After using tvheadend with Kodi for over a decade I was forced to reinstall on a new computer, and then could no longer log in with localhost:9981. Every attempt resulted in "403 Forbidden".

I am on Linux Mint 21.2, and downloaded the Ubuntu Jammy amd64 deb installer. Installation succeeded, but no login possible with the name and password of the admin user requested during installation.

Running nmap I got:

Starting Nmap 7.80 ( https://nmap.org ) at 2024-06-17 15:34 CEST
Host is up (0.000096s latency).
Not shown: 65527 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
111/tcp   open  rpcbind
8090/tcp  open  opsmessaging
9981/tcp  open  pumpkindb
9982/tcp  open  unknown
32989/tcp open  unknown
40851/tcp open  unknown`

I have no idea what pumpkindb is doing here, and where it came from, nor do I know how to remove it.
I see it also on a completely fresh install of Linux Mint LMDE6. Is the problem?

    • HD

    • Best Answerset by ullix

    I resolved this maddening bug by restarting tvheadend with some extra options.

    First checkout what's running now:

    donotob@RPITV:/etc/init $ ps -ef|grep tv
  hts       1240     1  3 05:05 ?        00:00:01 /usr/bin/tvheadend -f -p /run/tvheadend.pid -u hts -g video
  donotob   1290   988 16 05:06 pts/3    00:00:00 grep --color=auto tv

    Then stop and restart with the extra options:

    donotob@RPITV:/etc/init $ sudo systemctl stop tvheadend
  donotob@RPITV:/etc/init $ sudo /usr/bin/tvheadend -f -C --noacl -p /run/tvheadend.pid -u hts -g video

    Checkout what's running now

    donotob@RPITV:/etc/init $ ps -ef|grep tv
hts       1309     1  3 05:09 ?        00:00:01 /usr/bin/tvheadend -f -C --noacl -p /run/tvheadend.pid -u hts -g video
donotob   1360   988  0 05:10 pts/3    00:00:00 grep --color=auto tv

    This forces tvheadend to disable all access control checks and forces the website to start without
    having to provide a username/password... checkout with:

    donotob@RPITV:/etc/init $ tvheadend --help

           -C, --firstrun     If no user account exists then create one with
                              no username and no password. Use with care as
                              it will allow world-wide administrative access
                              to your Tvheadend installation until you create or edit
                              the access control from within the Tvheadend web interface.
            --noacl           Disable all access control checks

    After setting up the administrative account via the website, just restart tvheadend:
    donotob@RPITV:/etc/init $ sudo systemctl restart tvheadend

    Hope this helps.


I resolved this maddening bug by restarting tvheadend with some extra options.

First checkout what's running now:

donotob@RPITV:/etc/init $ ps -ef|grep tv
  hts       1240     1  3 05:05 ?        00:00:01 /usr/bin/tvheadend -f -p /run/tvheadend.pid -u hts -g video
  donotob   1290   988 16 05:06 pts/3    00:00:00 grep --color=auto tv

Then stop and restart with the extra options:

donotob@RPITV:/etc/init $ sudo systemctl stop tvheadend
  donotob@RPITV:/etc/init $ sudo /usr/bin/tvheadend -f -C --noacl -p /run/tvheadend.pid -u hts -g video

Checkout what's running now

donotob@RPITV:/etc/init $ ps -ef|grep tv
hts       1309     1  3 05:09 ?        00:00:01 /usr/bin/tvheadend -f -C --noacl -p /run/tvheadend.pid -u hts -g video
donotob   1360   988  0 05:10 pts/3    00:00:00 grep --color=auto tv

This forces tvheadend to disable all access control checks and forces the website to start without
having to provide a username/password... checkout with:

donotob@RPITV:/etc/init $ tvheadend --help

       -C, --firstrun     If no user account exists then create one with
                              no username and no password. Use with care as
                              it will allow world-wide administrative access
                              to your Tvheadend installation until you create or edit
                              the access control from within the Tvheadend web interface.
            --noacl           Disable all access control checks

After setting up the administrative account via the website, just restart tvheadend:
donotob@RPITV:/etc/init $ sudo systemctl restart tvheadend

Hope this helps.


That won't help when trying to authenticate against a pumpkindb instance with Tvheadend credentials.

