[X2Go-Dev] X2go, printing, Vserver, PostgreSQL

Mike Gabriel mike.gabriel at das-netzwerkteam.de
Sun Sep 23 20:53:38 CEST 2012 

Hi Ted,

I am not sure (and do not have the time to x-check) if the wiki page  
contains what I provide as info in this mail. If there is a mismatch  
between wiki and my info could you please update the wiki page? Thanks  
in advance.

On Sa 22 Sep 2012 17:17:04 CEST  wrote:

> SETUP
> 1) On Vserver Guest (x2go server):
> - Installed and set up PostgreSQL; added the "user" to postgres  
> (user1) to be used when connecting from the x2go client to the x2go  
> server and PostgreSQL database (x2godgadmin --adduser user1).
> - Installed x2go-server-printing

If you can login via X2Go and you use PostgreSQL as db backend then  
your PostgreSQL setup is correct.

> 2) On Vserver Host (Cups Server):
> - Installed cups-x2go
> - Used "http://localhost:631" and added the virtual x2go printer and  
> shared it (we couldn't see it on the client unless we shared it)
> - Used Visudo to add "x2goprint ALL=(ALL) NOPASSWD: /usr/bin/x2goprint
> - Set up SSH Keys using  
> http://www.x2go.org/doku.php/wiki:advanced:multi-node:x2goserver-printing

Issue 1)
The sudo line for x2goprint user has to be placed on every X2Go server  
(Vserver guest in your case).

Issue 2)
As root at cups-server (Vserver host) you have to be able to run this command:

   $ ssh -lx2goprint -i /root/.ssh/id_dsa-x2goprint <x2goserver>

The default key algorithm in Debian is RSA, we recommend DSA, but it  
does not matter. Just make sure that you have the private key on the  
cups-server under the above name and the corresponding public key in

   ~x2goprint/.ssh/autorized_keys

Make sure that ~x2goprint/.ssh has restrictive permissions (0700).  
Same for files in that folder.

> NOTE:  we had trouble getting the keys to copy over (ssh-copy-id  
> /usr/bin/ssh-copy-id: ERROR: No identities found).  We cannot ping  
> the Guest from the Host by server name (e.g.,  
> vserver1.mydomain.com), but can by ip address.  We ended up creating  
> /home/x2goprint/.ssh/authorized_keys and adding the contents of

Why /home/x2goprint??? The default installation procedure creates a  
home for x2goprint: /var/spool/x2goprint, so the public key has to be  
placed in

   /var/spool/x2goprint/.ssh/authorized_keys

> id_dsa-x2goprint.pub by hand.  We then issued ssh -i   
> /root/.ssh/id_dsa-x2goprint x2goprint at x192.168.1.112 and got:
> Is this "Permission denied (publickey)." the cause of our problems?

You have to make sure that DNS works properly. For a quick test, use  
/etc/hosts to place hostnames and IPs in. X2Go uses the hostnames to  
connect between different machines. Check the output of  
x2golistsessions (4th field).

> It appears to have added an RSA key where we think the keys created  
> where DSA...

See above. The key algorithm does not matter. The ssh login (see  
above) has to work.

> 4)  Observations
> On the Vserver host (cups server)
> a)  the print job files show up in /var/spool/cups
> b)  in http://localhost:631 the print jobs show as completed
> c)  there are no errors in /var/log/cups/error_log and the page_log  
> and access_log seem to restister the successful print job and access  
> to the cups

The next step to check: on the X2Go server (vserver guest) in

   /var/spool/x2goprint/

If files do not appear there, check the SSH key login and check that  
DNS works.

Then the cups-x2go backend on the cups server (Vserver host) executes  
the x2goprint command (on the vserver guest) via SSH. This only works if

  (a) the SSH login from root at cups-server to x2goprint at x2goserver works
  (b) the x2goprint user is allowed to execute the x2goprint with sudo

> 5)  Help
> Q:  is this some sort of DNS issue - we can't ping  
> "vserver1.mydomain.com" but assume this is a protocol/firewall issue  
> and not the problem in terms of printing.

DNS has to work!!!

> Q:  John Sullivan wondered if this is a permissions issue (i.e.,  
> does the cups server have write access to the client spool  
> directory):  if this is the issue, we're not sure how to test or fix  
> it.  We looked at the permissions on the "working" vs. "not working"  
> set ups on the spool directory and couldn't see any differences, but  
> may be missing the point.

cups -> cups spool dir -> cups-x2go

cups-x2go -> copy print job to x2goprint at x2goserver:~x2goprint
cups-x2go -> executes via SSH on x2goserver: ,,sudo x2goprint <options>''

,,sudo x2goprint <options>'' script (on x2goserver) copies the spool  
file into /tmp/.x2go-<uid>/spool/<session>/. Under this spool dir the  
sshfs client-side spool directory is mounted. So now, the print job  
files are on the X2Go Client.

> Q:  Vserver uses an fstab configu outside of the vserver itself  
> where /tmp is listed as "none	/tmp		tmpfs	size=128m,mode=1777	0 0"  
> (and the /etc/fstab inside the Vserver only has "# UNCONFIGURED  
> FSTAB FOR BASE SYSTEM").  Does the Vserver fstab set up get in the  
> way of the spool link writing to the /tmp/.x2go....folder on the  
> client?  If so, this sound like it might be along the lines of John  
> Sullivan's suggestion.

This should not be an issue.

> Q:  did the errors we got when generated the ssh keys matter  
> "(Permission denied (publickey)."?  The content of the Vserver/Cups  
> Server host known hosts has:
> - a prefix of "|1|Ha2q5mBmGyrl4CYri92TPRb6NNU=|3gihEfRTYU8UHwI4FrQcSq29Exg="
> - then the contents of the authorized_keys on the Vserver Guest/x2go  
> server /home/user1/.ssh/authorized_keys file up to but excluding the  
> "root at vserver1.mydomain.com"

Ahhh... this is another issue. You have to generate a known_hosts file  
for root at cups-server that allows the login to x2goprint at x2goserver  
(with SSH key /root/.ssh/id_dsa-x2goprint.

For this, just to be sure, do several manual ssh logins from  
cups-server to x2goserver:

   ssh -lx2goprint <ip>
   ssh -lx2goprint <hostname>
   ssh -lx2goprint <hostname>.<fqdn>

> Or did we create DSA keys but somehow when trying to add them got  
> crossed up with RSA keys (e.g., Warning: Permanently added  
> '192.168.1.112' (RSA) to the list of known hosts.").

Again, DSA or RSA doesn't really matter. Only thing important: you  
have to be able to log in from root at cups-server to  
x2goprint at x2goserver without password. Consult other SSH docs on the  
web, if that is nothing you set up regularly.


Greets,
Mike


-- 

DAS-NETZWERKTEAM
mike gabriel, rothenstein 5, 24214 neudorf-bornstein
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel at das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 836 bytes
Desc: Digitale PGP-Unterschrift
URL: <http://lists.x2go.org/pipermail/x2go-dev/attachments/20120923/00b9c98e/attachment.pgp>

More information about the x2go-dev mailing list