UCS 4.1-2 Release Notes

Release Notes für die Inbetriebnahme und Aktualisierung von Univention Corporate Server (UCS) 4.1-2


Inhaltsverzeichnis

1. Release-Highlights
2. Hinweise zum Update
2.1. Empfohlene Update-Reihenfolge
2.2. UCS-Installations-DVDs nur noch als 64-Bit-Variante
3. Vorbereitung des Updates
4. Nachbereitung des Updates
5. Hinweise zum Einsatz einzelner Pakete
5.1. Erfassung von Nutzungsstatistiken
5.2. Umfang des Sicherheits-Supports von WebKit, Konqueror und QtWebKit
5.3. Empfohlene Browser für den Zugriff auf Univention Management Console
6. Changelog
6.1. General
6.2. Basic system services
6.2.1. Linux kernel and firmware packages
6.2.2. Univention Configuration Registry
6.2.3. Boot Loader
6.3. Univention Management Console
6.3.1. Univention Management Console web interface
6.3.2. Univention Management Console server
6.3.3. Univention App Center
6.3.4. Univention Directory Manager UMC modules and command line interface
6.3.5. Modules for system settings / setup wizard
6.3.6. DNS module
6.3.7. Printers module
6.3.8. Other modules
6.4. Software deployment
6.5. System services
6.5.1. SAML
6.5.2. Univention self service
6.5.3. Kerberos
6.5.4. Apache
6.5.5. PAM / Local group cache
6.6. Services for Windows
6.6.1. Samba
6.6.2. Univention AD Takeover
6.6.3. Univention Active Directory Connection
6.7. Other changes

§Kapitel 1. Release-Highlights

Mit Univention Corporate Server 4.1-2 steht das zweite Point-Release für Univention Corporate Server (UCS) 4.1 zur Verfügung. Es umfasst diverse Detailverbesserungen und Fehlerkorrekturen. Die wichtigsten Änderungen im Überblick:

  • Diverse wichtige Sicherheitsupdates wurden in UCS 4.1-2 integriert, u.a. für Samba, Apache, OpenSSL und die GNU C-Bibliothek (glibc).

  • Das Update auf Samba 4.3.7 beinhaltet diverse Sicherheitsaktualisierungen. Zusätzlich wurden diverse Fehler behoben, bspw. werden fehlgeschlagene Anmeldeversuche nun korrekt gezählt.

  • Der Active Directory Connector verwendet für die Synchronisation der Passwort-Hashes nun Standard-Schnittstellen des Active Directory. Dadurch entfällt der Passwort-Synchronisationsdienst auf Windows-Seite.

  • Das Erscheinungsbild der Apps im Univention App Center wurde überarbeitet und verbessert, u.a. werden nun die Lizenzbedingungen der Apps angezeigt.

§Kapitel 2. Hinweise zum Update

Während der Aktualisierung kann es zu temporären Ausfällen von Diensten innerhalb der Domäne kommen. Aus diesem Grund sollte das Update innerhalb eines Wartungsfensters erfolgen. Grundsätzlich wird empfohlen, das Update zunächst in einer Testumgebung einzuspielen und zu testen. Die Testumgebung sollte dabei identisch zur Produktivumgebung sein. Je nach Systemgeschwindigkeit, Netzwerkanbindung und installierter Software kann das Update zwischen 20 Minuten und mehreren Stunden dauern.

§2.1. Empfohlene Update-Reihenfolge

In Umgebungen mit mehr als einem UCS-System muss die Update-Reihenfolge der UCS-Systeme beachtet werden:

Auf dem Domänencontroller Master wird die maßgebliche (authoritative) Version des LDAP-Verzeichnisdienstes vorgehalten, die an alle übrigen LDAP-Server der UCS-Domäne repliziert wird. Da bei Release-Updates Veränderungen an den LDAP-Schemata auftreten können, muss der Domänencontroller Master bei einem Release-Update immer als erstes System aktualisiert werden.