It's possible to let tvheadend website use another port. If removing pumpkindb can't be an option maybe this is? You just stop tvheadend and restart with extra option like this:
sudo /usr/bin/tvheadend -f -p /run/tvheadend.pid -u hts -g video --http_port 9985

@HD
Because you already redirected to "/extjs.html", I suspect that you limit access to user.
Clear cookies for site
NMAP is not good as build-in command
sudo netstat -lpnt |grep 9981
Solution is to found where is data files and delete filters you made in access for user.

I am getting more and more confused.

What is this pumpkin thingy, and what do I need it for? My tvheadend worked the last 10 years just fine without needing it, so what is it doing now?

And if I don't need it, how can I get rid of it? I don't find it anywhere on my system.

I have now (multiple times) purged all tvheadend. So the most recent one is 4.3-2337. Is there anywhere an installation guide covering this version, made for the simple-minded user?

If I understand correctly, nmap reports that port 9981 is open on your device. Nmap then looks up the service name for port 9981 in its internal database (nmap/nmapblob/master/nmap-services) and reports that as pumpkindb. In other words TVH has ports 9981 and 9982 open as expected and your authorisation problem has some other cause.

    Are you saying that pumpkindb is part of tvheadend, and must run in order for tvh to run?

    No, nmap has its own database of which service uses which port, so when it sees 9981 in use it falsely reports that pumpkindb has it. In fact what it is seeing is TVH running.

    OK, so at least this question is cleared, thank you!
    Will the suggestion by @HD solve this for me or is there yet another problem possible?

    P.S. I am still looking for an installation guide. Anyone?

    Untested by me but I believe it should work.

    davep If I understand correctly, nmap reports that port 9981 is open on your device. Nmap then looks up the service name for port 9981 in its internal database (nmap/nmapblob/master/nmap-services)) and reports that as pumpkindb. In other words TVH has ports 9981 and 9982 open as expected and your authorisation problem has some other cause.

    Hmm, pumpkindb appears to be a fairly new project. Somebody needs to raise an issue with nmap to change their allocation of the port to pre-existing tvh, and raise an issue with pumpkindb to suggest they pick another 'random' port. : (

        Striving to be a bit more comprehensive and certainly not to confuse you even more, some extra remarks.
        If you decide to use port 9985 you must allow traffic through this port first with:
        sudo ufw allow 9985/tcp

        The one and only aim of using a non-default port for tvheadend website is to avoid pumpkindb traffic on the same port in your setup., nothing else. If this works for you and want to make it permanent, edit /etc/default/tvheadend with your favorite editor:
        change systemd options from:
        OPTIONS="-u hts -g video"
        to:
        OPTIONS="-u hts -g video --http_port 9985
        And restart tvheadend:
        sudo systemctl restart tvheadend
        From now on tvheadend will auto use port 9985 for its website at server startup.

        So tvheadend has simply missed the registration of their port numbers? Very unfortunate.
        In the meantime I have filed a bug report at nmap: nmap/nmap2869
        I think I know what they will have to say...

        I have now purged everything tvh* on my computer and installed tvheadend_4.3-2337~ge855f62e6~jammy_amd64.deb
        Then I checked nmap:

        $ nmap server -p1-65000
        Starting Nmap 7.80 ( https://nmap.org ) at 2024-06-22 09:26 CEST
        Host is up (0.000094s latency).
        Not shown: 64991 closed ports
        PORT STATE SERVICE
        22/tcp open ssh
        80/tcp open http
        111/tcp open rpcbind
        8080/tcp open http-proxy
        8090/tcp open opsmessaging
        9981/tcp open pumpkindb
        9982/tcp open unknown
        32989/tcp open unknown
        40851/tcp open unknown
        9981 is pumpkindb, and 9982 is unknown.

        Now using netstat as suggested by @Saen Acro
        $ sudo netstat -lpnt |grep 998
        tcp 0 0 0.0.0.0:9982 0.0.0.0:* LISTEN 378280/tvheadend
        tcp 0 0 0.0.0.0:9981 0.0.0.0:* LISTEN 378280/tvheadend

        Yes, netstat knows!

        Now calling tvheadend with http://localhost:9981/extjs.html: The result is exactly the same 403-Forbidden as before :-(((

        When you installed TVH, were you asked for a username and password to create?

        Yes, on every recent installation. And I always used name and pw so simple that I was sure to be typing it correctly.

        I now followed the instructions of @HD, very carefully, letter by letter. And then connected to http://localhost:9981/extjs.html

        What a beautiful picture of tvheadend on my monitor! Thank you everybody!