Univention Bugzilla – Bug 42688
Non-Edu school slave: serves wrong DNS server
Last modified: 2020-08-06 11:00:59 CEST
Created attachment 8112 [details]
Windows: ipconfig /all

UCS@school Multi-Server
UCS@school 4.1 R2 v6
UCS 4.1-3 Errata 292

Clients in the administrative network receive the educational DNS server via DHCP. Since the educational school server must not be reachable from the administrative network, DNS does not work for all the administrative clients.

How to reproduce:
1. Install UCS Master with Samba/AD
   → Add UCS@school Multi-Server-Env and DHCP Server via App Center
2. Create school with:
   > /usr/share/ucs-school-import/scripts/create_ou --displayName="Grundschule Nord" 011 sedu011-01 sadm011-01
3. Import networks:
   > cat networks.csv:
   > 011 10.200.23.0/24 10.200.23.200-10.200.23.249 10.200.23.1 10.200.23.250 10.200.23.250
   > 011 10.200.34.0/24 10.200.34.200-10.200.34.249 10.200.34.1 10.200.34.250 10.200.34.250
   >
   > /usr/share/ucs-school-import/scripts/import_networks networks.csv
   10.200.23.0/24 is the educational network
   10.200.34.0/24 is the administrative network
4. Install UCS Slave "sedu011-01" and join
   → install UCS@school and configure with Samba/AD and as educational server
   → install DHCP Server via App Center
5. Install UCS Slave "sadm011-01" and join
   → install UCS@school and configure with Samba/AD and as administrative server
   → install DHCP Server via App Center
6. Work around Bug 42687
7. Import clients:
   > cat computers.csv
   > windows 011win99-01 52:54:00:78:6c:67 011 10.200.23.0/24 INVENTNR01 edukativ
   > windows 011win00-02 52:54:00:85:44:f7 011 10.200.34.0/24 INVENTNR02 verwaltung
   >
   > /usr/share/ucs-school-import/scripts/import_computer computers.csv
8. Install the clients and let them use DHCP for the network configuration
There are 5 DHCP DNS policies in my setup:

1. default-settings
   univentionDhcpDomainNameServers: 10.200.30.123 (UCS Master)
   univentionDhcpDomainName: schulen.example.org
   Linked to: cn=10.200.30.0,cn=schulen.example.org,cn=dhcp,dc=schulen,dc=example,dc=org (default network)

2. dhcp-dns-clear
   emptyAttributes: univentionDhcpDomainNameServers
   Linked to: ou=011,dc=schulen,dc=example,dc=org
   → cancels inheritance

3. dhcp-dns-011
   univentionDhcpDomainNameServers: 10.200.23.250 (UCS@school Edu slave)
   Linked to: cn=dhcp,ou=011,dc=schulen,dc=example,dc=org (DHCP container of school)

4. 011-10.200.23.0
   univentionDhcpDomainNameServers: 10.200.23.250 (UCS@school Edu slave)
   univentionDhcpDomainName: schulen.example.org
   Linked to: cn=10.200.23.0,cn=011,cn=dhcp,ou=011,dc=schulen,dc=example,dc=org (UCS@school Edu DHCP Subnet)

5. 011-10.200.34.0
   univentionDhcpDomainNameServers: 10.200.34.250 (UCS@school Non-Edu slave)
   univentionDhcpDomainName: schulen.example.org
   Linked to: cn=10.200.34.0,cn=011,cn=dhcp,ou=011,dc=schulen,dc=example,dc=org (UCS@school Non-Edu DHCP Subnet)

Does 3. overwrite 4. and/or 5.? This seems likely, because the "DHCP Routing" and "DHCP Netbios" policies do work. There we have equivalent policies to 4. and 5., but no equivalent to 3.

DHCP Routing:
- default-settings
- 011-10.200.23.0
- 011-10.200.34.0

DHCP Netbios:
- 011-10.200.23.0
- 011-10.200.34.0

Also the Windows client does list an empty value for "Primary Dns Suffix". This is probably (did not check yet) "univentionDhcpDomainName" which is set in 4. and 5., but empty in 3.
Workaround: Delete the policy "dhcp-dns-011".
I guess this will work until the next run of 62ucs-school-slave.inst.
Cause of this problem is that the DHCP server checks the DHCP host objects first for DNS server settings, and if no DNS server setting was found, the subnet is checked.

In your setup the hosts "011win99-01" and "011win00-02" inherit the DNS server setting from the container cn=dhcp,ou=011,dc=schulen,dc=example,dc=org. So the dhcpd does not evaluate the subnet DNS server settings, because the DHCP host objects already got one via cn=dhcp (and the assigned policy).

In http://docs.software-univention.de/ucsschool-handbuch-4.1R2.html#school:windows:samba there is already a notice on how to deactivate the automatic assignment of the DHCP-DNS policy at the cn=dhcp,ou=... container:

  ucr set ucsschool/import/generate/policy/dhcp/dns/set_per_ou=false

should be set on all UCS@school systems if required (not, as stated in the docs, only on school servers).

I think the hint is incomplete and should be extended:
- set the UCR variable on all UCS@school systems (there is a hook script on the DC master in multi server envs that also assigns the policy)
- add a hint for environments with an administrative/non-edu subnet. In these environments, the UCR variable MUST BE SET! Otherwise all non-edu slaves get into trouble.
- please check if the hint has to be moved and/or referenced at other places within the manual:
  - 2.3. Verwaltungsnetz und Edukativnetz ?
  - 3.2.3. Installation eines Schulservers ?

Currently I do not see an automatic and reliable mechanism to configure this automatically
→ moved to component "documentation"
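To make the lookup order from the comment above tangible, here is an added illustration (not Univention code and not part of this bug report) that models the five DHCP-DNS policies from comment #1 and resolves the DNS server for both imported clients, with and without policy "dhcp-dns-011" attached to cn=dhcp,ou=011. The host object DNs, the flattened policy semantics (nearest link DN wins, emptyAttributes cancels inheritance) and the DN parsing are assumptions made for the model.

```python
# Added illustration for Bug 42688 (not Univention code). Simplified policy
# semantics: a policy applies to its link DN and everything below it, the
# nearest policy that touches the attribute wins, and a policy that lists the
# attribute under emptyAttributes cancels inheritance from further up.
# dhcpd then uses the host object's value first and falls back to the subnet.

LDAP_BASE = "dc=schulen,dc=example,dc=org"
OU_DN = "ou=011," + LDAP_BASE
DHCP_CN = "cn=dhcp," + OU_DN
EDU_SUBNET = "cn=10.200.23.0,cn=011," + DHCP_CN
ADM_SUBNET = "cn=10.200.34.0,cn=011," + DHCP_CN
# Assumption: the DHCP host objects sit beside the subnets under cn=011,cn=dhcp.
EDU_HOST = "cn=011win99-01,cn=011," + DHCP_CN
ADM_HOST = "cn=011win00-02,cn=011," + DHCP_CN

# (policy name, link DN, univentionDhcpDomainNameServers; None = emptyAttributes)
POLICIES = [
    ("default-settings", "cn=10.200.30.0,cn=schulen.example.org,cn=dhcp," + LDAP_BASE, "10.200.30.123"),
    ("dhcp-dns-clear", OU_DN, None),
    ("dhcp-dns-011", DHCP_CN, "10.200.23.250"),
    ("011-10.200.23.0", EDU_SUBNET, "10.200.23.250"),
    ("011-10.200.34.0", ADM_SUBNET, "10.200.34.250"),
]


def ancestors(dn):
    """Yield the DN itself, then each parent DN up to the LDAP base."""
    parts = dn.split(",")  # naive split: fine for the DNs used here
    for i in range(len(parts)):
        yield ",".join(parts[i:])


def resolve(dn, policies):
    """Walk up from dn; the nearest linked policy decides the attribute."""
    by_link = {link: value for _, link, value in policies}
    for ancestor in ancestors(dn):
        if ancestor in by_link:
            return by_link[ancestor]  # None: inheritance cancelled here
    return None


def dns_for_client(host_dn, subnet_dn, policies):
    """dhcpd lookup order: host object first, subnet only if the host has none."""
    return resolve(host_dn, policies) or resolve(subnet_dn, policies)


def without(policy_name, policies):
    """Simulate detaching one policy (or never assigning it: set_per_ou=false)."""
    return [p for p in policies if p[0] != policy_name]
```

With "dhcp-dns-011" attached, the administrative client 011win00-02 resolves to 10.200.23.250 (the edu slave it cannot reach); with it detached, the subnet policy delivers 10.200.34.250.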
(In reply to Michael Grandjean from comment #1)
> There are 5 DHCP DNS policies in my setup:
>
> 1. default-settings
> univentionDhcpDomainNameServers: 10.200.30.123 (UCS Master)
> univentionDhcpDomainName: schulen.example.org
> Linked to:
> cn=10.200.30.0,cn=schulen.example.org,cn=dhcp,dc=schulen,dc=example,dc=org
> (default network)

→ default network for UCS Master (created by UCS)

> 2. dhcp-dns-clear
> emptyAttributes: univentionDhcpDomainNameServers
> Linked to: ou=011,dc=schulen,dc=example,dc=org
> → cancels inheritance

→ automatically created during OU creation
→ /usr/share/ucs-school-import/scripts/ucs-school-import resp. ucs-school-lib/python/models/school.py

> 3. dhcp-dns-011
> univentionDhcpDomainNameServers: 10.200.23.250 (UCS@school Edu slave)
> Linked to: cn=dhcp,ou=011,dc=schulen,dc=example,dc=org (DHCP container of
> school)

→ The policy is automatically created and assigned via OU-post-hook on DC master during OU creation (/usr/share/ucs-school-import/hooks/ou_create_post.d/45dhcpdns_create) or via join script 62ucs-school-slave.inst resp. 62ucs-school-singlemaster.inst.
  The OU post create hook only creates the policy and assigns it to cn=dhcp,ou=${OU},${ldap_base}. The joinscripts also try to create and assign the policy but do also set the policy's "domain_name_server".
→ The automatic assignment can be disabled on DC master, DC backup and DC slaves via UCR:
  ucr set ucsschool/import/generate/policy/dhcp/dns/set_per_ou=false

> 4. 011-10.200.23.0
> univentionDhcpDomainNameServers: 10.200.23.250 (UCS@school Edu slave)
> univentionDhcpDomainName: schulen.example.org
> Linked to: cn=10.200.23.0,cn=011,cn=dhcp,ou=011,dc=schulen,dc=example,dc=org
> (UCS@school Edu DHCP Subnet)

→ this policy is created and assigned via /usr/share/ucs-school-import/scripts/import_networks
→ to activate this policy, policy 3) has to be detached from cn=dhcp,ou=${OU},dc=schulen,dc=example,dc=org

> 5. 011-10.200.34.0
> univentionDhcpDomainNameServers: 10.200.34.250 (UCS@school Non-Edu slave)
> univentionDhcpDomainName: schulen.example.org
> Linked to: cn=10.200.34.0,cn=011,cn=dhcp,ou=011,dc=schulen,dc=example,dc=org
> (UCS@school Non-Edu DHCP Subnet)

→ this policy is created and assigned via /usr/share/ucs-school-import/scripts/import_networks
→ to activate this policy, policy 3) has to be detached from cn=dhcp,ou=${OU},dc=schulen,dc=example,dc=org

> Also the Windows client does list an empty value for "Primary Dns Suffix".
> This is probably (did not check yet) "univentionDhcpDomainName" which is set
> in 4. and 5., but empty in 3.

Correct. See 3) above for the old behaviour.
I fixed this in commit 8d3b9813 and b2347ec0.

New behaviour regarding "primary DNS suffix":
→ Single server environment: The OU-post-create-hook and the join script 62ucs-school-singlemaster.inst have been adapted, so the policy will set the UCS master as DNS server and use the DNS domain of the DC master (/usr/share/ucs-school-import/hooks/ou_create_post.d/45dhcpdns_create).
→ Multi server environments: The join script 62ucs-school-slave.inst has been adapted, so the policy will set the school server as DNS server and use the DNS domain of the DC slave.

Implemented solution/suggested proceeding for setting up UCS@school environments:
=====================================================================
a) UCS@school environments without administrative slaves work out of the box. The "Primary DNS Suffix" is now also set via DHCP-DNS-policy "dhcp-dns-${OU}" that is assigned by default with cn=dhcp,ou=${OU},${ldap_base}.
b) If non-edu/administrative slaves shall be present in the UCS@school environment, the UCR variable "ucsschool/import/generate/policy/dhcp/dns/set_per_ou=false" has to be set on all UCS@school systems (preferably via UCR policy) before any (new) school OU is created (otherwise already assigned DHCP-DNS-policies have to be detached manually).
Networks should be imported via the script /usr/share/ucs-school-import/scripts/import_networks. import_networks creates correct DHCP-DNS, DHCP-Routing and DHCP-WINS policies and attaches them to the imported IP subnet. If no policy is assigned to cn=dhcp,ou=${OU},${ldap_base}, the policies of the DHCP subnets are used.

doc/manual:
e7ba080f87f5 | Bug #42688: add new proceeding to admin manual

ucs-school-metapackage (10.0.3-1):
2114244d88aa | Bug #42688: Merge branch 'sschwardt/42688/42/dhcp-dns-policies' into 4.2
75114ad6f1ae | Bug #42688: add changelog entries
8d3b9813630b | Bug #42688: set domain_name in DHCP-DNS policy during join

ucs-school-import (15.0.1-1):
2114244d88aa | Bug #42688: Merge branch 'sschwardt/42688/42/dhcp-dns-policies' into 4.2
75114ad6f1ae | Bug #42688: add changelog entries
b2347ec030d2 | Bug #42688: set domain_name after OU creation
OK: add domain_name in join scripts and ou-post-create hook
OK: documentation update
OK: advisory
UCS@school 4.2 v4 has been released.
http://docs.software-univention.de/changelog-ucsschool-4.2v4-de.html

If this error occurs again, please clone this bug.