§2.2. UCS-Installations-DVDs nur noch als 64-Bit-Variante

UCS-Installations-DVDs werden ab UCS 4 nur noch für 64-Bit-Architekturen bereitgestellt. Vorhandene 32-Bit UCS 3 Systeme können weiterhin über das Online Repository oder über Update DVDs auf UCS 4 aktualisiert werden. Die 32-Bit-Architektur wird für die gesamte UCS 4 Maintenance noch unterstützt.

§Kapitel 3. Vorbereitung des Updates

Es sollte geprüft werden, ob ausreichend Festplattenplatz verfügbar ist. Eine Standard-Installation benötigt min. 6 GB Speicherplatz. Das Update benötigt je nach Umfang der vorhanden Installation ungefähr 2 GB weiteren Speicherplatz zum Herunterladen und Installieren der Pakete.

Für das Update sollte eine Anmeldung auf der lokalen Konsole des Systems mit dem Benutzer root durchgeführt und das Update dort gestartet werden. Alternativ kann das Update über Univention Management Console durchgeführt werden.

Eine Remote-Aktualisierung über SSH wird nicht empfohlen, da dies beispielsweise bei Unterbrechung der Netzverbindung zum Abbruch des Update-Vorgangs und zu einer Beeinträchtigung des Systems führen kann. Sollte dennoch eine Aktualisierung über eine Netzverbindung durchgeführt werden, ist sicherzustellen, dass das Update bei Unterbrechung der Netzverbindung trotzdem weiterläuft. Hierfür können beispielsweise die Tools screen oder at eingesetzt werden, die auf allen UCS Systemrollen installiert sind.

§Kapitel 4. Nachbereitung des Updates

Nach dem Update müssen die neuen oder aktualisierten Join-Skripte ausgeführt werden. Dies kann auf zwei Wegen erfolgen: Entweder über das UMC-Modul Domänenbeitritt oder durch Aufruf des Befehls univention-run-join-scripts als Benutzer root.

Anschließend muss das UCS-System neu gestartet werden.

§Kapitel 5. Hinweise zum Einsatz einzelner Pakete

§5.1. Erfassung von Nutzungsstatistiken

Bei Verwendung der UCS Core Edition (die in der Regel für Evaluationen von UCS herangezogen wird) werden anonyme Nutzungsstatistiken zur Verwendung von Univention Management Console erzeugt. Die aufgerufenen Module werden dabei von einer Instanz des Web-Traffic-Analyse-Tools Piwik protokolliert. Dies ermöglicht es Univention die Entwicklung von Univention Management Console besser auf das Kundeninteresse zuzuschneiden und Usability-Verbesserungen vorzunehmen.

Diese Protokollierung erfolgt nur bei Verwendung der UCS Core Edition. Der Lizenzstatus kann überprüft werden durch den Eintrag Lizenz -> Lizenzinformation des Benutzermenüs in der rechten, oberen Ecke von Univention Management Console. Steht hier unter Lizenztyp der Eintrag UCS Core Edition wird eine solche Edition verwendet. Bei Einsatz einer regulären UCS-Lizenz erfolgt keine Teilnahme an der Nutzungsstatistik.

Die Protokollierung kann unabhängig von der verwendeten Lizenz durch Setzen der Univention Configuration Registry-Variable umc/web/piwik auf false deaktiviert werden.

§5.2. Umfang des Sicherheits-Supports von WebKit, Konqueror und QtWebKit

WebKit, Konqueror und QtWebKit werden in UCS im maintained-Zweig des Repositorys mitgeliefert, aber nicht durch Sicherheits-Updates unterstützt. WebKit wird vor allem für die Darstellung von HTML-Hilfeseiten u.ä. verwendet. Als Web-Browser sollte Firefox eingesetzt werden.

