LinuxQuestions.org
Page 1 of 2 1 2
Show 50 post(s) from this thread on one page

LinuxQuestions.org (/questions/)
-   Linux - Networking (https://www.linuxquestions.org/questions/linux-networking-3/)
-   -   Saned denies access (https://www.linuxquestions.org/questions/linux-networking-3/saned-denies-access-4175625064/)

burkina76 03-06-2018 10:52 AM
Saned denies access
 
Hi,

I followed the instructions in this tutorial

https://help.ubuntu.com/community/Sa...ane.d+tutorial

to set up a network scanner.

Everything should be set as needed. However, when I open xsane on a client PC (I tried more than one client, with the same result), the host saned denies access:

Code:

Feb 6 14:29:56 xxxxxxx systemd[1]: Started Scanner Service (xxx.xxx.xx.xxx:46488).
Feb 6 14:29:56 xxxxxxx saned[5122]: saned (AF-indep+IPv6) from sane-backends 1.0.26git starting up
Feb 6 14:29:56 xxxxxxx saned[5122]: check_host: access by remote host: localhost
Feb 6 14:29:56 xxxxxxx saned[5122]: init: access by host localhost denied
Feb 6 14:29:56 xxxxxxx saned[5122]: saned exiting

I'm puzzled here by the fact that the access request comes from 'localhost' instead of the client IP/name. If I indeed include localhost in the allowed IPs, the log changes into:

Code:

check_host: access by remote host: localhost
init: bad status=22 or procnum=6350304

I tried several things (add saned to lp and saned groups, modify saned@.service, define permission rules for saned), but nothing changes. Of course, the scanner works locally on the host. If, however, I add localhost both in saned.conf and in net.conf, I can connect to the scanner only locally, no second 'localhost' copy is detected by xsane (as mentioned in the tutorial for troubleshooting).

Do you have any idea?

Thanks,
Stefano

ferrari 03-07-2018 07:03 PM
A more definitive picture is required for anyone who might want to assist here....

1. Which Ubuntu version?

2. Server end -
a)Could you confirm your configuration on the server?
Code:
cat /etc/sane.d/saned.conf
b) What is reported by the following?
Code:
sudo systemctl status saned.socket
3. Client end - Is the networked scanner reported (as expected)?
Code:
scanimage -L
Also see if this bug report post is relevant perhaps.

burkina76 03-08-2018 01:13 AM
Hi, thanks for your reply. I tried to follow the bug post you mentioned before posting here, with no success. I will have another look at it.

1) Server: Ubuntu 16.04.4 LTS - Clients: same OS or other

2)

a)
Code:
# saned.conf
# Configuration for the saned daemon

## Daemon options
# Port range for the data connection. Choose a range inside [1024 - 65535].
# Avoid specifying too large a range, for performance reasons.
#
# ONLY use this if your saned server is sitting behind a firewall. If your
# firewall is a Linux machine, we strongly recommend using the
# Netfilter nf_conntrack_sane connection tracking module instead.
#
# data_portrange = 10000 - 10100


## Access list
# A list of host names, IP addresses or IP subnets (CIDR notation) that
# are permitted to use local SANE devices. IPv6 addresses must be enclosed
# in brackets, and should always be specified in their compressed form.
#
# The hostname matching is not case-sensitive.
192.168.38.6
192.168.37.67
192.168.38.167
#localhost


#scan-client.somedomain.firm
#192.168.0.1
#192.168.0.1/29
#[2001:db8:185e::42:12]
#[2001:db8:185e::42:12]/64

# NOTE: /etc/inetd.conf (or /etc/xinetd.conf) and
# /etc/services must also be properly configured to start
# the saned daemon as documented in saned(8), services(4)
# and inetd.conf(4) (or xinetd.conf(5)).
b)
Code:
● saned.socket - saned incoming socket
  Loaded: loaded (/etc/systemd/system/saned.socket; enabled; vendor preset: enabled)
  Active: active (listening) since Thu 2018-02-22 10:47:08 CET; 1 weeks 6 days ago
  Listen: [::]:6566 (Stream)
 Accepted: 3; Connected: 0

Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.

