LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices


Reply
  Search this Thread
Old 03-06-2018, 10:52 AM   #1
burkina76
LQ Newbie
 
Registered: Mar 2018
Posts: 21

Rep: Reputation: Disabled
Saned denies access


Hi,

I followed the instructions in this tutorial

https://help.ubuntu.com/community/Sa...ane.d+tutorial

to set up a network scanner.

Everything should be set as needed. However, when I open xsane on a client PC (I tried more than one client, with the same result), the host saned denies access:

Code:

Feb 6 14:29:56 xxxxxxx systemd[1]: Started Scanner Service (xxx.xxx.xx.xxx:46488).
Feb 6 14:29:56 xxxxxxx saned[5122]: saned (AF-indep+IPv6) from sane-backends 1.0.26git starting up
Feb 6 14:29:56 xxxxxxx saned[5122]: check_host: access by remote host: localhost
Feb 6 14:29:56 xxxxxxx saned[5122]: init: access by host localhost denied
Feb 6 14:29:56 xxxxxxx saned[5122]: saned exiting

I'm puzzled here by the fact that the access request comes from 'localhost' instead of the client IP/name. If I indeed include localhost in the allowed IPs, the log changes into:

Code:

check_host: access by remote host: localhost
init: bad status=22 or procnum=6350304

I tried several things (add saned to lp and saned groups, modify saned@.service, define permission rules for saned), but nothing changes. Of course, the scanner works locally on the host. If, however, I add localhost both in saned.conf and in net.conf, I can connect to the scanner only locally, no second 'localhost' copy is detected by xsane (as mentioned in the tutorial for troubleshooting).

Do you have any idea?

Thanks,
Stefano
 
Old 03-07-2018, 07:03 PM   #2
ferrari
LQ Guru
 
Registered: Sep 2003
Location: Auckland, NZ
Distribution: openSUSE Leap
Posts: 5,779

Rep: Reputation: 1139Reputation: 1139Reputation: 1139Reputation: 1139Reputation: 1139Reputation: 1139Reputation: 1139Reputation: 1139Reputation: 1139
A more definitive picture is required for anyone who might want to assist here....

1. Which Ubuntu version?

2. Server end -
a)Could you confirm your configuration on the server?
Code:
cat /etc/sane.d/saned.conf
b) What is reported by the following?
Code:
sudo systemctl status saned.socket
3. Client end - Is the networked scanner reported (as expected)?
Code:
scanimage -L
Also see if this bug report post is relevant perhaps.
 
Old 03-08-2018, 01:13 AM   #3
burkina76
LQ Newbie
 
Registered: Mar 2018
Posts: 21

Original Poster
Rep: Reputation: Disabled
Hi, thanks for your reply. I tried to follow the bug post you mentioned before posting here, with no success. I will have another look at it.

1) Server: Ubuntu 16.04.4 LTS - Clients: same OS or other

2)

a)
Code:
# saned.conf
# Configuration for the saned daemon

## Daemon options
# Port range for the data connection. Choose a range inside [1024 - 65535].
# Avoid specifying too large a range, for performance reasons.
#
# ONLY use this if your saned server is sitting behind a firewall. If your
# firewall is a Linux machine, we strongly recommend using the
# Netfilter nf_conntrack_sane connection tracking module instead.
#
# data_portrange = 10000 - 10100


## Access list
# A list of host names, IP addresses or IP subnets (CIDR notation) that
# are permitted to use local SANE devices. IPv6 addresses must be enclosed
# in brackets, and should always be specified in their compressed form.
#
# The hostname matching is not case-sensitive.
192.168.38.6
192.168.37.67
192.168.38.167
#localhost


#scan-client.somedomain.firm
#192.168.0.1
#192.168.0.1/29
#[2001:db8:185e::42:12]
#[2001:db8:185e::42:12]/64

# NOTE: /etc/inetd.conf (or /etc/xinetd.conf) and
# /etc/services must also be properly configured to start
# the saned daemon as documented in saned(8), services(4)
# and inetd.conf(4) (or xinetd.conf(5)).
b)
Code:
● saned.socket - saned incoming socket
   Loaded: loaded (/etc/systemd/system/saned.socket; enabled; vendor preset: enabled)
   Active: active (listening) since Thu 2018-02-22 10:47:08 CET; 1 weeks 6 days ago
   Listen: [::]:6566 (Stream)
 Accepted: 3; Connected: 0

Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.