§5.3. Empfohlene Browser für den Zugriff auf Univention Management Console

Univention Management Console verwendet für die Darstellung der Web-Oberfläche zahlreiche JavaScript- und CSS-Funktionen. Cookies müssen im Browser zugelassen sein. Die folgenden Browser werden empfohlen:

  • Chrome ab Version 37

  • Firefox ab Version 38

  • Internet Explorer ab Version 11

  • Safari und Safari Mobile ab Version 9

Auf älteren Browsern können Darstellungs- oder Performanceprobleme auftreten.

§Kapitel 6. Changelog

Die Changelogs mit den detaillierten Änderungsinformationen werden nur in Englisch gepflegt. Aufgeführt sind die Änderungen seit UCS 4.1-1:

§6.2. Basic system services

§6.2.1. Linux kernel and firmware packages

  • The mount-point option no_mbcache has been added for ext4 file systems to disable the Filesystem Meta Information Block Cache (mbcache). The cache is used to manage shared Extended Attributes (EAs), which are also used to store Access Control Lists (ACLs) for files and directories. For some work-loads which use EAs with many different values the cache has performance issues and can dead-lock the system in certain cases. Samba is one example which uses EAs to store the DOS attributes and NT ACLs. The cache can be disabled by re-mounting the file system using mount -o remount,no_mbcache "$fs" or by adding the option no_mbcache in /etc/fstab and rebooting the system (Bug 41054).
  • The meta packages for the non-PAE i486 kernel image and header files have been removed (Bug 40912).

§6.2.2. Univention Configuration Registry

  • Service information files in /etc/univention/service.info/services are now only considered if they carry the filename suffix .cfg. The behavior is now similar to the treatment of UCR info files. (Bug 40383).

§6.2.3. Boot Loader

  • On UCS systems booting via BIOS, an error would happen if debconf grub-pc/install_devices contains a wrong device. If it contains a wrong device the GRUB installation happens but fails, leading to an inconsistent installation between /boot/grub and the GRUB directly on the disk. This makes the system not bootable. This update checks all devices in grub-pc/install_devices, removing invalid devices. Additionally a guess is made for the correct boot device which will be added to grub-pc/install_devices if grub-pc/install_devices is currently empty or there were invalid devices. If any changes were made, grub-install is run on all devices in grub-pc/install_devices. See also SDB 1356 and SDB 1357. (Bug 40654, Bug 40660).
  • Localization of the GRUB boot menu has been disabled. The title string gets translated to the preferred language of the user triggering menu generation process. This breaks selecting a boot kernel through the Univention Configuration Registry variable grub/default, as it doesn't work on systems using a different language (Bug 41046).
  • Remove extra argument to grub-mkdevicemap as it is not needed (Bug 40586).
  • The menu titles are now quoted to allow strings containing blanks (Bug 25157).
  • Disable saving the selection by default as it is not supported on all file systems (Bug 40557).
  • Add support to configure serial console support through the Univention Configuration Registry variables grub/terminal and grub/serialcommand. Thanks to Lutz Willek for the patch (Bug 40596).

§6.3. Univention Management Console

§6.3.1. Univention Management Console web interface

  • If error messages contained a "%" they weren't displayed in UMC. This issue has been fixed (Bug 40749).
  • The expiration date has been increased by 5 years. This results in a traceback during the login on the 29th of February. This issue has been fixed (Bug 40790).
  • It's now possible to use multiple languages in one session when using HTTP basic authentication (via command line) (Bug 40806).
  • The umc.store API allows to contain Arrays in query requests now (Bug 38639).
  • An error in the comparison function umc.tools.cmpObjects which could cause that e.g. sorting the grid header wasn't possible anymore has been fixed (Bug 35407).
  • The location where UMC redirects after logout is now configurable via the Univention Configuration Registry variable umc/logout/location (Bug 40613).
  • The UMC login page does not warn about an insecure connection when logging in from the same machine the UMC runs on (Bug 40638).
  • Error dialogs concerning Piwik are now suppressed (Bug 30822).
  • Ensure that the first non-empty UMC category is shown at startup (Bug 40923).
  • Add a hook interface for other packages for extending the behavior of UMC (Bug 40118).
  • The user menu in the UMC is now more touch-friendly for small screens and the use on mobile devices (Bug 38622).
  • The context menu for links is now working as expected (Bug 40939).
  • Wizards are now scrolling to the top when switching the page (Bug 40939).
  • Minor bugfixes for the widget LinkList to accept static values (Bug 41081).
  • The context menu for link tiles in the UMC overview is now correctly displayed (Bug 41087).
  • Module tiles in the UMC overview are now correctly flagged favorites (Bug 41161).