3)
Code:
No scanners were identified. If you were expecting something different,
check that the scanner is plugged in, turned on and detected by the
sane-find-scanner tool (if appropriate). Please read the documentation
which came with this software (README, FAQ, manpages).

ferrari 03-08-2018 02:11 AM
I meant to ask you about the scanner model being shared. I've read of an issue with sharing HPLIP (hpaio) supported scanners.

https://bbs.archlinux.org/viewtopic.php?id=228071
https://bugs.launchpad.net/hplip/+bug/1268185
https://bugs.launchpad.net/hplip/+bug/1550744

Discard this post if this is not the case of course.

burkina76 03-08-2018 02:14 AM
The scanner is a CanoScan Lide 120, which, of course, works perfectly on the server:

Code:
found USB scanner (vendor=0x04a9 [Canon], product=0x190e [CanoScan], chip=GL848+) at libusb:001:005
Stefano

ferrari 03-08-2018 03:01 AM
Hmmm...the server logging is similar to that described in this Debian bug report. This was found to be due to a configuration issue in /lib/systemd/system/saned\@.service, but I wouldn't expect this to be an issue in Ubuntu 16.04.4 LTS (with sane-backends 1.0.26git). In any case /etc/systemd/system/saned@.service should override it. When you created /etc/systemd/system/saned@.service, did you also do the following afterwards?
Code:
sudo systemctl daemon-reload

burkina76 03-08-2018 03:10 AM
I already tried that, but nothing changes if I modify the entry in etc/systemd/system/saned@.service from 'socket' to 'null' (and viceversa), restarting the daemon each time (sudo systemctl daemon-reload):

Code:
[Unit]
Description=Scanner Service
Requires=saned.socket

[Service]
ExecStart=/usr/sbin/saned
User=saned
Group=saned
StandardInput=socket
#StandardInput=null

StandardOutput=syslog
StandardError=syslog

Environment=SANE_CONFIG_DIR=/etc/sane.d
# Environment=SANE_CONFIG_DIR=/etc/sane.d SANE_DEBUG_DLL=255

[Install]
Also=saned.socket

ferrari 03-08-2018 03:32 AM
I note that /etc/systemd/system/saned@.service starts saned as User=saned, Group=saned. After reading this RH bug report I wonder if a udev rule is also needed so that the saned user has the required access to the scanner. (I suppose the 'lp' group could have been in the service unit instead to match the existing udev rules for local scanner devices.) Just a thought.

burkina76 03-08-2018 03:39 AM
Already have the udev rule, created in /usr/lib/udev/rules.d/70-saned.rules, as explained in that bug report, but it didn't work...

ferrari 03-08-2018 03:57 AM
I still feel that this is a permissions problem. What does the following return on the server?
Code:
groups saned
Reference:
https://wiki.debian.org/SaneOverNetw..._Configuration

Also...
Quote:
Test if the server can reach its own saned on localhost

Instead of using the scanner directly, try and access it via the localhost interface. If this doesn't work, it won't work across the network. Due to a bug in udev, it may be necessary to add the saned user to the lp group with this command:

sudo usermod -a -G lp saned

and restart the saned service.
https://help.ubuntu.com/community/Sa...d_on_localhost

burkina76 03-08-2018 04:00 AM
Code:
saned : saned root lp scanner
And yes, the server can access the scanner via localhost (two copies of the scanner are present in this case).
I feel that the problem may be in the fact that the request for access comes from 'localhost' instead of the IP of the client machine, as shown by the log in my first post. This doesn't seem to me logic, but I may be wrong.

ferrari 03-10-2018 03:03 AM
I finally found time to set up remote scanning today, and now have it working. I haven't been able to replicate the issue you're having here. I'm using sane-backends 1.0.27 (openSUSE Leap 42.3), and found from reading 'man saned' that I needed to use /etc/systemd/system/sane@.service like this....

Code:
[Unit]
Description=Scanner Service
Requires=saned.socket

[Service]
ExecStart=/usr/sbin/saned
User=saned
Group=lp
StandardInput=socket
Environment=SANE_CONFIG_DIR=/etc/sane.d
# If you need to debug your configuration uncomment the next line and
#  change it as appropriate to set the desired debug options
# Environment=SANE_DEBUG_DLL=255 SANE_DEBUG_BJNP=5

[Install]
Also=saned.socket
*The 'saned' group doesn't exist in this distro and the 'lp' group makes better sense (for local scanners) anyway. I also had to use 'StandardInput=socket' as I don't appear to have saned compiled with systemd support.

