eliddell n00b
Joined: 16 Nov 2004 Posts: 36
|
Posted: Sun Jul 04, 2021 8:04 pm Post subject: [SOLVED]saned refusing to share with anyone except localhost |
|
|
I'm trying to share a scanner over my LAN. The problem is that it won't show up for anyone except localhost, even though saned is running and the port is open.
Background: The scanner is a Canon LiDE 200. It's been tested and works under SANE (genesys backend). It's hooked up to a Raspberry Pi with IP 192.168.1.51, running Gentoo with sane-backends-1.0.31-r2. The client machine that can't see the scanner is an AMD64-based desktop, IP 192.168.1.55, also running Gentoo and sane-backends-1.0.31-r2. Both machines have the genesys and net sane backends installed. (Both are also OpenRC, for what it's worth.)
The Pi knows the scanner is there, and even shows it as a network device (sort of):
Code: | ~ # scanimage -L
device `genesys:libusb:001:004' is a Canon LiDE 200 flatbed scanner
device `net:localhost:genesys:libusb:001:004' is a Canon LiDE 200 flatbed scanner |
The Pi has an open saned port:
Code: | Nmap scan report for 192.168.1.51
Host is up (0.0024s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
6566/tcp open sane-port
MAC Address: B8:27:EB:CA:C5:8E (Raspberry Pi Foundation) |
The desktop, however, can't see the scanner:
Code: | ~ # scanimage -L
No scanners were identified. [...] |
The saned config file on the Pi indicates that the scanner should be exposed two or three times over:
Code: | ~ # cat /etc/sane.d/saned.conf
# saned.conf
# Configuration for the saned daemon
## Daemon options
# Port range for the data connection. Choose a range inside [1024 - 65535].
# Avoid specifying too large a range, for performance reasons.
#
# ONLY use this if your saned server is sitting behind a firewall. If your
# firewall is a Linux machine, we strongly recommend using the
# Netfilter nf_conntrack_sane connection tracking module instead.
#
# data_portrange = 10000 - 10100
## Access list
# A list of host names, IP addresses or IP subnets (CIDR notation) that
# are permitted to use local SANE devices. IPv6 addresses must be enclosed
# in brackets, and should always be specified in their compressed form.
#
# The hostname matching is not case-sensitive.
192.168.1.55
192.168.1.51
192.168.1.52
192.168.1.1/24
localhost
|
The sane net config file on the desktop indicates that it should be able to find it:
Code: | ~ # cat /etc/sane.d/net.conf
# This is the net backend config file.
## net backend options
# Timeout for the initial connection to saned. This will prevent the backend
# from blocking for several minutes trying to connect to an unresponsive
# saned host (network outage, host down, ...). Value in seconds.
connect_timeout = 60
## saned hosts
# Each line names a host to attach to.
# If you list "localhost" then your backends can be accessed either
# directly or through the net backend. Going through the net backend
# may be necessary to access devices that need special privileges.
# localhost
192.168.1.51 |
Since the scanner is visible through the net backend on localhost (the Pi), this looks like a missing setting or permission rather than an absolute breakage, but I'm not sure what it is or how to go about changing it.
Last edited by eliddell on Sun Jul 11, 2021 7:12 pm; edited 1 time in total |
Jaglover Watchman
Joined: 29 May 2005 Posts: 8291 Location: Saint Amant, Acadiana
wwdev16 n00b
Joined: 29 Aug 2018 Posts: 52
|
Posted: Sun Jul 04, 2021 8:37 pm Post subject: |
|
|
Are there any logs from saned? issues w/ firewall rules server/client? saned restart after config changes?
tcpdump on the server for the port will show if the server even attempts to reply.
The 'special privileges' comment suggests the saned account might need to be in certain groups
such as usb.
Your scanimage results are reporting availability from localhost. Does ss -utanlp | grep 6566
show that saned is listening on multiple addresses or the wildcard address? It should be if your nmap
scan was done from the client. |
eliddell n00b
Joined: 16 Nov 2004 Posts: 36
|
Posted: Mon Jul 05, 2021 1:57 am Post subject: |
|
|
@Jaglover: The server's IP is referenced in the client /etc/sane.d/net.conf I reproduced in the original post. By my understanding, this should be sufficient for scanimage and other SANE tools to be able to find the scanner. It works for "localhost" in the same context on the server.
I've also tried referencing the scanner by what should be its absolute address: "net:192.168.1.51:genesys:libusb:001:004". That doesn't work either.
@wwdev16: No firewall on either machine, and sshd worked without my having to do anything special in terms of opening ports etc. saned was restarted after each config change. The saned user is in the scanner and usb groups—I'm not sure what others would be useful.
The nmap scan was indeed performed from the client. ss -utanlp | grep 6566 on the server generates:
Code: | tcp LISTEN 0 1 *:6566 *:* users:(("saned",pid=3768,fd=3)) |
I don't have tcpdump installed, and saned doesn't appear to log anything anywhere. It does have a debug mode, which I suppose is my next step if no one can see anything obvious that I missed. |
figueroa Advocate
Joined: 14 Aug 2005 Posts: 2963 Location: Edge of marsh USA
|
Posted: Mon Jul 05, 2021 3:08 am Post subject: |
|
|
saned.conf you just need 192.168.1.0/24 (note 0 not 1 but not sure it matters).
My net.conf contains:
Code: | localhost
192.168.0.204 |
where 192.168.0.204 is the IP of a network scanner and localhost allows the sharing of a connected USB scanner.
It's not necessarily intuitive but it's working here. saned service has to be running on host, but not client. _________________ Andy Figueroa
hp pavilion hpe h8-1260t/2AB5; spinning rust x3
i7-2600 @ 3.40GHz; 16 gb; Radeon HD 7570
amd64/23.0/split-usr/desktop (stable), OpenRC, -systemd -pulseaudio -uefi |
Jaglover Watchman
Joined: 29 May 2005 Posts: 8291 Location: Saint Amant, Acadiana
eliddell n00b
Joined: 16 Nov 2004 Posts: 36
|
Posted: Mon Jul 05, 2021 9:33 pm Post subject: |
|
|
@figueroa: 192.168.1.0/24 should be correct for my case, because all the devices on my LAN are 192.168.1.x and the /24 represents a mask of 255.255.255.0. saned is naturally running on the server, which has the scanner attached.
@Jaglover: SSH works from the desktop, yes. (The server is headless, so all access goes through SSH.) |
Jaglover Watchman
Joined: 29 May 2005 Posts: 8291 Location: Saint Amant, Acadiana
eliddell n00b
Joined: 16 Nov 2004 Posts: 36
|
Posted: Tue Jul 06, 2021 1:47 am Post subject: |
|
|
@Jaglover: I should have thought of that.
putty gives me the ever-helpful "connection reset by peer" if I try to open a plain telnet session to that port on the server. Since it's not "connection refused", I gather that saned can hear me but doesn't want to talk. |
Jaglover Watchman
Joined: 29 May 2005 Posts: 8291 Location: Saint Amant, Acadiana
eliddell n00b
Joined: 16 Nov 2004 Posts: 36
|
Posted: Wed Jul 07, 2021 2:08 am Post subject: |
|
|
By my understanding, it shouldn't matter what's in the last octet for a /24, but I altered it anyway just in case there was a buggy implementation involved, and restarted saned. No change.
I finally did manage to run the setup in debug mode, though. This confirmed that the client was attempting to reach the server, but something odd is wrong on the server side:
Code: | [22:01:55.563382] [net] connect_dev: trying to connect to 192.168.1.51
[22:01:55.563942] [net] connect_dev: [0] connection succeeded (IPv4)
[22:01:55.563952] [net] connect_dev: sanei_w_init
[22:01:55.564001] [net] connect_dev: net_init (user=eliddell, local version=1.0.3)
[22:01:55.596152] [net] connect_dev: argument marshalling error (Connection reset by peer)
[22:01:55.596162] [net] connect_dev: closing connection to 192.168.1.51 |
I think I'm going to have to take this to the sane mailing lists (or randomly try USE flag combinations and dependency recompiles until the gremlins retreat back into their hole—what fun).
Thanks for trying to help. |
Jaglover Watchman
Joined: 29 May 2005 Posts: 8291 Location: Saint Amant, Acadiana
figueroa Advocate
Joined: 14 Aug 2005 Posts: 2963 Location: Edge of marsh USA
|
Posted: Wed Jul 07, 2021 2:49 am Post subject: |
|
|
Code: | grep backends /etc/portage/package.use
media-gfx/sane-backends threads |
and
Code: | [ebuild R ] media-gfx/sane-backends-1.0.31-r2::gentoo USE="ipv6 threads usb v4l zeroconf -gphoto2 -snmp -systemd -xinetd" ABI_X86="(64) -32 (-x32)" SANE_BACKENDS="abaton agfafocus apple artec artec_eplus48u as6e avision bh canon canon630u canon_dr canon_lide70 cardscan coolscan coolscan2 coolscan3 dc210 dc240 dc25 dell1600n_net dmc epjitsu epson epson2 escl fujitsu genesys gt68xx hp hp3500 hp3900 hp4200 hp5400 hp5590 hpljm1005 hs2p ibm kodak kodakaio kvs1025 kvs20xx leo lexmark ma1509 magicolor matsushita microtek microtek2 mustek mustek_usb nec net niash p5 pie pieusb pixma plustek plustek_pp qcam ricoh ricoh2 rts8891 s9036 sceptre sharp sm3600 sm3840 snapscan sp15c st400 stv680 tamarack teco1 teco2 teco3 test u12 umax umax1220u umax_pp xerox_mfp -canon_pp -hpsj5s -kvs40xx -mustek_pp -mustek_usb2 -pnm" |
USE=threads was somewhat new, but I don't remember why. |
eliddell n00b
Joined: 16 Nov 2004 Posts: 36
|
Posted: Thu Jul 08, 2021 1:57 am Post subject: |
|
|
@Jaglover: No, it's an OpenRC install. I also saw some evidence IPv6 might be conflicting with IPv4. Setting USE="-ipv6" didn't help, though.
@figueroa: If I build with zeroconf on, scanimage -L errors out because of an avahi error (possibly due to dbus, possibly just sheer cussedness). v4l should be irrelevant and drags in otherwise-unused dependencies (since I'm actually building on the Pi, I'm trying to avoid unnecessary packages—it isn't exactly a fast machine, and setting up distcc is the last thing on my mind at the moment). I can try building with threads on, I guess.
So, for my next stupid trick, I'm going to try emerging
Code: | [ebuild R ] media-gfx/sane-backends-1.0.31-r2::gentoo USE="ipv6* threads* usb (-gphoto2) -snmp -systemd -v4l -xinetd -zeroconf" SANE_BACKENDS="genesys net -abaton -agfafocus -apple -artec -artec_eplus48u -as6e -avision -bh -canon -canon630u -canon_dr -canon_lide70 (-canon_pp) -cardscan -coolscan -coolscan2 -coolscan3 -dc210 -dc240 -dc25 -dell1600n_net -dmc -epjitsu -epson -epson2 -escl -fujitsu -gt68xx -hp -hp3500 -hp3900 -hp4200 -hp5400 -hp5590 -hpljm1005 (-hpsj5s) -hs2p -ibm -kodak -kodakaio -kvs1025 -kvs20xx -kvs40xx -leo -lexmark -ma1509 -magicolor -matsushita -microtek -microtek2 -mustek (-mustek_pp) -mustek_usb -mustek_usb2 -nec -niash -p5 -pie -pieusb -pixma -plustek -plustek_pp -pnm (-qcam) -ricoh -ricoh2 -rts8891 -s9036 -sceptre -sharp -sm3600 -sm3840 -snapscan -sp15c -st400 -stv680 -tamarack -teco1 -teco2 -teco3 -test -u12 -umax -umax1220u -umax_pp -xerox_mfp" 0 KiB |
and then try using IPv6 addresses. |
eliddell n00b
Joined: 16 Nov 2004 Posts: 36
|
Posted: Sun Jul 11, 2021 2:11 am Post subject: |
|
|
Okay, I figured out what was going on, more or less: saned won't allow hosts that it can't successfully perform a reverse DNS lookup on to connect, and I hadn't fully populated /etc/hosts on the Pi, since I normally address machines on the LAN by static IP and not hostname.
It's possible that USE=zeroconf or USE=snmp would have mitigated this, but I didn't have either switched on.
I'm not sure whether this behaviour in saned was an attempt at a security feature or merely an oversight; at the very least it represents an omission in the documentation.
(That should be enough to exorcise the spirit of https://xkcd.com/979/ ). |
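The condition identified in the last post, as an added example (not code from the thread or from the SANE project): an offline check that a client IP both matches the saned.conf access list and has a name in the server's /etc/hosts. The file contents and hostnames below are constructed, and only hosts-file text is read, so names that would come from DNS are not considered.

```python
import ipaddress

# Constructed sample inputs modelled on the files quoted in the thread.
SANED_CONF = "# saned.conf\n192.168.1.55\n192.168.1.1/24\nlocalhost\n"
# Constructed /etc/hosts text for the Pi; the hostnames are hypothetical.
HOSTS_BEFORE = "127.0.0.1 localhost\n192.168.1.51 scanpi\n"
HOSTS_AFTER = HOSTS_BEFORE + "192.168.1.55 desktop\n"

def acl_entries(conf_text):
    """Return the access-list lines of saned.conf (comments and options dropped)."""
    entries = []
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line and "=" not in line:
            entries.append(line)
    return entries

def acl_allows(entries, client_ip):
    """True if client_ip matches an IP or CIDR entry (host bits such as .1/24 tolerated)."""
    ip = ipaddress.ip_address(client_ip)
    for entry in entries:
        try:
            bare = entry.replace("[", "").replace("]", "")  # bracketed IPv6 form
            net = ipaddress.ip_network(bare, strict=False)
        except ValueError:
            continue  # hostname entry; not resolved in this offline check
        if ip in net:
            return True
    return False

def hosts_names(hosts_text):
    """Map each IP in /etc/hosts-format text to its first (canonical) name."""
    names = {}
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            names.setdefault(fields[0], fields[1])
    return names

def diagnose(conf_text, hosts_text, client_ip):
    """Report whether the client passes the access list and has a name to resolve to."""
    if not acl_allows(acl_entries(conf_text), client_ip):
        return "not in saned.conf access list"
    name = hosts_names(hosts_text).get(client_ip)
    if name is None:
        return "in access list, but no name for reverse lookup"
    return "in access list, resolves to " + name

if __name__ == "__main__":
    print(diagnose(SANED_CONF, HOSTS_BEFORE, "192.168.1.55"))
```

On a live server, `getent hosts 192.168.1.55` run on the Pi shows what the system resolver actually returns for the client address.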