§6.3.2. Univention Management Console server

  • A UMC server crash is prevented which might happen during session timeout (Bug 40627).
  • The property translationId for UMC XML files was previously only evaluated for UMC module flavors. With this update, translationId is also correctly evaluated for module and link entries (Bug 40930).
  • The UMC server process now runs with 64512 maximum number of opened files. The robustness of the UMC server has been enhanced (Bug 39909).

§6.3.3. Univention App Center

  • Docker Apps now do not have their repository removed in the container (Bug 40315).
  • Upgrading Apps now does not lead to an error just after the installation of packages (Bug 40674).
  • Upgrading Apps now does not lead to an error when upgrading their master packages (Bug 40713).
  • The application information like vendor, description were HTML encoded twice at some places (Bug 35324).
  • If no package changes are detected an application could not be upgraded (Bug 40005).
  • The error handling of the apps module has been improved (Bug 40797).
  • The application metadata are ensured to be updated before installing or upgrading an application. This prevents errors when installing applications on remote hosts (Bug 40804).
  • Apps may define ports they want to occupy exclusively. Docker Apps checked before installation whether an already installed App excepts exclusive access to one of these ports. This check has been extended to Non-Docker Apps (Bug 40508).
  • Apps now show general information about the terms under which the software may be used. If the App ships a license file, it may be read before and after installation (Bug 40428).
  • Internal adaptations have been added to allow for extending App Center functionalities (Bug 40827).
  • univention-register-apps now uses the new App Center API and has been deprecated (Bug 40754).
  • An error during loading the App Center cache has been fixed which prevented using the App Center when the cache file was corrupted (Bug 40875).
  • Malformed files for meta information could cause the App Center to show a traceback. This has been fixed, those files are ignored now (Bug 40874).
  • Upon upgrading the App Center software package, the App cache could get outdated. This caused an error in the App Center in some cases (Bug 40882).
  • Improved the image gallery in the details page of an app. The handling of YouTube videos has been improved and enlarging thumbnails is smoother (Bug 39794).
  • A help text still mentioned the Free-for-personal-Use Edition. This has been replaced with the UCS Core Edition (Bug 38530).
  • The overview of software changes has been enhanced (Bug 39896).
  • A margin has been added to the footer buttons of the installation error page (Bug 39907).
  • Join scripts and unjoin scripts are now correctly removed while installing and uninstalling an App (Bug 40879).
  • Minor code changes make other projects easier that rely on the App Center (Bug 40943).
  • univention-app shell now correctly exits with the exit code of the called command (Bug 40550).
  • univention-app installed unsigned packages. This issue has been fixed (Bug 40861).
  • The Package Management module can be opened via hash again (Bug 40991).
  • Details of software packages can be shown again (Bug 40992).
  • The installation status of Docker Apps was determined incorrectly by certain functions of the App Center. This has been fixed (Bug 41009).
  • Join scripts of Docker Apps are run via univention-run-join-scripts instead of being called directly (Bug 40984).
  • The certificate of the App Center server is now always validated in HTTPS connections (Bug 30620).
  • When extracting new App meta data, the permissions are set explicitly for these files instead of relying on the archive (Bug 41029).
  • Some images were not shown in Internet Explorer. This issue has been resolved (Bug 39927).
  • The parameter for creating a Docker Container can now be adjusted by the App (Bug 41062).
  • Additional App files of installed Apps are now also updated (Bug 39368).

