
Creating a File and Print Server


ichase


This is strange. Now that I have the server set up so access via SSH is successful, I decided to set it up on my desktop computer also running Arch. I set up the rc.conf, sshd.conf, hostname, hosts, and stopped and restarted sshd, but when I try to access it, I keep getting no route to host.

I can't even ping it with the IP address I gave it in rc.conf? Of course I can ping and access the server via ssh with no problem.


securitybreach

I am at my cousin's house till this afternoon but I will look into it then. Double check your configuration as it sounds as though you are not entering the right 192.168.0.x address.


I started thinking the issue was the fact that the desktop is up on Wifi. I did change the interface in rc.conf from eth0 to wlan1 but there may be some other settings affected due to it being on wifi.


securitybreach

It should not matter if you are using wifi or ethernet as long as you have a static ip. You can use a dynamic IP but you will have to check if it has changed.

 

After you changed your rc.conf file did you restart the network daemon? Also, check your /etc/resolv.conf file. It should show:

nameserver 192.168.0.1

 

Did you make sure to use a static ip address? Otherwise the ip may have changed. Also, can you post these files:

/etc/hosts

/etc/hosts.allow

/etc/rc.conf

/etc/ssh/sshd.conf


Josh,

As requested, thanks for looking

 

/etc/hosts

#
# /etc/hosts: static lookup table for host names
#

#<ip-address>   <hostname.domain.org>   <hostname>
127.0.0.1			   FrankenstIAN	localhost
::1					 FrankenstIAN	localhost

# End of file

 

/etc/hosts.allow

#
# /etc/hosts.allow
#

# End of file

 

/etc/rc.conf

# /etc/rc.conf - configuration file for initscripts
#
# Most of rc.conf has been replaced by various other configuration
# files. See archlinux(7) for details.
#
# For more details on rc.conf see rc.conf(5).
#

DAEMONS=(hwclock syslog-ng dbus !network !net-profiles sshd netfs crond@alsa @tor @wicd)

# Storage
#
# USEDMRAID="no"
# USELVM="no"

# Network
#
interface=wlan1
address=192.168.0.19
netmask=255.255.255.0
broadcast=192.168.0.255
gateway=192.168.0.1

 

/etc/ssh/sshd_config

#	$OpenBSD: sshd_config,v 1.87 2012/07/10 02:19:15 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

Port 5555
#AddressFamily any
ListenAddress 0.0.0.0
#ListenAddress ::

# The default requires explicit activation of protocol 1
Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile	.ssh/authorized_keys

#AuthorizedPrincipalsFile none

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation sandbox		# Default for new installations.
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
Banner /etc/issue

# override default of no subsystems
Subsystem	sftp	/usr/lib/ssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	ForceCommand cvs server

 

/etc/resolv.conf

# Generated by dhcpcd from wlan1
# /etc/resolv.conf.head can replace this line
domain hr.cox.net
nameserver 192.168.0.1
# /etc/resolv.conf.tail can replace this line

 

What is the /etc/hosts.allow? My server does not even have this file and the one on the desktop is commented out. Seems like a useless file?

Edited by ichase

securitybreach
/etc/hosts.allow and hosts.deny work as a pair to control access to your server. If both files are empty there are no limits and anybody at any ip address can, for example, try guessing userids & passwords all day long. Hosts.allow is read first and if the packet just received matches one of its rules it is let to pass.

 

The only difference I see is your /etc/resolv.conf file. Try commenting out (put a # in front of) domain.hr.cox.net.

 

Here is my /etc/resolv.conf file:

╔═ comhack@Cerberus 05:16 PM
╚═══ ~-> cat /etc/resolv.conf
nameserver 192.168.1.1
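
The allow-then-deny order described in the reply above, modelled as an added example that is not part of the original thread. It assumes an sshd built with TCP wrappers support and IPv4 clients; the function names, the `LAN_ALLOW`/`DENY_ALL` rules and the 203.0.113.7 outside address are constructed for illustration.

```python
# Simplified model of the hosts_access(5) decision order for IPv4 clients.
# Supported patterns: ALL, an exact name/address, and a prefix ending in "."

# The desktop's /etc/hosts.allow as posted: comments only, so no rules.
POSTED_ALLOW = "#\n# /etc/hosts.allow\n#\n\n# End of file\n"
# Constructed rules limiting sshd to the 192.168.0.x LAN used in the thread.
LAN_ALLOW = "sshd: 192.168.0.\n"
DENY_ALL = "ALL: ALL\n"


def parse_rules(text):
    """Turn 'daemons : clients' lines into (daemon_list, client_list) pairs."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        daemons, clients = line.split(":")[:2]
        rules.append((daemons.replace(",", " ").split(),
                      clients.replace(",", " ").split()))
    return rules


def pattern_matches(pattern, value):
    if pattern == "ALL":
        return True
    if pattern.endswith("."):          # e.g. "192.168.0." matches the whole /24
        return value.startswith(pattern)
    return pattern == value


def any_rule_matches(rules, daemon, client_ip):
    return any(
        any(pattern_matches(d, daemon) for d in daemons)
        and any(pattern_matches(c, client_ip) for c in clients)
        for daemons, clients in rules
    )


def access_granted(hosts_allow, hosts_deny, daemon, client_ip):
    """Allow file first, then deny file; no match in either means access."""
    if any_rule_matches(parse_rules(hosts_allow), daemon, client_ip):
        return True
    if any_rule_matches(parse_rules(hosts_deny), daemon, client_ip):
        return False
    return True


if __name__ == "__main__":
    cases = (("posted files", POSTED_ALLOW, ""), ("LAN only", LAN_ALLOW, DENY_ALL))
    for label, allow, deny in cases:
        for ip in ("192.168.0.19", "203.0.113.7"):
            print(label, ip, access_granted(allow, deny, "sshd", ip))
```

With the files as posted every client is admitted; with the constructed pair only 192.168.0.x reaches sshd.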


Well my resolv.conf is the same on the server

# Generated by dhcpcd from eth0
# /etc/resolv.conf.head can replace this line
domain hr.cox.net
nameserver 192.168.0.1
# /etc/resolv.conf.tail can replace this line


securitybreach

Also, I have this commented out on my /etc/ssh/sshd_config:

UsePrivilegeSeparation sandbox           #Default for new installations.


securitybreach

See:

╔═ comhack@Cerberus 05:35 PM
╚═══ ~-> cat /etc/ssh/sshd_config | grep UsePrivilegeSeparation
#UsePrivilegeSeparation yes


Confused again. I thought by uncommenting the network section of your rc.conf and adding the static IP, you are no longer using dhcp?


securitybreach

Sorry, I was going by your post here without thinking about what you said you did:

# Generated by dhcpcd from eth0

# /etc/resolv.conf.head can replace this line

domain hr.cox.net

nameserver 192.168.0.1

# /etc/resolv.conf.tail can replace this line

 

Just in case, check your ip address.

 

Using the ifconfig command.


securitybreach

If the ip address is correct, try adding the info to your Port Forwarding section of your router like I showed above. If you do not know how just give me the model number of your router and I will find you the directions.

 

Although, you should be able to ping it regardless hence why I asked if the IP address was correct.


Strange, ifconfig states inet is 192.168.0.110 not the static IP I provided in rc.conf

wlan1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
    inet 192.168.0.110  netmask 255.255.255.0  broadcast 192.168.0.255
    inet6 fe80::2c0:caff:fe4a:e0fe  prefixlen 64  scopeid 0x20<link>
    ether 00:c0:ca:4a:e0:fe  txqueuelen 1000  (Ethernet)
    RX packets 99833  bytes 50336576 (48.0 MiB)
    RX errors 0  dropped 18  overruns 0  frame 0
    TX packets 23249  bytes 3667005 (3.4 MiB)
    TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0


securitybreach

Here is my relevant section of rc.conf for you to compare:

# HOSTNAME: Hostname of machine. Should also be put in /etc/hosts
#
HOSTNAME="Cerberus"

# Use 'ip addr' or 'ls /sys/class/net/' to see all available interfaces.
#
# Wired network setup
#   - interface: name of device (required)
#   - address: IP address (leave blank for DHCP)
#   - netmask: subnet mask (ignored for DHCP) (optional, defaults to 255.255.255.0)
#   - broadcast: broadcast address (ignored for DHCP) (optional)
#   - gateway: default route (ignored for DHCP)
# 
# Static IP example
# interface=eth0
# address=192.168.0.2
# netmask=255.255.255.0
# broadcast=192.168.0.255
# gateway=192.168.0.1
#
# DHCP example
# interface=eth0
# address=
# netmask=
# gateway=

interface=eth0
address=192.168.1.2
netmask=255.255.255.0
broadcast=192.168.1.254
gateway=192.168.1.1

# Setting this to "yes" will skip network shutdown.
# This is required if your root device is on NFS.
NETWORK_PERSIST="no"

# Enable these netcfg profiles at boot-up. These are useful if you happen to
# need more advanced network features than the simple network service
# supports, such as multiple network configurations (ie, laptop users)
#   - set to 'menu' to present a menu during boot-up (dialog package required)
#   - prefix an entry with a ! to disable it
#
# Network profiles are found in /etc/network.d
#
# This requires the netcfg package
#
#NETWORKS=(main)

 

Also, read through this: https://wiki.archlinux.org/index.php/Autowifi


Greetings all, been a few days since I have posted. Have been doing a lot of reading (most contradicting each other) and trying to weed through what is good info and not so good info. I am at the point now of trying to get all of the computers on the network to see my server and be able to read/write to my storage drive. Here is the strange thing. As of right now, I see HOMESERVER/storage in the Network from Windows but it is recognizing it as a printer. I have my printer settings and my storage drive settings set individually in my smb.conf:

[root@HomeServer ichase]# cat /etc/samba/smb.conf
#======================= Global Settings =====================================
[global]

  workgroup = WORKGROUP

  server string = Samba Server

  security = user

  hosts allow = 192.168.0. 192.168.1. 192.168.2. 127.

  load printers = yes

;   printcap name = /etc/printcap

;   printcap name = lpstat

;   printing = cups

guest account = nobody

  log file = /var/log/samba/%m.log

  max log size = 50

# These scripts are used on a domain controller or stand-alone
# machine to add or delete corresponding unix accounts
;  add user script = /usr/sbin/useradd %u
;  add group script = /usr/sbin/groupadd %g
;  add machine script = /usr/sbin/adduser -n -g machines -c Machine -d /dev/null -s /bin/false %u
;  delete user script = /usr/sbin/userdel %u
;  delete user from group script = /usr/sbin/deluser %u %g
;  delete group script = /usr/sbin/groupdel %g


#============================ Share Definitions ==============================
;[homes]
;   comment = Home Directories
;   browseable = no
;   writable = yes

;[Profiles]
;	path = /usr/local/samba/profiles
;	browseable = no
;	guest ok = yes

[storage]
  comment = Home Data Storage
  path = /home/storage
  valid users = user user user
  public = yes
  writable = yes
  printable = yes
  create mask = 0777
  directory mask = 0777

[printers]
  comment = All Printers
  path = /var/spool/samba
  browseable = yes
  Set public = yes
  guest ok = yes
  writable = yes
  printable = yes

I have checked out and have installed webmin and swat and to be honest with you, it seems easier to just write the config file from scratch.

 

Now here is the kicker. In Windows, I can see this printer and add it as a network printer setting it as default. When I go into MS Word, create a simple document called test and try to print, it says it is spooling and gives no errors. But when I check the print queue there is nothing there. Now, and bear with me because I am really trying to get my head wrapped around all of this, do I need to configure CUPS so that /var/spool/samba sends the info to the physical printer? Does CUPS assist in printing from Windows?

 

I already see one error in my smb.conf file that needs to be fixed and it is probably the reason (most likely DEFINITELY the reason) why /home/storage does not show on my network because I forgot to add browsable = yes under [storage]

 

So I am making baby steps and I think I am real close. I am trying to get SAMBA working properly and have not had the time to delve into learning how to configure CUPS which I am thinking I need to do before I can print anything.

 

Also, in Thunar under Network, I don't see my server at all on either of my Linux computers?

 

This has been a learning experience no doubt :clap: and also VERY frustrating as well. >_< I do feel like I am close or that just may be wishful thinking. :hysterical:

 

All the best,

 

Ian

Edited by ichase

Guest LilBambi
[Storage]

comment = Home Data Storage

path = /home/storage

valid users = user user user

public = yes

writable = yes

printable = yes

create mask = 0777

 

directory mask = 0777

 

Maybe try changing printable = no

 

that doesn't look like a setting for storage does it?
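
The point raised in the reply above (printable = yes does not belong on a storage share) can be checked mechanically. This added example, not part of the original thread, parses the [storage] and [printers] sections posted earlier and flags that setting for review along with guest access on a writable share and the 0777 masks; the function names and finding strings are made up here, and Samba's own `testparm` remains the authoritative checker.

```python
import re

# Constructed sample: the two share sections posted in the thread (comment lines trimmed).
SMB_CONF = """\
[storage]
  path = /home/storage
  valid users = user user user
  public = yes
  writable = yes
  printable = yes
  create mask = 0777
  directory mask = 0777

[printers]
  path = /var/spool/samba
  browseable = yes
  Set public = yes
  guest ok = yes
  writable = yes
  printable = yes
"""

# Synonyms from smb.conf(5), keyed by the normalised (lowercase, no spaces) name.
SYNONYMS = {"public": "guestok", "writeable": "writable", "writeok": "writable",
            "printok": "printable", "browsable": "browseable",
            "createmode": "createmask", "directorymode": "directorymask"}

def parse(text):
    """Return {section: {param: value}}; names ignore case and whitespace."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            name, value = line.split("=", 1)
            key = re.sub(r"\s+", "", name).lower()
            current[SYNONYMS.get(key, key)] = value.strip()
    return sections

def is_yes(params, key):
    return params.get(key, "no").lower() in ("yes", "true", "1")

def audit(text):
    findings = []
    for share, params in parse(text).items():
        if share == "global":
            continue
        file_share = share != "printers"   # [printers] is the print-queue section
        if file_share and is_yes(params, "printable"):
            findings.append((share, "printable = yes on a file share"))
        if file_share and is_yes(params, "guestok") and is_yes(params, "writable"):
            findings.append((share, "guest ok on a writable share"))
        for mask in ("createmask", "directorymask"):
            if mask in params and int(params[mask], 8) & 0o002:
                findings.append((share, f"{mask} {params[mask]} permits world-write"))
    return findings

if __name__ == "__main__":
    for share, finding in audit(SMB_CONF):
        print(f"[{share}] {finding}")
```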


Hey Fran, hope all is well :)

I think you are right, I may just get rid of that line altogether. Like I said, I have read so many different tutorials on SAMBA, all of which are somewhat different. Then you have to be careful to make sure you are reading the right ones as Pre SAMBA v3 ran off of inet.d and post SAMBA v3 (which I am running) runs off of xinetd.

I have learned a ton so far and certainly have much more to learn. My goal is to be able to speak educated about SAMBA when this is all said and done. Need to get the basics out of the way then I can get into user groups, tighter security etc. Baby steps. :)


I have the CUPS wiki printed out and that looks fairly cut and dry but I had a tough time following the SAMBA wiki and have looked elsewhere. I love the Arch Wikis but at least for me, some of them are geared towards your power users and I believe I have a LONG way to go before I am a power user of Arch. But up to this point it is the one Linux OS I am most comfortable with. Ubuntu has some decent stuff on SAMBA and it is pretty much what I have been following up to this point. I have also been reading Samba3 by Example from Samba.org but at 638 pages, there is a lot to weed through. I'm getting there and learning a bunch in the process. Once I get the light bulb to go off over my head (which is actually pretty close) I will be delving into more of the details. Got to crawl before you learn to walk and that has always been my biggest problem. Wanting to RUN FIRST!!! :hysterical:


securitybreach

Well Cups has a ton of options that you would probably not need anyway. I think getting a minimal setup would be easier to begin with, then you can move on to the endless options after that. At least that is how I usually tackle things like this. Also, most of the stuff on the wiki page for Cups will not be needed for your setup.

 

Basically you only need to install libcups, then add the server ip to /etc/cups/client.conf. Then you need to install the various cups' packages and possibly a driver if the kernel does not already have it built in. Then start cups and add it to your daemons line or autostart with sysctl. Lastly, you can configure the sharing and such via the browser page: http://localhost:631/

 

A lot of that page is just for troubleshooting as there are only 4 main steps.

 

Once you get cups up and running fine, then you can dabble with Samba to get windows to see the printer. Also, I still think NFS will be much easier to setup than Samba.


Localhost only works if you are working directly at the server. I have tried EVERYTHING I can come up with to hit the cups web interface with no luck whatsoever.

I have updated cupsd.conf to allow all, allow the IP of the laptop I am working from in all 3 location areas of the conf file.

I have replaced the line: Listen localhost:631 to port 631

I have attempted to connect with http://homeserver:631 http://192.168.X.X:631 still no joy.

I have even tried an ssh tunnel to forward the port to 631 with

ssh -L8000:localhost:631 ichase@192.168.X.X 

This asked for the password and I entered it but still no joy. Going back to terminal showed this:

[root@archbox ichase]# ssh -L8000:localhost:631 ichase@192.168.0.XXX
The authenticity of host '192.168.0.XXX (192.168.0.XXX)' can't be established.
ECDSA key fingerprint is 2a:79:22:a0:6d:4f:c8:fa:8c:e8:2a:a4:5a:21:9c:1a.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.0.XXX' (ECDSA) to the list of known hosts.
ichase@192.168.0.XXX's password:
Last login: Wed Oct 17 09:53:06 2012
[18:33:27 ichase@~]$ channel 3: open failed: connect failed: Connection refused
channel 3: open failed: connect failed: Connection refused

And when I attempt to connect with http://localhost:8000/ it still won't connect.

 

BUT....The storage hard drive is completely accessible on all of my Windows computers with read/write but when I open Thunar and click on the Network icon, it's not there??????

 

Times like this when Eric's nuke button sounds like an option. :hysterical:


securitybreach
Thunar has issues with FAM and remote file access. If you experience remote folders not displaying, getting kicked back to the home directory, or other remote file access issues through Thunar, replace fam with gamin. Gamin is derived from fam.

# pacman -S gamin

# nano /etc/rc.conf #remove fam in daemons

https://wiki.archlin.../Sshfs#Mounting

 

Also, that page will show you how to mount drives over ssh using sshfs.


Thanks Josh,

Will have to look to see if I have gamin installed or not. I know it's not in my daemons list in rc.conf but fam is not there either. Seems like an easy fix.
:thumbsup:

 

Now, do you have any other ideas on how I can hit the cups web interface beyond what I have already tried thus far. One thing I forgot to mention, read in a thread where bringing lo up fixed the problem for one guy, tried that with no joy.

Everything he mentions in his page I have tried. Now I may need to try the https vice http not sure if I have tried that or not. But I have Allow all on all of my location parameters, even have allow my remote ip on each line as well. Changed Listen localhost:631 to port 631. Have tried port tunneling via ssh and still have no connection to the cups web interface.

 

It's frustrating because I am not getting any kind of error that would point me in a direction. Pretty much everything that was stated in the link you provided is also provided in the CUPS wiki. It should work and it's quite frustrating that it is not. The https is the only thing I can not say for sure I have tried. So that is worth a try. If that fails, I am going to have to drop back 10 yards and punt. :hysterical:

 

As always, thank you for your patience Josh. I am sure sometimes you want to reach through the screen and whack me in the head. :hysterical: Though I would be careful as it is apparent that I am very hard headed. :)

  • Like 1

securitybreach

As always, thank you for your patience Josh. I am sure sometimes you want to reach through the screen and whack me in the head. :hysterical: Though I would be careful as it is apparent that I am very hard headed. :)

 

Not at all, I enjoy helping people especially if they are trying to help themselves as well.


Wow, the one thing I did not try fixed the issue. https vice http. I don't know why I did not try that before.

 

Now we start configuring the shared printer. Onward and upward. :)

  • Like 1