The customer is confused that the dhcp policy adjusted at the subnet is not shown at the computer object. There is also a difference between univention-policy-result and udm dhcp host list --filter --policy=1

```
root@master:~# univention-policy-result -D $(ucr get ldap/hostdn) -y /etc/machine.secret cn=S55-Test0003,cn=s55,cn=dhcp,ou=S55,dc=schein,dc=me
DN: cn=S55-Test0003,cn=s55,cn=dhcp,ou=S55,dc=schein,dc=me
POLICY cn=S55-Test0003,cn=s55,cn=dhcp,ou=S55,dc=schein,dc=me
  Policy: cn=UCS 4.0,cn=desktop,cn=policies,dc=schein,dc=me
    Attribute: univentionDesktopProfile
    Value: /usr/share/univention-kde-profiles/kde4-menu
    Value: /usr/share/univention-kde-profiles/ucs-4.0
  Policy: cn=default-udm-self,cn=UMC,cn=policies,dc=jsp,dc=intranet
    Attribute: umcPolicyGrantedOperationSet
    Value: cn=udm-self,cn=operations,cn=UMC,cn=univention,dc=schein,dc=me
  Policy: cn=map-country-to-st,cn=config-registry,cn=policies,dc=schein,dc=me
    Attribute: univentionRegistry;entry-hex-6469726563746f72792f6d616e616765722f7765622f6d6f64756c65732f75736572732f757365722f6d61702d636f756e7472792d746f2d7374
    Value: false
  Policy: cn=ucsschool-ucr-settings,cn=config-registry,cn=policies,dc=schein,dc=me
    Attribute: univentionRegistry;entry-hex-6469726563746f72792f6d616e616765722f73616d6261332f6c6567616379
    Value: yes
  Policy: cn=default-users,cn=admin-settings,cn=users,cn=policies,dc=schein,dc=me
    Attribute: univentionAdminMayOverrideSettings
    Value: 0
  Policy: cn=default-users,cn=admin-settings,cn=users,cn=policies,dc=schein,dc=me
    Attribute: univentionAdminListWebModules
    Value: modself
  Policy: cn=default-users,cn=admin-settings,cn=users,cn=policies,dc=schein,dc=me
    Attribute: univentionAdminListWizards
    Value: None
  Policy: cn=default-settings,cn=pwhistory,cn=users,cn=policies,dc=schein,dc=me
    Attribute: univentionPWQualityCheck
    Value: TRUE
  Policy: cn=default-settings,cn=pwhistory,cn=users,cn=policies,dc=schein,dc=me
    Attribute: univentionPWLength
    Value: 8
  Policy: cn=default-settings,cn=pwhistory,cn=users,cn=policies,dc=schein,dc=me
    Attribute: univentionPWHistoryLen
    Value: 3
  Policy: cn=dhcp-dns-clear,cn=policies,ou=S55,dc=schein,dc=me
    Attribute: univentionDhcpDomainNameServers
```

vs

```
root@master:~# udm dhcp/host list --filter cn=s55-test0003 --policies=1
cn=s55-test0003
DN: cn=S55-Test0003,cn=s55,cn=dhcp,ou=S55,dc=schein,dc=me
fixedaddress: 10.55.224.3
host: S55-Test0003
hwaddress: ethernet 00:57:6e:9d:03:22
Policy-based Settings:
  Policy: cn=UCS 4.0,cn=desktop,cn=policies,dc=schein,dc=me
    Attribute: univentionDesktopProfile
    Value: /usr/share/univention-kde-profiles/kde4-menu
    Value: /usr/share/univention-kde-profiles/ucs-4.0
  Policy: cn=default-udm-self,cn=UMC,cn=policies,dc=schein,dc=me
    Attribute: umcPolicyGrantedOperationSet
    Value: cn=udm-self,cn=operations,cn=UMC,cn=univention,dc=schein,dc=me
  Policy: cn=map-country-to-st,cn=config-registry,cn=policies,dc=schein,dc=me
    Attribute: univentionRegistry;entry-hex-6469726563746f72792f6d616e616765722f7765622f6d6f64756c65732f75736572732f757365722f6d61702d636f756e7472792d746f2d7374
    Value: false
  Policy: cn=ucsschool-ucr-settings,cn=config-registry,cn=policies,dc=schein,dc=me
    Attribute: univentionRegistry;entry-hex-6469726563746f72792f6d616e616765722f73616d6261332f6c6567616379
    Value: yes
  Policy: cn=default-users,cn=admin-settings,cn=users,cn=policies,dc=schein,dc=me
    Attribute: univentionAdminMayOverrideSettings
    Value: 0
  Policy: cn=default-users,cn=admin-settings,cn=users,cn=policies,dc=schein,dc=me
    Attribute: univentionAdminListWebModules
    Value: modself
  Policy: cn=default-users,cn=admin-settings,cn=users,cn=policies,dc=schein,dc=me
    Attribute: univentionAdminListWizards
    Value: None
  Policy: cn=default-settings,cn=pwhistory,cn=users,cn=policies,dc=schein,dc=me
    Attribute: univentionPWQualityCheck
    Value: TRUE
  Policy: cn=default-settings,cn=pwhistory,cn=users,cn=policies,dc=schein,dc=me
    Attribute: univentionPWLength
    Value: 8
  Policy: cn=default-settings,cn=pwhistory,cn=users,cn=policies,dc=schein,dc=me
    Attribute: univentionPWHistoryLen
    Value: 3
  Policy: cn=dhcp-dns-clear,cn=policies,ou=S55,dc=schein,dc=me
    Attribute: univentionDhcpDomainNameServers
Subnet-based Settings:
  Policy: cn=UCS 4.0,cn=desktop,cn=policies,dc=schein,dc=me
    Attribute: univentionDesktopProfile
    Value: /usr/share/univention-kde-profiles/kde4-menu
    Value: /usr/share/univention-kde-profiles/ucs-4.0
  Policy: cn=default-udm-self,cn=UMC,cn=policies,dc=schein,dc=me
    Attribute: umcPolicyGrantedOperationSet
    Value: cn=udm-self,cn=operations,cn=UMC,cn=univention,dc=schein,dc=me
  Policy: cn=map-country-to-st,cn=config-registry,cn=policies,dc=schein,dc=me
    Attribute: univentionRegistry;entry-hex-6469726563746f72792f6d616e616765722f7765622f6d6f64756c65732f75736572732f757365722f6d61702d636f756e7472792d746f2d7374
    Value: false
  Policy: cn=ucsschool-ucr-settings,cn=config-registry,cn=policies,dc=schein,dc=me
    Attribute: univentionRegistry;entry-hex-6469726563746f72792f6d616e616765722f73616d6261332f6c6567616379
    Value: yes
  Policy: cn=default-users,cn=admin-settings,cn=users,cn=policies,dc=schein,dc=me
    Attribute: univentionAdminMayOverrideSettings
    Value: 0
  Policy: cn=default-users,cn=admin-settings,cn=users,cn=policies,dc=schein,dc=me
    Attribute: univentionAdminListWebModules
    Value: modself
  Policy: cn=default-users,cn=admin-settings,cn=users,cn=policies,dc=schein,dc=me
    Attribute: univentionAdminListWizards
    Value: None
  Policy: cn=default-settings,cn=pwhistory,cn=users,cn=policies,dc=schein,dc=me
    Attribute: univentionPWQualityCheck
    Value: TRUE
  Policy: cn=default-settings,cn=pwhistory,cn=users,cn=policies,dc=schein,dc=me
    Attribute: univentionPWLength
    Value: 8
  Policy: cn=default-settings,cn=pwhistory,cn=users,cn=policies,dc=schein,dc=me
    Attribute: univentionPWHistoryLen
    Value: 3
  Policy: cn=55-1-default-gateway,cn=policies,ou=S55,dc=schein,dc=me
    Attribute: univentionDhcpRouters
    Value: 10.55.239.254
  Policy: cn=dhcp-dns-s55-1,cn=policies,ou=S55,dc=schein,dc=me
    Attribute: univentionDhcpDomainNameServers
    Value: 10.55.1.1
  Policy: cn=dhcp-dns-s55-1,cn=policies,ou=S55,dc=schein,dc=me
    Attribute: univentionDhcpDomainName
    Value: schein.me
Merged Settings:
  Policy: cn=UCS 4.0,cn=desktop,cn=policies,dc=schein,dc=me
    Attribute: univentionDesktopProfile
    Value: /usr/share/univention-kde-profiles/kde4-menu
    Value: /usr/share/univention-kde-profiles/ucs-4.0
  Policy: cn=default-udm-self,cn=UMC,cn=policies,dc=schein,dc=me
    Attribute: umcPolicyGrantedOperationSet
    Value: cn=udm-self,cn=operations,cn=UMC,cn=univention,dc=schein,dc=me
  Policy: cn=map-country-to-st,cn=config-registry,cn=policies,dc=schein,dc=me
    Attribute: univentionRegistry;entry-hex-6469726563746f72792f6d616e616765722f7765622f6d6f64756c65732f75736572732f757365722f6d61702d636f756e7472792d746f2d7374
    Value: false
  Policy: cn=ucsschool-ucr-settings,cn=config-registry,cn=policies,dc=schein,dc=me
    Attribute: univentionRegistry;entry-hex-6469726563746f72792f6d616e616765722f73616d6261332f6c6567616379
    Value: yes
  Policy: cn=default-users,cn=admin-settings,cn=users,cn=policies,dc=schein,dc=me
    Attribute: univentionAdminMayOverrideSettings
    Value: 0
  Policy: cn=default-users,cn=admin-settings,cn=users,cn=policies,dc=schein,dc=me
    Attribute: univentionAdminListWebModules
    Value: modself
  Policy: cn=default-users,cn=admin-settings,cn=users,cn=policies,dc=schein,dc=me
    Attribute: univentionAdminListWizards
    Value: None
  Policy: cn=default-settings,cn=pwhistory,cn=users,cn=policies,dc=schein,dc=me
    Attribute: univentionPWQualityCheck
    Value: TRUE
  Policy: cn=default-settings,cn=pwhistory,cn=users,cn=policies,dc=schein,dc=me
    Attribute: univentionPWLength
    Value: 8
  Policy: cn=default-settings,cn=pwhistory,cn=users,cn=policies,dc=schein,dc=me
    Attribute: univentionPWHistoryLen
    Value: 3
  Policy: cn=dhcp-dns-clear,cn=policies,ou=S55,dc=schein,dc=me
    Attribute: univentionDhcpDomainNameServers
  Policy: cn=55-1-default-gateway,cn=policies,ou=S55,dc=schein,dc=me
    Attribute: univentionDhcpRouters
    Value: 10.55.239.254
  Policy: cn=dhcp-dns-s55-1,cn=policies,ou=S55,dc=schein,dc=me
    Attribute: univentionDhcpDomainName
    Value: schein.me
```

At the end the computer gets all the values set by the policy, but that is only recognizable via udm on the command line. The customer does not like it.

Regarding this issue, what is also unclear: why do we have the cn=dhcp-dns-clear,cn=policies,ou=S55,dc=schein,dc=me policy if I have to remove it when I want the policies at the subnet to get applied? I also have to remove the policy at the dhcp container, this is clear to me, but the clear policy at the ou, I do not get it.

(In reply to Christina Scheinig from comment #1)
> Regarding this issue, what also is unclear, why do we have the
> cn=dhcp-dns-clear,cn=policies,ou=S55,dc=schein,dc=me policy, if I have to
> remove it, if I want the policies at the subnet to get applied? I also have
> to remove the policy at the dhcp container, this is clear for me but the
> clear policy at the ou, I do not get it.

So this question is another topic, but this bug shows the situation that policy-result and udm output differ in dhcp for policies set in subnets.

How to reproduce:

- udm dhcp/service create --set service=dhcpService1 --position cn=dhcp,"$(ucr get ldap/base)"
- udm policies/dhcp_boot create --position cn=boot,cn=dhcp,cn=policies,"$(ucr get ldap/base)" --set name=boot-p1 --set boot_server=10.200.41.250 --set boot_filename=boot.ipxe
- udm dhcp/subnet create --position cn=dhcpService1,cn=dhcp,"$(ucr get ldap/base)" --set subnet=10.200.41.0 --set subnetmask=24 --policy-reference cn=boot-p1,cn=boot,cn=dhcp,cn=policies,"$(ucr get ldap/base)"
- udm dhcp/host create --position cn=dhcpService1,cn=dhcp,"$(ucr get ldap/base)" --set host=test1 --set hwaddress='ethernet 112233445566' --set fixedaddress=10.200.41.26

Now compare:

- udm dhcp/host list --filter cn=test1 --policies=1
- univention-policy-result -D $(ucr get ldap/hostdn) -y /etc/machine.secret cn=test1,cn=dhcpService1,cn=dhcp,"$(ucr get ldap/base)"

The "Subnet-based Settings" and "Merged Settings" sections are only implemented for the cli:
https://git.knut.univention.de/univention/ucs/-/blob/5.0-8/management/univention-directory-manager-modules/modules/univention/admincli/admin.py?ref_type=heads#L1015

Important to note: this is isc-dhcp implementation specific. Any dhcp/host policy setting always has a higher priority than a dhcp/subnet policy setting! To come back around to the dhcp-dns-clear policy, the policy affects both the subnet and the host. You can overwrite the value on the subnet with a new policy, but the dhcp server will ignore the changed subnet settings since the host settings have a higher priority.

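The precedence described in the comment above, as an added example that is not part of the original thread or of UCS: a Python parser for `udm dhcp/host list --policies=1` output that reports subnet settings overridden by a host-level policy, including an empty "clear" value. The sample output, the dc=example,dc=org base, the policy names other than boot-p1 and the function names are constructed for illustration.

```python
import re

HOST, SUBNET, MERGED = "Policy-based Settings:", "Subnet-based Settings:", "Merged Settings:"
HEADER = re.compile("(%s)" % "|".join(map(re.escape, (HOST, SUBNET, MERGED))))
# One entry: policy DN (may contain spaces), attribute name, then zero or more values.
ENTRY = re.compile(r"Policy:\s*(.+?)\s+Attribute:\s*(\S+)(.*?)(?=Policy:|\Z)", re.S)
VALUE = re.compile(r"Value:\s*(.*?)\s*(?=Value:|\Z)", re.S)

def parse_sections(text):
    """Return {section header: {attribute: (policy DN, [values])}}."""
    sections, name = {}, HOST  # entries before any header count as host-level
    for part in HEADER.split(text):
        if part in (HOST, SUBNET, MERGED):
            name = part
            continue
        for dn, attr, rest in ENTRY.findall(part):
            sections.setdefault(name, {})[attr] = (dn, VALUE.findall(rest))
    return sections

def shadowed_subnet_settings(text):
    """Subnet attributes that a host-level policy overrides with a different value."""
    sections = parse_sections(text)
    host, subnet = sections.get(HOST, {}), sections.get(SUBNET, {})
    return {attr: {"subnet": vals, "host_policy": host[attr][0], "host": host[attr][1]}
            for attr, (_, vals) in subnet.items()
            if attr in host and host[attr][1] != vals}

# Constructed sample, modelled on the reproduction steps in this thread.
SAMPLE = """
DN: cn=test1,cn=dhcpService1,cn=dhcp,dc=example,dc=org
Policy-based Settings:
  Policy: cn=dns-clear,cn=policies,dc=example,dc=org
    Attribute: univentionDhcpDomainNameServers
  Policy: cn=default-leasetime,cn=policies,dc=example,dc=org
    Attribute: univentionDhcpLeaseTimeDefault
    Value: 604800
Subnet-based Settings:
  Policy: cn=default-leasetime,cn=policies,dc=example,dc=org
    Attribute: univentionDhcpLeaseTimeDefault
    Value: 604800
  Policy: cn=dns-subnet,cn=policies,dc=example,dc=org
    Attribute: univentionDhcpDomainNameServers
    Value: 10.200.41.1
  Policy: cn=boot-p1,cn=boot,cn=dhcp,cn=policies,dc=example,dc=org
    Attribute: univentionDhcpBootServer
    Value: 10.200.41.250
"""

if __name__ == "__main__":
    for attr, info in shadowed_subnet_settings(SAMPLE).items():
        print(attr, "subnet", info["subnet"], "overridden by", info["host_policy"], info["host"])
```

The regular expressions tokenize on the `Policy:`, `Attribute:` and `Value:` labels rather than on line breaks, so output that has been flattened onto one line parses the same way.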
Another customer affected: 2025040421000079

UCS: 5.0-10 errata1230
Installed: adconnector=12.0 letsencrypt=2.0.0-2 office365=5.11 samba4=4.16 self-service=5.0 self-service-backend=5.0 ucsschool=5.0 v6 4.4/ucsschool-kelvin-rest-api=1.10.3

```
dpkg -l | grep dhcp
ii isc-dhcp-client 4.4.1-2+deb10u3A~5.0.4.202303131602 amd64 DHCP client for automatically obtaining an IP address
ii isc-dhcp-common 4.4.1-2+deb10u3A~5.0.4.202303131602 amd64 common manpages relevant to all of the isc-dhcp packages
rc isc-dhcp-server 4.4.1-2+deb10u2A~5.0.2.202210170847 amd64 ISC DHCP server for automatic IP address assignment
rc isc-dhcp-server-ldap 4.4.1-2+deb10u2A~5.0.2.202210170847 amd64 DHCP server that uses LDAP as its backend
rc univention-dhcp 14.0.5-1A~5.0.0.202207141218 all UCS - DHCP server
```

Described customer problem:
At the school we have the behaviour that some of the clients correctly receive the stored server 10.64.32.2 from the school and the boot file pxelinux.0 via PXE. However, the majority of the computers receive the UEFI boot file and the server that was declared at the top DHCP object.

```
udm dhcp/host list --filter cn=pc3-02 --policies=1 > dhcp-host-list_pc3-02
DN: cn=pc3-02,cn=edu.univention.de,cn=dhcp,dc=edu,dc=univention,dc=de
  Policy: cn=edu-defaults,cn=dhcp,cn=policies,dc=edu,dc=univention,dc=de
    Attribute: univentionDhcpAuthoritative
    Value: yes
  Policy: cn=default-leasetime,cn=leasetime,cn=dhcp,cn=policies,dc=edu,dc=univention,dc=de
    Attribute: univentionDhcpLeaseTimeMin
    Value: 86400
  Policy: cn=default-leasetime,cn=leasetime,cn=dhcp,cn=policies,dc=edu,dc=univention,dc=de
    Attribute: univentionDhcpLeaseTimeMax
    Value: 2592000
  Policy: cn=default-leasetime,cn=leasetime,cn=dhcp,cn=policies,dc=edu,dc=univention,dc=de
    Attribute: univentionDhcpLeaseTimeDefault
    Value: 604800
  Policy: cn=K-MECM.univention.de,cn=boot,cn=dhcp,cn=policies,dc=edu,dc=univention,dc=de
    Attribute: univentionDhcpBootFilename
    Value: SMSBoot/CAS0001C/x64/wdsmgfw.efi
  Policy: cn=K-MECM.univention.de,cn=boot,cn=dhcp,cn=policies,dc=edu,dc=univention,dc=de
    Attribute: univentionDhcpBootServer
    Value: 10.1.10.31
Subnet-based Settings:
  Policy: cn=edu-defaults,cn=dhcp,cn=policies,dc=edu,dc=univention,dc=de
    Attribute: univentionDhcpAuthoritative
    Value: yes
  Policy: cn=default-leasetime,cn=leasetime,cn=dhcp,cn=policies,dc=edu,dc=univention,dc=de
    Attribute: univentionDhcpLeaseTimeMin
    Value: 86400
  Policy: cn=default-leasetime,cn=leasetime,cn=dhcp,cn=policies,dc=edu,dc=univention,dc=de
    Attribute: univentionDhcpLeaseTimeMax
    Value: 2592000
  Policy: cn=default-leasetime,cn=leasetime,cn=dhcp,cn=policies,dc=edu,dc=univention,dc=de
    Attribute: univentionDhcpLeaseTimeDefault
    Value: 604800
  Policy: cn=uni-Schul-NET,cn=routing,cn=dhcp,cn=policies,dc=edu,dc=univention,dc=de
    Attribute: univentionDhcpRouters
    Value: 10.64.32.1
  Policy: cn=uni-DNS,cn=dns,cn=dhcp,cn=policies,dc=edu,dc=univention,dc=de
    Attribute: univentionDhcpDomainNameServers
    Value: 10.1.1.64
  Policy: cn=uni-DNS,cn=dns,cn=dhcp,cn=policies,dc=edu,dc=univention,dc=de
    Attribute: univentionDhcpDomainName
    Value: edu.univention.de
  Policy: cn=uni-pxe-boot,cn=boot,cn=dhcp,cn=policies,dc=edu,dc=univention,dc=de
    Attribute: univentionDhcpBootFilename
    Value: pxelinux.0
  Policy: cn=uni-pxe-boot,cn=boot,cn=dhcp,cn=policies,dc=edu,dc=univention,dc=de
    Attribute: univentionDhcpBootServer
    Value: 10.64.32.2
```

Knowledge base article: https://help.univention.com/t/q-a-applying-dhcp-policies-to-subnets-and-hosts/23333