§6.3.4. Univention Directory Manager UMC modules and command line interface

  • Some LDAP search requests have been optimized in the handler modules (Bug 40651).
  • In situations where the IP address of a created computer contained two equal blocks (e.g. 10.10.20.0/24) invalid pointer records were created. This issue has been fixed (Bug 39030).
  • The layout of DNS service and text records have been adjusted to be more readable (Bug 40775).
  • It is now prevented to create extended attributes for users with required fields without specifying a default value. Those extended attributes caused problems during upgrading to UCS 4.1 or installing various apps (Bug 40824).
  • The search filter for name in the dns/dns module now also finds zones and pointer records (Bug 23804).
  • The search filter for dhcpPermitList in the dhcp/pool lookup function has been fixed (Bug 39343).
  • The search filter for fqdn has been adapted so it can be used to search for multiple computers (Bug 34327).
  • Some columns which show more information in the grid of UMC have been added to the DNS handler modules (Bug 38639).
  • The error message for malformed paths in shares has been improved (Bug 41040).
  • Multiple modules allowed to select special Docker host objects when it came to choosing a computer object. This option has been removed as it makes no sense (Bug 41041).
  • importing the python modules of univention.admin doesn't depend on the order or previous imports anymore (Bug 33359).
  • The correct referencing objects are now shown in a policy. Previously caching caused wrong objects to be shown (Bug 33344).
  • A link that redirects to the subscription prices for UCS on the Univention website has been added to the license dialog of UCS core editions (Bug 41174).
  • Searching for a specific object type underneath of cn=univention in the LDAP directory did not yield results and has been repaired (Bug 32843).
  • Searching for properties which require an exact match did not work because the LDAP filter was prepended with *. The search for e.g. the gidNumber of a group is now possible again (Bug 37904).
  • Searching for properties using the LDAPSearch syntax class caused a traceback. This issue has been fixed (Bug 38635).
  • The users/self module can now be activated again via setting the Univention Configuration Registry variable umc/module/udm/users/self/disabled to false (Bug 39016).

§6.3.5. Modules for system settings / setup wizard

  • Access restrictions on non DC master App Appliances have been corrected in the system activation package (Bug 39700).
  • App Appliances now ensure that the UCS domain they join has an activated license (Bug 39700).
  • The virtual keyboard to enter special characters now supports touch devices (Bug 40572).
  • The initial setup used a script to update the App Center files that failed under certain circumstances. Now a script is called that works in unjoined environments (Bug 40897).
  • The detection of a docker environment caused the PXE installation to fail. This issue has been fixed (Bug 41143).
  • The list of supported browser versions which is displayed on the console upon login to a UCS system (message of the day) has been updated (Bug 40580).

§6.3.6. DNS module

  • The PTR record entries are now sorted numerical in the overview of a reverse zone (Bug 40747).
  • The DNS module now displays more information in the grid columns and forward zones are now shown before reverse zones in the tree view (Bug 38639).

§6.3.7. Printers module

  • Performance of the UMC print quota overview has been improved (Bug 33792).

§6.3.8. Other modules

  • Hosts which are docker containers are now excluded from the check in the diagnostic module if the SSH connection to these hosts is possible (Bug 40563).

§6.4. Software deployment

  • The preup.sh and postup.sh scripts have been updated to match UCS-4.1-2 (Bug 41157).
  • Linux 4.1 kernel package are now also considered for removal an upgrades (Bug 40748).
  • The change from HTTP to HTTPS breaks the old updater from UCS-4.0-4, which is still running after the update to 4.1-0. As such all updates stop there. Running the same command again continues installing updates, as then the new updater is used. This update fixes this problem by re-executing the updater after each update to guarantee, that the latest version is always used (Bug 40338).
  • The dists/**/Packages* files created for local repositories did contain multiple entries for the same package. This breaks the Debian installer and other tools like debootstrap, which use a simpler implementation than APT. A filter has been added to filter out old versions and duplicate entries (Bug 40932).
  • Software package versions from the current release are preferred over packages from previous releases even when they are newer (Bug 41083).
  • The version patchlevel is now set to the correct value in the package univention-updater (Bug 41165).
  • The detection of the local repository prefix has been fixed (Bug 41166).

