignee:
No assignee Edit question
Solved by:
Áron Sisak
Solved:
2007-06-11
Last query:
2007-06-11
Last reply:
2007-06-09

You must modify the Allow lines

Example:

<Location />
  Order allow,deny
  Allow localhost
  Allow 192.168.1.0/255.255.255.0
</Location>

You can see more options with:
man cupsd.conf

Wladston Viana (wladston) said : #2

Antonio,

Thanks for the awnser.

However, it still doesn't work. I have modified both <Location /admin> and <Location />, addinfg exactly what you have suggested.

Don't you think it might be related to the errors at /var/log/cups/error_log ?

Also, why can't I use Allow @LOCAL ?

According to the man :
       Allow @LOCAL
            Allows access from the named hosts or addresses.

Thanks VERY much for the attention!

Sorry, I didn't see the log.
Well, yoy can use :

Listen 192.168.1.1:631

for listen on the interface with this IP

OR

Listen *:631

for listen on all interfaces:

In the help of cups, you can see:

Listen ip-address:port
Listen *:port
Listen /path/to/domain/socket
    Listens to the specified address and port or domain socket path.
---------------
E [08/Jun/2007:10:47:05 -0300] Hostname lookup for "192.168.0.*" failed!
E [08/Jun/2007:10:47:05 -0300] Bad Listen address 192.168.0.*:631 at line 17.

Cups is checking the name of HOT "192.168.0.*", and obviously, it don't exist.
-------------
The man say:
@LOCAL ... yes, it's for accept connections from all your network interfaces.

Wladston Viana (wladston) said : #4

I tried Listen 192.168.0.100 (my desktop's ip) and now I have that everytime I restart the deamon :
E [08/Jun/2007:14:26:12 -0300] Unable to bind socket for address 192.168.0.10:631 - Cannot assign requested address.

When I try with Listen *:613, I get this error :
E [08/Jun/2007:14:28:22 -0300] Unable to open listen socket for address :::631 - Address family not supported by protocol.

And in both cases, the web interface is still down.

(I'm back using @LOCAL for the Allow lines.)

Could you paste your cupsd.conf again?

And, the output of this command:

ps -A | grep cups

Wladston Viana (wladston) said : #6

Sure!! Here you go :

wladston@jangada:~$ cat /etc/cups/cupsd.conf
#
#
# Sample configuration file for the Common UNIX Printing System (CUPS)
# scheduler. See "man cupsd.conf" for a complete description of this
# file.
#

# Log general information in error_log - change "info" to "debug" for
# troubleshooting...
LogLevel warning

# Administrator user group...
SystemGroup lpadmin

# Only listen for connections from the local machine.
#Listen 127.0.0.1:631
#Listen 192.168.0.10:631
Listen *:631
Listen /var/run/cups/cups.sock

# Show shared printers on the local network.
Browsing Off
BrowseOrder allow,deny
BrowseAllow @LOCAL
BrowseAddress @LOCAL

# Default authentication type, when authentication is required...
DefaultAuthType Basic

# Restrict access to the server...
<Location />
  Order allow,deny
  Allow localhost
  Allow @LOCAL
# Allow 192.168.1.0/255.255.255.0
</Location>

# Restrict access to the admin pages...
<Location /admin>
  Order allow,deny
  Allow localhost
  Allow @LOCAL
 # Allow 192.168.1.0/255.255.255.0
</Location>

# Restrict access to configuration files...
<Location /admin/conf>
  AuthType Basic
  Require user @SYSTEM
  Order allow,deny
  Allow localhost
  Allow @LOCAL
</Location>

# Set the default printer/job policies...
<Policy default>
  # Job-related operations must be done by the owner or an adminstrator...
  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job>
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>

