Debian Linux file and print server: NFS, CUPS, LPR Print E-mail
Written by machiner   
Tuesday, 05 September 2006 03:34

Setting up a home LAN on Debian sharing directories with Linux clients and your printer to Windows and Linux clients. This tutorial is mostly "noob-friendly". Etch makes this easy. You will be able to print from your LAN clients as well as from a Windows client. As well, you will be sharing directories from your "server" to authorized clients. This tutorial requires only reading comprehension and no necessary amount of pre-existing skill. Should you lack confidence, you can find basic information throughout this site. Don't let some smart-ass kid make you think that you cannot use Debian efficiently and productively.

You can find many excellent tutorials and guides web-wide that address this part of your computing system -- networking, LANs, etc. Most of them will walk you through using Samba but I didn't want that. Because I didn't want Samba I won't be sharing any of the directories on my Linux server to my Windows client**. It's not at all necessary for me, in this environment. It may be for you and Samba may be your bag. You will find a lot of help with this web-wide. I'm using CUPS and NFS here. I have all machines plugged into a router and they can all ping each other. Anyway -- here's what I did to start sharing our printer and directories.

All of the commands and file changes done in this guide are done in a terminal. On my acting "server" x is not installed. If you have x installed (your pretty desktop environment) than you must open a terminal on your server (xterm, gnome-terminal) and become root to accomplish this task. I'm using ssh from my laptop to finish setting up my server after the initial install.

The Hardware

Server

The WAN connection is from Verizon - 3MB down xDSL (pppoe)service that plugs into my router. My server is an old homemade desktop. It's got an Abit NF7-M board with an AMD Athlon 2000+ and a gig of Corsair ram, 333. A strong 450 watt PSU powers it all up, and the air-flow is excellent in its aluminum server case. The HP drives that I buy are always solid, dependable drives. I'm not using SATA on the server, it has an nvidia 5500 agp card and on-board sound, just because there it is anyway... and a fancy Samsung flat-panel -- but all that is fluff. No nvidia driver installed, no peripherals except for the printer plugged in. NO monitor, etc. My server doesn't have to be a powerhouse because all it has to do is share web and printing services and share some directories. I could probably bury it in the cellar and forget about it.

Client 1

My kids' box. Although the hardware is a few years old, this box still gets the job done in a big way. It's a homemade job running Etch and they're wicked spoiled to have it. Man! We used to have to go up the hill, both ways! on our knees..... I don't think they need to screw around at home with lousy hardware/software should they need to use their computer...plus it's got accounts for all of us on it. It's my old desktop: Abit NF7-s board, AMD Athlon 2700+, a gig and 1/2 of Corsair 333 RAM, EVGA 6600GT video with 256MB Ram, solid sound, 500 watt power, blah, blah -- it's an awesome little Debian (Etch) box and I'm glad they have it. It uses a Samsung flat-panel as well, HP drives, Phillips DVD-RW, burns DVDs at 16X. It's not a gamer rig, or new - at all, but it plays Nexuiz with all the fanciness on. We call it "carnage".

Client 2

My new Acer laptop. Nothing fancy - work only. Aspire 5003 wmli. At first I nuked the drive and installed a Debian daily build for AMD64 but I didn't want to chroot the 32bit stuff. It ran fine, though, Debian SMOKED on this laptop. I can't wait for Etch to be the new hotness. In testing during the past few months I have found it to be amazing, I know it's going to run well on this laptop, too. I put a 32bit daily build back on my laptop.

Anyway, that's the hardware. Oh, the printer I'm sharing LAN wide is an HP OfficeJet 7110.

The Setup

Server Side

I am using Debian Etch LAN wide and chose only "standard system" for the install. If you've ever installed Debian before you know that this only takes a few minutes and couldn't be simpler. Using Linux is pure computing joy to me -- it so fits with the way that I like to do things.

After the basic system was installed I went outside and had a smoke -- then my kids came out and we played for hours and had so much fun our faces fell off. Man I love Debian!

When we all came back in we slacked for a few and I got back to work. You gotta have a balance.