§6.5. System services

§6.5.1. SAML

  • The joinscript uses cURL instead of wget to configure SAML service provider setting to prevent conflicts with old SHA-1 or MD5 SSL certificates (Bug 40658).
  • A unjoin-script has been added which removes the SAML configuration for UMC (Bug 40738).
  • The creation of the internal SAML LDAP user ignores extended attributes now (Bug 40741).
  • The extended attribute for the SAML service provider can now be used in user templates (Bug 40895).

§6.5.2. Univention self service

  • The robustness and performance have been increased by not forking a UMC module process on each HTTP request (Bug 40799).

§6.5.3. Kerberos

  • The Univention Configuration Registry variable description for kerberos/autostart did not clearly explain that this variable needs to remain set to no on Samba4/AD DCs (Bug 40383).

§6.5.4. Apache

  • Some links in the footer of the UCS overview site have been changed (Bug 41175).

§6.5.5. PAM / Local group cache

  • The time limit of ldap searches in libnss-ldap is now configurable via the Univention Configuration Registry variable nssldap/timelimit and defaults to 30 seconds. This prevents hanging UMC server processes when changing network and IP settings in certain circumstances (Bug 40968).

§6.6. Services for Windows

§6.6.1. Samba

  • In case an account locking password policy has been defined for the domain, e.g. via samba-tool domain passwordsettings, the badPwdCount increased in steps of two for each failed login attempt at a Windows client (Bug 40328).
  • The patch for CVE-2015-5252 caused a regression for the special share path /. This issue has been fixed (Bug 40847).
  • This update sets the new smb.conf option ldap server require strong auth to allow_sasl_over_tls. Additionally it configures tls verify peer to ca_and_name. The raised security requirements of Samba server components may require configuration adjustments for older clients. Univention Corporate Client (UCC) 1.0 running a Linux kernel version prior to 3.8 for example require an adjustment of the mount.cifs options. In that case the value for mount option sec needs to be adjusted to ntlmsspi, e.g. by setting ucr set ucc/mount/cifshome/options="serverino,sec=ntlmsspi". UCC 2.x clients (i.e. Linux kernel above 3.8) don't require this adjustment (Bug 40988).
  • This update makes additional smb.conf options configurable via Univention Configuration Registry: samba/ntlm/auth, samba/server/signing samba/tls/verify/peer samba/tls/priority samba/tls/dh/params/file and samba/ldap/server/require/strong/auth (Bug 41034).

§6.6.2. Univention AD Takeover

  • The Active Directory takeover fails if the Active Directory NetBIOS domain name is unusual. This issue has been fixed (Bug 39070).

§6.6.3. Univention Active Directory Connection

  • Support for synchronization of the OpenLDAP attribute mailAlternativeAddress with the AD attribute proxyAddresses has been added. This can be switched on for users and groups individually by the new pair of Univention Configuration Registry variables connector/ad/mapping/user/alternativemail and connector/ad/mapping/group/alternativemail (Bug 40357).
  • The synchronization of the password hashes was implemented by using a service which was installed on the Microsoft Active Directory server. The Univention AD Connector now uses different interfaces of the Active Directory for reading and writing the password hashes. That means, the UCS AD Connector service which is installed on the Microsoft Active Directory server can be stopped after installing this update (Bug 40745).
  • If a user was moved on UCS side, the group cache wasn't always updated and an error occurred. This issue has been fixed (Bug 41028).
  • The AD Connector is now restarted after rotating the AD Connector log files (Bug 32265).

§6.7. Other changes

  • Various issues have been fixed in ucslint which checks a source package for errors (Bug 40386, Bug 40639, Bug 40647).
  • Plymouth now uses the framebuffer renderer as default (Bug 40715).