  # All administration operations require an adminstrator to authenticate...
  <Limit Pause-Printer Resume-Printer Set-Printer-Attributes Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Add-Printer CUPS-Delete-Printer CUPS-Add-Class CUPS-Delete-Class CUPS-Accept-Jobs CUPS-Reject-Jobs CUPS-Set-Default>
    AuthType Basic
    Require user @SYSTEM
    Order deny,allow
  </Limit>

  # Only the owner or an administrator can cancel or authenticate a job...
  <Limit Cancel-Job CUPS-Authenticate-Job>
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>

  <Limit All>
    Order deny,allow
  </Limit>
</Policy>

#
#

#
# Printcap: the name of the printcap file. Default is /etc/printcap.
# Leave blank to disable printcap file generation.
#

Printcap /var/run/cups/printcap

#
# PrintcapFormat: the format of the printcap file, currently either
# BSD or Solaris. The default is "BSD".
#

#PrintcapFormat BSD
#PrintcapFormat Solaris

#
# PrintcapGUI: the name of the GUI options panel program to associate
# with print queues under IRIX. The default is "/usr/bin/glpoptions"
# from ESP Print Pro.
#
# This option is only used under IRIX; the options panel program
# must accept the "-d printer" and "-o options" options and write
# the selected printer options back to stdout on completion.
#

#PrintcapGUI /usr/bin/glpoptions

wladston@jangada:~$ ps -A | grep cups
 2495 ? 00:00:00 cupsd
wladston@jangada:~$

Well, you have a cups running, then, you can't reuse this port.
You must to kill it:

sudo killall cupsd

Then, check again.

Wladston Viana (wladston) said : #8

Still having the same issue :

wladston@jangada:~$ sudo killall cupsd
wladston@jangada:~$ ps -A | grep cups
wladston@jangada:~$ sudo /etc/init.d/cupsys start
 * Starting Common Unix Printing System: cupsd [ OK ]
wladston@jangada:~$ sudo cat /var/log/cups/error_log
[...]
E [08/Jun/2007:14:54:36 -0300] Unable to open listen socket for address :::631 - Address family not supported by protocol.
wladston@jangada:~$

Wladston Viana (wladston) said : #9

OPS!! no no ... now it's working, despite the error message!!

Can you reboot the system?

it isn't a good solution, but, it can liberate the 631 port.

It's very rare.

Wladston Viana (wladston) said : #11

Antonio,

I have tested now,

It's working using the
Listen *:613

But, if I use anything else, or any other Listen command, it won't work anymore ...

Any clues ?

I'll reboot the system now.

Wladston Viana (wladston) said : #12

Rebooted and tested again.

Using Listen 192.168.10:631, it won't work

Using Listen *:631, it works

I think it isn't a good idea to have cups deamon listeing anyone even on the internet ...

Any ideas what could be causing the problem ?

I keep getting the errors :
E [08/Jun/2007:15:11:10 -0300] Unable to open listen socket for address :::631 - Address family not supported by protocol.
E [08/Jun/2007:15:12:29 -0300] Unable to bind socket for address 192.168.0.10:631 - Cannot assign requested address.
E [08/Jun/2007:15:13:04 -0300] Unable to open listen socket for address :::631 - Address family not supported by protocol.

I have a successful configuration file with this:

Listen localhost:631
Listen 192.168.0.10
Listen /var/run/cups/cups.sock

As you can watch, I use more ip hosts to specific more ip listening.
You can see with:
 netstat -nl | grep 631
All you ip listening on this port.

Well, if you have a router with NAT (with local networks 192.168.X.X) any person can't access to your system if you don't redirect your 631 port on your router with your Public IP.

Wladston Viana (wladston) said : #15

Antonio,

Yes, that is true .... but ... doesn't that sound like a software bug ?

Not, if it read a port, it try to reserve it, and then, it had been reserve before by other previous line of config. It print this error.
I don't think that it could be a bug.
Besides, you can modify security access on directories.
If this run, ¿could you put this as solved?
Thanks You. If you need to follow speaking about this, contact me. You can see more dates about me on
https://wiki.ubuntu.com/Ant30
https://launchpad.net/~ant30

Wladston Viana (wladston) said : #17

Ok. I tried again, this time, using only one line of the listen command, to ensure that the port hasn't been reserved.

