Univention Bugzilla – Bug 20222
DHCP policy statements applied to wrong DHCP types
Last modified: 2019-04-17 14:07:11 CEST
DHCP policies can be bound to various DHCP objects such as

objectClass: dhcpServer
objectClass: dhcpSharedNetwork
objectClass: univentionDhcpHost
objectClass: univentionDhcpService
objectClass: univentionDhcpSharedSubnet
objectClass: univentionDhcpSubnet

This leads to the statements generated by the policies being emitted at positions in the live-generated configuration file where they are not allowed. In particular, the allow/deny policies must not be bound to univentionDhcpService. (There are more cases, but I cannot recall them right now.) When generating the live configuration file, the statements should, wherever possible, only be generated when they are actually valid at that position, since otherwise linking policies to univentionDhcpService very quickly leads to broken configurations and the DHCPd no longer starts. Empty values also sometimes lead to a missing value inside a statement, which confuses the parser:

filename "pxelinux.0";
option domain-name "multiselektivrep.test";
option domain-name-servers ;
                           ^ ERROR

To debug such broken configuration files it is helpful to extract the generated lines from /var/log/syslog and look for the errors there; in particular, the line numbers given in syslog then make sense again:

sed -ne "s/.*dhcpd: Sending config line '\(.*\)'/\1/" -e T -e 's/#DHCP Service /\n/' -e 's/\([;{]\) /\1\n/g' -e 's/\n*' -e p /var/log/syslog
From the patch 50_dhcp_policy.patch for dhcp3, function univention_parse_policy(...):

+ case STATEMENT_NORMAL:
+ /* Add comma separated list of attribute values after statement name */
+ strncat(buf, dhcp_name, bufsize);
+ strncat(buf, " ", bufsize);
+ for (i=0; presult->values[i] != NULL; i++) {
+ if (i > 0)
+ strncat(buf, ", ", bufsize);
+ if (quotes)
+ strncat(buf, "\"", bufsize);
+ strncat(buf, presult->values[i], bufsize);
+ if (quotes)
+ strncat(buf, "\"", bufsize);
+ }
+ strncat(buf, ";\n", bufsize);
+ break;

Here dhcp_name (==> "option domain-name-servers") is always inserted and terminated with ";\n", even when presult->values[0] == NULL (==> the list is empty). That then leads to wrong config entries. STATEMENT_REVERSE should be checked as well; at first glance it does not look any more correct.
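Review bot: the STATEMENT_NORMAL branch needs an early check such as `if (presult->values[0] == NULL) break;` before the first `strncat(buf, dhcp_name, bufsize);`, otherwise an attribute without values still emits `option domain-name-servers ;`, which is exactly the parse error shown in the report. Separately, every `strncat(buf, ..., bufsize)` call passes the whole buffer size as the limit; strncat's third argument caps only the piece being appended, not the total length of buf, so a long value list can write past the end of buf. Track the remaining space (bufsize minus the current length minus one) or append with snprintf at an offset, and apply the same two fixes to STATEMENT_REVERSE.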
Created attachment 2729: syslog2dhcpd.conf, a sed script to extract the dhcpd.conf from /var/log/syslog
*** Bug 20578 has been marked as a duplicate of this bug. ***
Inside a pool{} statement the following statements, among others, are illegal: deny client-updates; ddns-hostname
For univentionDhcpAuthoritative only the following makes sense: if (context & (CONTEXT_SHARED_NETWORK | CONTEXT_SUBNET | CONTEXT_SERVICE))
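As an added example (not code from the Univention patch or from isc-dhcp), here is a hardened rewrite of the STATEMENT_NORMAL branch quoted earlier: it emits nothing when the LDAP attribute has no values, gates the statement on the context bitmask the way the authoritative/pool checks in the comments do, and tracks remaining buffer space instead of passing bufsize to strncat. The CONTEXT_* values and the function name are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Context bits modelled on the CONTEXT_* flags in the patch; the numeric
 * values are assumptions, only the bitmask semantics matter. */
enum context {
    CONTEXT_SERVICE        = 1 << 0,
    CONTEXT_SHARED_NETWORK = 1 << 1,
    CONTEXT_SUBNET         = 1 << 2,
    CONTEXT_POOL           = 1 << 3,
    CONTEXT_HOST           = 1 << 4
};

/* Hypothetical replacement for the STATEMENT_NORMAL branch: appends
 * "<name> v1, v2, ...;\n" to buf. Returns the number of characters
 * appended, 0 when the statement is skipped (not valid in this context,
 * or the attribute has no values), -1 when it would not fit. On -1 the
 * partial text is removed again, so buf is either complete or unchanged.
 * Remaining space is tracked explicitly; strncat(buf, s, bufsize) as in
 * the patch limits only the appended piece, not the total, and can overrun. */
int emit_policy_statement(char *buf, size_t bufsize, unsigned context,
                          unsigned allowed, const char *name,
                          const char *const *values, int quotes)
{
    size_t start = strlen(buf), used = start;
    int n, i;

    if (!(context & allowed))                 /* statement not valid here */
        return 0;
    if (values == NULL || values[0] == NULL)  /* empty attribute: emit nothing */
        return 0;

    n = snprintf(buf + used, bufsize - used, "%s", name);
    if (n < 0 || (size_t)n >= bufsize - used) goto overflow;
    used += (size_t)n;
    for (i = 0; values[i] != NULL; i++) {
        n = snprintf(buf + used, bufsize - used, "%s%s%s%s", i ? ", " : " ",
                     quotes ? "\"" : "", values[i], quotes ? "\"" : "");
        if (n < 0 || (size_t)n >= bufsize - used) goto overflow;
        used += (size_t)n;
    }
    n = snprintf(buf + used, bufsize - used, ";\n");
    if (n < 0 || (size_t)n >= bufsize - used) goto overflow;
    return (int)(used + (size_t)n - start);

overflow:
    buf[start] = '\0';   /* drop the partial statement rather than ship a truncated one */
    return -1;
}
```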
This issue has been filed against UCS 2.4. UCS 2.4 is out of maintenance and many UCS components have vastly changed in later releases. Thus, this issue is now being closed. If this issue still occurs in newer UCS versions, please use "Clone this bug". In this case please provide detailed information on how this issue is affecting you.
*** Bug 23402 has been marked as a duplicate of this bug. ***
DHCP policy "policies/dhcp_scope" cannot be applied to dhcp/pool, but its value for "unknownClients" is still affecting it.

ucs/management/univention-directory-manager-modules/modules/univention/admin/handlers/policies/dhcp_scope.py:65
> policy_apply_to = ["dhcp/service", "dhcp/subnet", "dhcp/host", "dhcp/sharedsubnet", "dhcp/shared"]

From a950995fd047f273ca2b729b2b3e921acefba0ba Mon Sep 17 00:00:00 2001
Message-Id: <a950995fd047f273ca2b729b2b3e921acefba0ba.1542702578.git.hahn@univention.de>
From: Philipp Hahn <hahn@univention.de>
Date: Tue, 20 Nov 2018 09:28:29 +0100
Subject: [PATCH] Bug #20222: remove univentionDhcpUnknownClients for pools

---
 server/ldap.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/server/ldap.c b/server/ldap.c
index c6c1ce3b..e71d68fa 100644
--- a/server/ldap.c
+++ b/server/ldap.c
@@ -645,7 +645,7 @@ univention_parse_policies (enum CONTEXT context, LDAPMessage * ent, struct parse univention_parse_policy(phandle, "univentionDhcpLeaseTimeMax", "max-lease-time", NULL, 0, STATEMENT_NORMAL, cfile); if (context & (CONTEXT_CLASS | CONTEXT_SUBCLASS | CONTEXT_HOST | CONTEXT_SHARED_NETWORK | CONTEXT_SUBNET | CONTEXT_POOL | CONTEXT_GROUP | CONTEXT_SERVICE)) // Bug #20222 univention_parse_policy(phandle, "univentionDhcpLeaseTimeDefault", "default-lease-time", NULL, 0, STATEMENT_NORMAL, cfile); - if (context & (CONTEXT_CLASS | CONTEXT_SUBCLASS | CONTEXT_HOST | CONTEXT_SHARED_NETWORK | CONTEXT_SUBNET | CONTEXT_POOL | CONTEXT_GROUP | CONTEXT_SERVICE)) // Bug #20222 + if (context & (CONTEXT_CLASS | CONTEXT_SUBCLASS | CONTEXT_HOST | CONTEXT_SHARED_NETWORK | CONTEXT_SUBNET | CONTEXT_GROUP | CONTEXT_SERVICE)) // Bug #20222 univention_parse_policy(phandle, "univentionDhcpUnknownClients", "unknown-clients", NULL, 0, STATEMENT_REVERSE, cfile); if (context & (CONTEXT_CLASS | CONTEXT_SUBCLASS | CONTEXT_HOST | CONTEXT_SHARED_NETWORK | CONTEXT_SUBNET | CONTEXT_GROUP | CONTEXT_SERVICE)) // Bug #20222 univention_parse_policy(phandle, "univentionDhcpBootp", "bootp", NULL, 0, STATEMENT_REVERSE, cfile); -- 2.11.0
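Review bot: dropping CONTEXT_POOL from the univentionDhcpUnknownClients gate is the right one-line fix for this report, but the validity rule per statement is now spread over a series of hand-copied bitmasks each tagged "// Bug #20222" (the unknown-clients and bootp lines now carry the identical mask, the default-lease-time line above still includes CONTEXT_POOL). Define the masks once with descriptive names, e.g. one for "everything except pool", and reuse them, so the next statement that must be excluded from a context is a one-token change and the comment trail can go. Note also that this hunk only addresses placement; the empty-value defect in univention_parse_policy described earlier in this bug (a statement emitted with no values) is untouched and still needs its own fix.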
r18525 | Bug #20222 dhcp: unknownClients @ -POOL

Package: isc-dhcp
Version: 4.3.5-3+deb9u1A~4.4.0.201903251533
Branch: ucs_4.4-0
Scope: errata4.4-0

[4.4-0] 3a9e33d784 Bug #20222: isc-dhcp 4.3.5-3+deb9u1A~4.4.0.201903251533
 doc/errata/staging/isc-dhcp.yaml | 12 ++++++++++++
 1 file changed, 12 insertions(+)

QA: ~/BUG/20222-dhcp-policy.sh
@arvid, sorry I couldn't make it, please find somebody else for QA if this is important
Ok, works. Once activated the log file /var/log/dhcp-ldap-startup.log shows that the pool config now has "deny known clients;" instead of "deny unknown clients;" after using UMC to configure the pool as described in the ticket. Advisory: Ok. Note: It's a bit ugly that the 30_policy.quilt file still contains 27 comments referencing this bug. But apparently there are still things to be improved, so we better keep the "pointer" to this bug there.
<http://errata.software-univention.de/ucs/4.4/48.html>