Problem: DHCP "not authoritative for..."



Kudos @ahrnke and @pepe


/var/log/daemon.log shows entries like

Oct 19 20:09:02 ucs42 dhcpd[7640]: DHCPINFORM from 192.168.156.xx1 via eth0: not authoritative for subnet


The configuration is missing the “authoritative” statement

from man 5 dhcpd.conf:

The authoritative statement


         not authoritative;

         The DHCP server will normally assume that the configuration information about a given network segment is not known to be correct and is not authoritative.  This is so that if a  naive  user
         installs  a  DHCP server not fully understanding how to configure it, it does not send spurious DHCPNAK messages to clients that have obtained addresses from a legitimate DHCP server on the

         Network administrators setting up authoritative DHCP servers for their networks should always write authoritative; at the top of their configuration file to indicate that  the  DHCP  server
         should  send  DHCPNAK  messages  to misconfigured clients.  If this is not done, clients will be unable to get a correct IP address after changing subnets until their old lease has expired,
         which could take quite a long time.

         Usually, writing authoritative; at the top level of the file should be sufficient.  However, if a DHCP server is to be set up so that it is aware of some networks for which it is authorita‐
         tive and some networks for which it is not, it may be more appropriate to declare authority on a per-network-segment basis.

         Note  that  the  most specific scope for which the concept of authority makes any sense is the physical network segment - either a shared-network statement or a subnet statement that is not
         contained within a shared-network statement.  It is not meaningful to specify that the server is authoritative for some subnets within a shared network, but not  authoritative  for  others,
         nor is it meaningful to specify that the server is authoritative for some host declarations and not others.


Command Line

Given that the the DHCP-Service provided by UCS should act as authoritative it is required to add a “DHCP statements” policy as mentioned in Further DHCP policies which at least should contain the “authoritative” configuration.

$ udm policies/dhcp_statements list

DN: cn=default dhcp statements,cn=statements,cn=dhcp,cn=policies,dc=...
  authoritative: yes
  boot-unknown-clients: None
  getLeaseHostnames: None
  ldapFilter: None
  name: default dhcp statements
  pingCheck: None
  serverIdentifier: None
  serverName: None

If there is no policy with an “authoritative” variable you have to create it. Use either web based UMC or use udm as follows:

udm policies/dhcp_statements create --position "cn=policies,dc=domain,dc=de" --set name="DHCP authoritative" --set authoritative=yes

Once the policy is created, attach it to the DHCP service (Again, through UMC or udm):

udm dhcp/service modify --dn ",cn=dhcp,dc=domain,dc=de" --policy-reference  "cn=DHCP authoritative,cn=policies,dc=domain,dc=de"
$ udm dhcp/service list

DN: cn=servicename,cn=dhcp,...
  service: servicename
  univentionPolicyReference: cn=DHCP authoritative,cn=policies,dc=domain,dc=de

Web based with UMC as Web-UI

Navigate to Domain --> DHCP --> RIGHT click on Domain --> select Policies
Select Policy "DHCP Statement” and RIGHT click to Edit Policy
Set “Authoritative” to “Yes


Gelöst: DHCP Meldungen in /var/log/daemon.log