The only listen line I'm using now is
Listen 192.168.0.10:631

After setting this, I've rebooted the system. Result - id din't work.

Considering this fact, do you think it's a sotfware bug ?

I think I'm fine using this current setup, but if there is a software bug, we need to spot it ! :)

Thanks for all the help, and thanks for caring about the problem!

Wladston Viana (wladston) said : #18

Just another update - have searched the internet for my specific error message, and found no solution.

Use this:

Listen localhost:631
Listen 192.168.0.10

Pay Attention to second Listen (it haven't got other port specific)
If this don't run, then we put as bug.

Áron Sisak (asisak) said : #20

Okay, sorry for one more question to clear up things: is 192.168.0.10 is the IP of your print server and 192.168.0.100 of your desktop machine?

Listen localhost:631
Listen 192.168.1.10:631

should work in this case.

Áron Sisak (asisak) said : #21

Sorry, "Listen 192.168.0.10:631" is the second listen line, of course.

Wladston Viana (wladston) said : #22

My IP is 192.168.0.10; My server is 192.168.0.100

Test # 1 :
Listen localhost:631
Listen 192.168.0.10:631

Error :
E [09/Jun/2007:11:02:46 -0300] Unable to bind socket for address 192.168.0.10:631 - Cannot assign requested address.

The admin page didn't open

----

Test # 2
Listen localhost:631
Listen 192.168.0.10

Error : (omiting the port didn't make a difference)
E [09/Jun/2007:11:07:05 -0300] Unable to bind socket for address 192.168.0.10:631 - Cannot assign requested address.

The admin page didn't open

----

Test # 3
Listen *:631

Error : E [09/Jun/2007:11:09:13 -0300] Unable to open listen socket for address :::631 - Address family not supported by protocol.

The admin page works

----

Really look like a bug....

I have checked, no other service uses port 631. I'm able to open a connection between two consoles on port 631 using nc and telnet.

Áron Sisak (asisak) said : #23

You should bind to your server's IP. That is

Listen localhost:631
Listen 192.168.0.100:631

Wladston Viana (wladston) said : #24

Aron,

My server has no keyboard/video card. I can only access it trough the network...

Áron Sisak (asisak) said : #25

What is the problem with that? You can ssh and edit the cups config file, cannot you?

Wladston Viana (wladston) said : #26

Yes, this is what I'm doing :)

I just don't see the point of telling the device to listen to itself :)

Wladston Viana (wladston) said : #27

Oh - you mean, to replace

Listen localhost

with

Listen 192.168.0.100 ?

Best Áron Sisak (asisak) said : #28

No. It is that your server listens and accepts requests on its network interfaces. That is in our case localhost and 192.168.0.100.
The latter allows computers in the local network 192.168.0.0/24 to connect to the interface 192.168.0.100, where cupsys listens.
Therefore I would suggest you to try:

Listen localhost:631
Listen 192.168.0.100:631

Wladston Viana (wladston) said : #29

Thanks Áron Sisak, that solved my question.

Wladston Viana (wladston) said : #30

Aron,

Wow!! You got it !! That was the exact problem! :)

I've read the guides at here, http://www.cups.org/doc-1.1/sam.html#Listen, here : https://help.ubuntu.com/6.10/ubuntu/serverguide/C/cups.html, but It never came to my head that the listen was actually to be filled with the IP of the SERVER, not with the IP of the client ...

Well, apart from my ignorace, maybe the guides should be edited to get this clearer for the noobs :)

Tu amigo <email address hidden> te ha enviado el siguiente gadget de Google
con este mensaje:

Ver "bandaancha.eu · Sobre tecnología, banda ancha, operadoras y
telefonía móvil" en mi página principal de Google »