I can trigger saned on the host with telnet...
Code:
telnet 192.168.1.12 6566
Trying 192.168.1.12...
Connected to 192.168.1.12.
Escape character is '^]'.
The open port can be verified from the client...
Code:
# nmap -p 6566 192.168.1.12

Starting Nmap 6.47 ( http://nmap.org ) at 2018-03-10 21:55 NZDT
Nmap scan report for linux-54cw (192.168.1.12)
Host is up (0.11s latency).
PORT    STATE SERVICE
6566/tcp open  sane-port
MAC Address: 20:68:9D:8B:3C:2E (Liteon Technology)

Nmap done: 1 IP address (1 host up) scanned in 0.50 seconds
and I can scan remotely using
Code:
xsane net:192.168.1.12
The host logging looks like this...
Code:
Mar 10 21:14:00 linux-54cw saned[3681]: saned (AF-indep+IPv6) from sane-backends 1.0.27 starting up
Mar 10 21:14:00 linux-54cw saned[3681]: check_host: access by remote host: ::ffff:192.168.1.8
Mar 10 21:14:00 linux-54cw saned[3681]: init: access granted to dean@::ffff:192.168.1.8

burkina76 03-10-2018 10:39 AM
Thank you so much for trying to solve this. The 'funny' thing is that I also made it work some time ago on my older PC, and it worked immediately with no issues...

So, I double-checked what you did.

The only difference between your configuration file and mine was the 'lp' group: I changed that, restarted the daemon, but still no success.

This is what I get with telnet:

Code:
Trying 192.168.37.139...
Connected to 192.168.37.139.
Escape character is '^]'.
Connection closed by foreign host.
This is what I get from the client:
Code:
nmap -p 6566 192.168.37.139

Starting Nmap 7.40 ( https://nmap.org ) at 2018-03-10 17:35 CET
Nmap scan report for 192.168.37.139
Host is up (0.00056s latency).
PORT    STATE SERVICE
6566/tcp open  sane-port

Nmap done: 1 IP address (1 host up) scanned in 0.13 seconds
But, when I try

Code:
xsane net:192.168.37.139
I get: "Failed to open device `net:192.68.37.139' Error during device I/O"

and the host log is the same I posted in my first post:

Code:
Mar 10 17:30:04 zelenka saned[12166]: check_host: access by remote host: localhost
Mar 10 17:30:04 zelenka saned[12166]: init: access by host localhost denied
Mar 10 17:30:04 zelenka saned[12166]: saned exiting

ferrari 03-10-2018 03:32 PM
It is apparent that saned.socket is working ok at least. I think the communication between saned and the input stream is where the problem lies, and the symptoms (localhost reported) do match that outlined in the Debian bug report. I'm not certain that your saned (from sane-backends) is compiled with systemd support.

All that you need to configure this service is described in
Code:
man saned

ferrari 03-10-2018 04:50 PM
A bit more testing....if I attempt to use 'StandardInput=null' in saned@.service, and
Code:
systemctl deamon-reload
then from the client I do
Code:
telnet 192.168.1.12 6566
and get
Code:
Trying 192.168.1.12...
Connected to 192.168.1.12.
Escape character is '^]'.
Connection closed by foreign host.
while the following is then reported on the saned host
Code:
Mar 11 11:36:19 linux-54cw saned[3347]: saned (AF-indep+IPv6) from sane-backends 1.0.27 starting up
Mar 11 11:36:19 linux-54cw saned[3347]: check_host: access by remote host: localhost
Mar 11 11:36:19 linux-54cw saned[3347]: init: bad status=22 or procnum=0
Mar 11 11:36:19 linux-54cw saned[3347]: saned exiting
I've reverted back to 'StandardInput=socket' and it behaves as expected again
Code:
Mar 11 11:48:38 linux-54cw systemd[1]: Started Scanner Service (192.168.1.8:52372).
Mar 11 11:48:38 linux-54cw saned[3917]: saned (AF-indep+IPv6) from sane-backends 1.0.27 starting up
Mar 11 11:48:38 linux-54cw saned[3917]: check_host: access by remote host: ::ffff:192.168.1.8
Mar 11 11:48:38 linux-54cw saned[3917]: init: access granted to dean@::ffff:192.168.1.8


All times are GMT -5. The time now is 06:00 AM.
Page 1 of 2 1 2
Show 50 post(s) from this thread on one page