3)
Code:
No scanners were identified. If you were expecting something different,
check that the scanner is plugged in, turned on and detected by the
sane-find-scanner tool (if appropriate). Please read the documentation
which came with this software (README, FAQ, manpages).

Last edited by burkina76; 03-08-2018 at 01:15 AM.
 
Old 03-08-2018, 02:11 AM   #4
ferrari
LQ Guru
 
Registered: Sep 2003
Location: Auckland, NZ
Distribution: openSUSE Leap
Posts: 5,779

Rep: Reputation: 1139Reputation: 1139Reputation: 1139Reputation: 1139Reputation: 1139Reputation: 1139Reputation: 1139Reputation: 1139Reputation: 1139
I meant to ask you about the scanner model being shared. I've read of an issue with sharing HPLIP (hpaio) supported scanners.

https://bbs.archlinux.org/viewtopic.php?id=228071
https://bugs.launchpad.net/hplip/+bug/1268185
https://bugs.launchpad.net/hplip/+bug/1550744

Discard this post if this is not the case of course.
 
Old 03-08-2018, 02:14 AM   #5
burkina76
LQ Newbie
 
Registered: Mar 2018
Posts: 21

Original Poster
Rep: Reputation: Disabled
The scanner is a CanoScan Lide 120, which, of course, works perfectly on the server:

Code:
found USB scanner (vendor=0x04a9 [Canon], product=0x190e [CanoScan], chip=GL848+) at libusb:001:005
Stefano
 
Old 03-08-2018, 03:01 AM   #6
ferrari
LQ Guru
 
Registered: Sep 2003
Location: Auckland, NZ
Distribution: openSUSE Leap
Posts: 5,779

Rep: Reputation: 1139Reputation: 1139Reputation: 1139Reputation: 1139Reputation: 1139Reputation: 1139Reputation: 1139Reputation: 1139Reputation: 1139
Hmmm...the server logging is similar to that described in this Debian bug report. This was found to be due to a configuration issue in /lib/systemd/system/saned\@.service, but I wouldn't expect this to be an issue in Ubuntu 16.04.4 LTS (with sane-backends 1.0.26git). In any case /etc/systemd/system/saned@.service should override it. When you created /etc/systemd/system/saned@.service, did you also do the following afterwards?
Code:
sudo systemctl daemon-reload

Last edited by ferrari; 03-08-2018 at 03:02 AM.
 
Old 03-08-2018, 03:10 AM   #7
burkina76
LQ Newbie
 
Registered: Mar 2018
Posts: 21

Original Poster
Rep: Reputation: Disabled
I already tried that, but nothing changes if I modify the entry in etc/systemd/system/saned@.service from 'socket' to 'null' (and viceversa), restarting the daemon each time (sudo systemctl daemon-reload):

Code:
[Unit]
Description=Scanner Service
Requires=saned.socket

[Service]
ExecStart=/usr/sbin/saned
User=saned
Group=saned
StandardInput=socket
#StandardInput=null

StandardOutput=syslog
StandardError=syslog

Environment=SANE_CONFIG_DIR=/etc/sane.d
# Environment=SANE_CONFIG_DIR=/etc/sane.d SANE_DEBUG_DLL=255

[Install]
Also=saned.socket
 
Old 03-08-2018, 03:32 AM   #8
ferrari
LQ Guru
 
Registered: Sep 2003
Location: Auckland, NZ
Distribution: openSUSE Leap
Posts: 5,779

Rep: Reputation: 1139Reputation: 1139Reputation: 1139Reputation: 1139Reputation: 1139Reputation: 1139Reputation: 1139Reputation: 1139Reputation: 1139
I note that /etc/systemd/system/saned@.service starts saned as User=saned, Group=saned. After reading this RH bug report I wonder if a udev rule is also needed so that the saned user has the required access to the scanner. (I suppose the 'lp' group could have been in the service unit instead to match the existing udev rules for local scanner devices.) Just a thought.
 
Old 03-08-2018, 03:39 AM   #9
burkina76
LQ Newbie
 
Registered: Mar 2018
Posts: 21

Original Poster
Rep: Reputation: Disabled
Already have the udev rule, created in /usr/lib/udev/rules.d/70-saned.rules, as explained in that bug report, but it didn't work...
 