The Installed Programs, Server

Before you do anything make sure that your /etc/hosts file on your server box has all the listings for the LAN clients. Your file should resemble this:

me@hostname:~$ cat /etc/hosts
127.0.0.1 localhost hostname
127.0.1.1 hostname.domain hostname
192.168.0.100 hostname.domain
192.168.0.101 hostname.domain
192.168.0.103 hostname.domain

CUPS

# apt-get install portmap nfs-kernel-server cupsys foomatic-filters-ppds lpr printconf

Etch comes with CUPS version 1.2.7 which is configured to share your printer with others on the LAN. The only things that I change in the /etc/cups/cupsd.conf file is to un-comment Encryption Required. I made a server certificate so I like to take advantage. If you don't have one or don't care either way then you're all set from defaults. I also change connections to listen to and which machines on the LAN are allowed admin access to CUPS. You can see from the snippets below that I add my servers IP address to listen on and I add the LAN IP addresses of the computers I want to work from to admin CUPS. See my mods below:

#nano /etc/cups/cupsd.conf

# Only listen for connections from the local machine.
Listen localhost:631
Listen 192.168.1.100
Listen /var/run/cups/cups.sock

<Location /admin>
  Encryption Required
  # Restrict access to the admin pages...
  Order allow,deny
  Allow localhost
Allow 192.168.0.102
Allow 192.168.0.103
</Location>
<Location /admin/conf>
  AuthType Basic
  Require user @SYSTEM
  # Restrict access to the configuration files...
  Order allow,deny
  Allow localhost
Allow 192.168.0.102
Allow 192.168.0.103
</Location>

Save and close the file, then...

#/etc/init.d/cupsys restart

Now you can open your web browser from your regular workstation and goto:https:your.server.domain:631. On the default page of the CUPS web interface check off Share published printers connected to this system.

check show shared printers
Simple checkboxes to config your LAN printer

Then click the add printer button next to the one you have installed on your server that CUPS has recognized. You should go directly to the driver page to make sure that CUPS has chosen the correct one for you. Bam, you're done. Point your browser to your local cups interface now, 127.0.0.1:631, click the Printers tab on top, and you should see your printer there.

Piece of cake. To recap a CUPS LAN install

  • you plug your printer into your server
  • install the programs listed above (on your server)
  • add your machine IP's that are allowed to admin CUPS on your LAN in your cupsd.conf file
  • open your server's CUPS web interface in your browser
  • install the found printer
  • check off "Share..."
  • open your local CUPS interface
  • see your LAN printer
  • rejoice

lpd

Following this I set up lp on the server. Pretty simple, just adding client entries to the /etc/hosts.lpd file.

I had to make the file:

# touch /etc/hosts.lpd

My entries look like this:

hostname.domain
hostname.domain

So, client-1.schloopraughtemous.org

The last file that I changed was the /etc/lpd.perms file. I opened it up and and added the following line:

ACCEPT SERVICE=X REMOTEHOST=</etc/hosts.lpd

The files are configured, save and close and you need to restart services now -- so:

# etc/init.d/lpd restart

Sometimes, from my laptop client, I like to do:

$fdisk -l | lp  Results look like this:

machiner@lapbox:~$request id is officejet_7130-4 (1 file(s))
...and a page erupts from my printer.

Shared Printing: Client Side

Now, on your client, make sure that you have cupsys installed as well as the foomatic-filters-ppds package. Open your web browser and goto your CUPS interface: http://127.0.0.1:631. Click the Printers tab and see your LAN shared printer. You don't have to do anything on your client to set up lpr

Your Windows client can use this shared printer as well. Cake. Simply install the drivers to your printer on your Windows client and use the http protocol to connect to your shared LAN printer. Wife said -- "hey -- that's cool" when she plugged her laptop into our LAN and could print.

File Sharing with NFS

Server Side

This is the simplest thing ever. Really. Like I wrote earlier, I installed nfs-kernel-server. There are only a couple files that you have to change here, as well. The first, on the server, is the etc/exports file. Then you have to add entries in your /etc/fstab on your clients.

Here is what my /etc/exports file reads:

/vault 192.168.0.102(rw,sync) 192.168.0.101(rw,sync)
/music 192.168.0.102(ro,sync) 192.168.0.101(ro,sync)
/home/uname 192.168.0.102(rw,sync)

Note that there is no space between the client address and the file permissions/arguments. A space would be read as a new client. So, my laptop is the only client that I have allowed access to my old home directory share.

Hold on -- my wife (my one-true-love) has just brought me a ham/egg/cheese bagel sandwich. Yum! I'll be right back.....

OK -- after you've added your entries to your /etc/exports file, save and close the file and export them, like this:

# exportfs -a

Simple. For further security I am employing the /etc/hosts.allow and the /etc/hosts.deny files. There are terrific guides, tutorials and other information written about portmap web-wide. I won't write about that here because my ignorance would blaze before me as the sun, and who wants that? Suffice it to say we're mapping services to IP addresses in the /etc/hosts.allow file and you want this. So, open /etc/hosts.allow, and add your clients:

portmap: 192.168.0.XXX , 192.168.0.XXX
lockd: 192.168.0.XXX , 192.168.0.XXX
rquotad: 192.168.0.XXX , 192.168.0.XXX
mountd: 192.168.0.XXX , 192.168.0.XXX
statd: 192.168.0.XXX , 192.168.0.XXX

Save and close the file. Next up, in /etc/hosts.deny

# nano /etc/hosts.deny

At the bottom of the file you'll see

ALL: PARANOID
commented out. Beneath that entry add this line for portmap to take over:

portmap: ALL

Save and close the file. I suppose a:

# /etc/init.d/networking restart

wouldn't hurt right now.

If you don't use these files you will be allowing access to anyone that cares to try. If the files are empty then there is neither an address to allow or block, so NFS just allows it all. You must use these files and set your access clients. Your server side setup is finished, log-out of that bad-boy and stop X.

NFS - Client Side

Now you can either add an entry to your /etc/fstab file so that each time that you boot your machine you will see your server shared directories, or -- you can mount them manually to use as needed. I added a fstab entry. Pretty simple stuff, the entry is about the same as any other. check out mine:

server.domain:/mnt/tunage /mnt/tunage nfs rw,hard,intr,async,users,noatime 0 0
server.domain:/home/uname /mnt/directory nfs rw,hard,intr,async,users,noatime 0 0

After you add your own entries in fstab you can mount them immediately without logging out or rebooting. Here's the command

# mount -a

If you would like to mount your nfs shares manually, then as root in a terminal:

# mount hostname.domain:/shared/directory /mnt/directory

That's really all there is to it. Debian makes this kind of thing so simple. Management is a no-brainer and like I wrote, my server doesn't even have X installed. I do everything from my laptop using ssh to admin my server.

Troubleshooting NFS

I see all over the web that people have trouble writing to their NFS shares. Linux is all about permissions. The way that I get around write issues is to make sure that my server shares have permissions for certain groups on my LAN. For instance, I chown -R root:group /share on my server and do the same thing on the machines where I make the mounted directories. Like this chown -R root:group /mnt/share. I made groups specifically to share certain NFS shares differently on each particular LAN client. What I mean is, I don't want my kids to have write permissions to my personal backup share, so I chown it to root:mygroup and don't let my kids have any access. I also make sure that our shared music partition only has write access to me and read for everybody else. Then I give everybody write access to our LAN backup directory. So, if you cannot write to your shares first do a check on your server to see if you are exporting them with write access to your IP address, then make sure that you assign proper groups the proper access to particular shares. You may have to make the groups. Take advantage of the users group, too. Don't forget to add your users to the proper groups like this:

# usermod -G group1,group2,group3 username

Make sure that when you run this command that you include all the groups that this user will belong to, like audio, cdrom, etc. You can check to see what groups a user is in at the command line like this:

groups username

Make sure that the GID on your server is the same as the GID on your LAN clients. If the group special-share has a GID of 1004 on your server make sure it's the same on your other boxes. GIDs are assigned sequentially...1001, 1002, etc.

NOTICE that I didn't write about any real security and that my "server" is just an old desktop sharing a few things. It's all good; but get to know iptables or use a script. There is more to consider and I try not to write about security, actually -- because it's so damned difficult to drive home crucial points and the kung-fu of it all. In my linguistic ignorance I would fail miserably in any attempt to do justice to such content. You should always consider security a top priority. If you have questions or something goes wrong -- post something to the thread in our forum.

Here is a detailed heterogeneous environment tutorial for you that focuses on Samba for your Windows needs. Tell 'em debiantutorials.org sent you.

--machiner 5 Sept 2006 (finally published in Feb '07)

Last Updated on Wednesday, 25 February 2009 15:03