Old 03-08-2018, 03:57 AM   #10
ferrari
LQ Guru
 
Registered: Sep 2003
Location: Auckland, NZ
Distribution: openSUSE Leap
Posts: 5,779

Rep: Reputation: 1139Reputation: 1139Reputation: 1139Reputation: 1139Reputation: 1139Reputation: 1139Reputation: 1139Reputation: 1139Reputation: 1139
I still feel that this is a permissions problem. What does the following return on the server?
Code:
groups saned
Reference:
https://wiki.debian.org/SaneOverNetw..._Configuration

Also...
Quote:
Test if the server can reach its own saned on localhost

Instead of using the scanner directly, try and access it via the localhost interface. If this doesn't work, it won't work across the network. Due to a bug in udev, it may be necessary to add the saned user to the lp group with this command:

sudo usermod -a -G lp saned

and restart the saned service.
https://help.ubuntu.com/community/Sa...d_on_localhost
 
Old 03-08-2018, 04:00 AM   #11
burkina76
LQ Newbie
 
Registered: Mar 2018
Posts: 21

Original Poster
Rep: Reputation: Disabled
Code:
saned : saned root lp scanner
And yes, the server can access the scanner via localhost (two copies of the scanner are present in this case).
I feel that the problem may be in the fact that the request for access comes from 'localhost' instead of the IP of the client machine, as shown by the log in my first post. This doesn't seem to me logic, but I may be wrong.
 
Old 03-10-2018, 03:03 AM   #12
ferrari
LQ Guru
 
Registered: Sep 2003
Location: Auckland, NZ
Distribution: openSUSE Leap
Posts: 5,779

Rep: Reputation: 1139Reputation: 1139Reputation: 1139Reputation: 1139Reputation: 1139Reputation: 1139Reputation: 1139Reputation: 1139Reputation: 1139
I finally found time to set up remote scanning today, and now have it working. I haven't been able to replicate the issue you're having here. I'm using sane-backends 1.0.27 (openSUSE Leap 42.3), and found from reading 'man saned' that I needed to use /etc/systemd/system/sane@.service like this....

Code:
[Unit]
Description=Scanner Service
Requires=saned.socket

[Service]
ExecStart=/usr/sbin/saned
User=saned
Group=lp
StandardInput=socket
Environment=SANE_CONFIG_DIR=/etc/sane.d
# If you need to debug your configuration uncomment the next line and
#  change it as appropriate to set the desired debug options
# Environment=SANE_DEBUG_DLL=255 SANE_DEBUG_BJNP=5

[Install]
Also=saned.socket
*The 'saned' group doesn't exist in this distro and the 'lp' group makes better sense (for local scanners) anyway. I also had to use 'StandardInput=socket' as I don't appear to have saned compiled with systemd support.

I can trigger saned on the host with telnet...
Code:
telnet 192.168.1.12 6566
Trying 192.168.1.12...
Connected to 192.168.1.12.
Escape character is '^]'.
The open port can be verified from the client...
Code:
# nmap -p 6566 192.168.1.12

Starting Nmap 6.47 ( http://nmap.org ) at 2018-03-10 21:55 NZDT
Nmap scan report for linux-54cw (192.168.1.12)
Host is up (0.11s latency).
PORT     STATE SERVICE
6566/tcp open  sane-port
MAC Address: 20:68:9D:8B:3C:2E (Liteon Technology)

Nmap done: 1 IP address (1 host up) scanned in 0.50 seconds
and I can scan remotely using
Code:
xsane net:192.168.1.12
The host logging looks like this...
Code:
Mar 10 21:14:00 linux-54cw saned[3681]: saned (AF-indep+IPv6) from sane-backends 1.0.27 starting up
Mar 10 21:14:00 linux-54cw saned[3681]: check_host: access by remote host: ::ffff:192.168.1.8
Mar 10 21:14:00 linux-54cw saned[3681]: init: access granted to dean@::ffff:192.168.1.8
 
Old 03-10-2018, 10:39 AM   #13
burkina76
LQ Newbie
 
Registered: Mar 2018
Posts: 21

Original Poster
Rep: Reputation: Disabled
Thank you so much for trying to solve this. The 'funny' thing is that I also made it work some time ago on my older PC, and it worked immediately with no issues...

So, I double-checked what you did.

The only difference between your configuration file and mine was the 'lp' group: I changed that, restarted the daemon, but still no success.

This is what I get with telnet:

Code:
Trying 192.168.37.139...
Connected to 192.168.37.139.
Escape character is '^]'.
Connection closed by foreign host.
This is what I get from the client:
Code:
nmap -p 6566 192.168.37.139

Starting Nmap 7.40 ( https://nmap.org ) at 2018-03-10 17:35 CET
Nmap scan report for 192.168.37.139
Host is up (0.00056s latency).
PORT     STATE SERVICE
6566/tcp open  sane-port

Nmap done: 1 IP address (1 host up) scanned in 0.13 seconds
But, when I try

Code:
xsane net:192.168.37.139
I get: "Failed to open device `net:192.68.37.139' Error during device I/O"

and the host log is the same I posted in my first post:

Code:
Mar 10 17:30:04 zelenka saned[12166]: check_host: access by remote host: localhost
Mar 10 17:30:04 zelenka saned[12166]: init: access by host localhost denied
Mar 10 17:30:04 zelenka saned[12166]: saned exiting
 
Old 03-10-2018, 03:32 PM   #14
ferrari
LQ Guru
 
Registered: Sep 2003
Location: Auckland, NZ
Distribution: openSUSE Leap
Posts: 5,779

Rep: Reputation: 1139Reputation: 1139Reputation: 1139Reputation: 1139Reputation: 1139Reputation: 1139Reputation: 1139Reputation: 1139Reputation: 1139
It is apparent that saned.socket is working ok at least. I think the communication between saned and the input stream is where the problem lies, and the symptoms (localhost reported) do match that outlined in the Debian bug report. I'm not certain that your saned (from sane-backends) is compiled with systemd support.

All that you need to configure this service is described in
Code:
man saned
 
Old 03-10-2018, 04:50 PM   #15
ferrari
LQ Guru
 
Registered: Sep 2003
Location: Auckland, NZ
Distribution: openSUSE Leap
Posts: 5,779

Rep: Reputation: 1139Reputation: 1139Reputation: 1139Reputation: 1139Reputation: 1139Reputation: 1139Reputation: 1139Reputation: 1139Reputation: 1139
A bit more testing....if I attempt to use 'StandardInput=null' in saned@.service, and
Code:
systemctl deamon-reload
then from the client I do
Code:
telnet 192.168.1.12 6566
and get
Code:
Trying 192.168.1.12...
Connected to 192.168.1.12.
Escape character is '^]'.
Connection closed by foreign host.
while the following is then reported on the saned host
Code:
Mar 11 11:36:19 linux-54cw saned[3347]: saned (AF-indep+IPv6) from sane-backends 1.0.27 starting up
Mar 11 11:36:19 linux-54cw saned[3347]: check_host: access by remote host: localhost
Mar 11 11:36:19 linux-54cw saned[3347]: init: bad status=22 or procnum=0
Mar 11 11:36:19 linux-54cw saned[3347]: saned exiting
I've reverted back to 'StandardInput=socket' and it behaves as expected again
Code:
Mar 11 11:48:38 linux-54cw systemd[1]: Started Scanner Service (192.168.1.8:52372).
Mar 11 11:48:38 linux-54cw saned[3917]: saned (AF-indep+IPv6) from sane-backends 1.0.27 starting up
Mar 11 11:48:38 linux-54cw saned[3917]: check_host: access by remote host: ::ffff:192.168.1.8
Mar 11 11:48:38 linux-54cw saned[3917]: init: access granted to dean@::ffff:192.168.1.8
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
NFS server denies access Curunir Linux - Networking 6 06-17-2016 01:05 PM
SELinux denies access - Can't send my first email ElijahDaniel Linux - Security 2 12-17-2007 01:48 AM
squid denies access to clients Ronin_tekorei Linux - Server 9 05-11-2007 09:35 PM
ripperX denies me access to CD Drive d00bid00b Linux - Software 10 04-30-2006 03:34 PM
in.rsdh denies access to root sylliaad Linux - Security 2 07-13-2005 06:23 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 03:35 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration