UCS 4.1-5 Release Notes

Release notes for the installation and update of Univention Corporate Server (UCS) 4.1-5


Table of Contents

1. Release Highlights
2. Notes on the Update
2.1. Recommended Update Order
2.2. UCS Installation DVDs Only Available as 64-Bit Variant
3. Preparing the Update
4. Post-Update Steps
5. Notes on the Use of Individual Packages
5.1. Collection of Usage Statistics
5.2. Scope of Security Support for WebKit, Konqueror and QtWebKit
5.3. Recommended Browsers for Accessing Univention Management Console
6. Changelog
6.1. General
6.2. Basic system services
6.2.1. Univention Configuration Registry
6.3. Domain services
6.3.1. OpenLDAP
6.4. Univention Management Console
6.4.1. Univention Management Console web interface
6.4.2. Univention App Center
6.4.3. Univention Directory Manager UMC modules and command line interface
6.4.4. Modules for system settings / setup wizard
6.4.5. Univention Directory Reports
6.4.6. License module
6.4.7. Software update module
6.4.8. Policies
6.5. Software deployment
6.6. System services
6.6.1. Mail services
6.6.2. SSL
6.6.3. Proxy services
6.6.4. Apache
6.7. Virtualization
6.7.1. Univention Virtual Machine Manager (UVMM)
6.8. Container Technologies
6.9. Services for Windows
6.9.1. Samba
6.9.2. Univention S4 Connector
6.9.3. Univention Active Directory Connection
6.10. Other changes

Chapter 1. Release Highlights

Univention Corporate Server 4.1-5 is the fifth point release for Univention Corporate Server (UCS) 4.1. It includes various detail improvements and bug fixes. The most important changes at a glance:

  • Samba has been updated with important security updates.

  • The Linux kernel has been updated to the latest stable 4.1 long-term kernel. It includes various security updates, stability improvements, and newer and updated drivers for improved hardware support.

  • The start-up time of the App Center UMC module has been improved. This optimization is achieved by differential downloading of updated data from the App Center server using zsync.

Chapter 2. Notes on the Update

During the update, services within the domain may be temporarily unavailable. For this reason the update should be performed within a maintenance window. In general it is recommended to install and test the update in a test environment first. The test environment should be identical to the production environment. Depending on system speed, network connection and installed software, the update can take between 20 minutes and several hours.

2.1. Recommended Update Order

In environments with more than one UCS system, the update order of the UCS systems must be observed:

The domain controller master holds the authoritative version of the LDAP directory service, which is replicated to all other LDAP servers of the UCS domain. Since release updates may change the LDAP schemas, the domain controller master must always be the first system to be updated during a release update.

2.2. UCS Installation DVDs Only Available as 64-Bit Variant

As of UCS 4, UCS installation DVDs are only provided for 64-bit architectures. Existing 32-bit UCS 3 systems can still be updated to UCS 4 via the online repository or via update DVDs. The 32-bit architecture remains supported for the entire UCS 4 maintenance period.

Chapter 3. Preparing the Update

It should be checked that sufficient disk space is available. A standard installation requires at least 6 GB of disk space. Depending on the size of the existing installation, the update requires approximately 2 GB of additional disk space for downloading and installing the packages.

For the update, you should log in on the local console of the system as user root and start the update there. Alternatively, the update can be performed via Univention Management Console.

A remote update via SSH is not recommended, since for example an interruption of the network connection can abort the update process and impair the system. If an update is nevertheless performed over a network connection, it must be ensured that the update keeps running even if the network connection is interrupted. The tools screen or at, which are installed on all UCS system roles, can be used for this purpose.

Chapter 4. Post-Update Steps

After the update, the new or updated join scripts must be executed. This can be done in two ways: either via the UMC module Domain join or by running the command univention-run-join-scripts as user root.

Afterwards, the UCS system must be restarted.

Chapter 5. Notes on the Use of Individual Packages

5.1. Collection of Usage Statistics

When using the UCS Core Edition (which is usually used for evaluations of UCS), anonymous usage statistics on the use of Univention Management Console are generated. The modules opened are logged by an instance of the web traffic analysis tool Piwik. This allows Univention to tailor the development of Univention Management Console more closely to customer interest and to make usability improvements.

This logging only takes place when the UCS Core Edition is used. The license status can be checked via the entry License -> License information in the user menu in the upper right corner of Univention Management Console. If UCS Core Edition is shown under License type, such an edition is in use. When a regular UCS license is used, there is no participation in the usage statistics.

Regardless of the license in use, the logging can be disabled by setting the Univention Configuration Registry variable umc/web/piwik to false.

5.2. Scope of Security Support for WebKit, Konqueror and QtWebKit

WebKit, Konqueror and QtWebKit are shipped in the maintained branch of the UCS repository, but are not covered by security updates. WebKit is mainly used for rendering HTML help pages and the like. Firefox should be used as the web browser.

5.3. Recommended Browsers for Accessing Univention Management Console

Univention Management Console uses numerous JavaScript and CSS features to render the web interface. Cookies must be enabled in the browser. The following browsers are recommended:

  • Chrome version 37 or later

  • Firefox version 38 or later

  • Internet Explorer version 11 or later

  • Safari and Safari Mobile version 9 or later

Display or performance problems may occur on older browsers.

Chapter 6. Changelog

The changelogs with detailed change information are only maintained in English. The changes since UCS 4.1-4 are listed below:

6.1. General

6.2. Basic system services

6.2.1. Univention Configuration Registry

  • The functionality to manage services has been changed to ignore processes running in a Docker container (Bug 40659).

6.3. Domain services

6.3.1. OpenLDAP

  • OpenLDAP has been re-built to make it Multi-Arch-aware (Bug 41558).

6.4. Univention Management Console

6.4.1. Univention Management Console web interface

  • Some help dialogs in the UMC were not displayed correctly. This has been fixed (Bug 43084).
  • The maximum request size can now be configured via the Univention Configuration Registry variable umc/http/max_request_body_size (Bug 42357).
  • The login dialog after a session timeout is now centered on the viewport instead of at the top of the page, so that login is possible immediately without scrolling to the top (Bug 40492).
  • The UMC overview page shows a banner that links to the Univention Summit website (Bug 42979).
  • Erroneous pop-ups when clicking a non-UMC module link on the overview page are no longer generated (Bug 42980).

6.4.2. Univention App Center

  • The App Center now uses a different directory for special temporary files of Docker Apps to avoid problems with sysvinit's tmp cleanup (Bug 44387).
  • Notifications about App updates of Docker Apps were not sent. This has been corrected (Bug 44148).
  • When an App sets its HTTP port to 0, the HTTP link in the App Center and the ucs-overview link are disabled (Bug 43657).
  • A bug in detecting apps on domain hosts has been fixed (Bug 41801).
  • Docker Apps now support opening UDP ports (Bug 43108).
  • In case the App Center runs in container mode, join scripts etc. are not copied to the system (Bug 42934).
  • The backend now correctly determines whether an App is a UCS component (Bug 43363).
  • Container passwords aren't changed anymore during container upgrades (Bug 45290).
  • A script can now be run after configuring an App (Bug 43838).
  • AdditionalPackages defined by the App are no longer removed when uninstalling an App (Bug 44772).
  • The documentation has been extended (Bug 42761).
  • The command univention-app dev-set has been added to support development tools (Bug 43040).
  • For developers, reverting a local App Center now removes the App Center directories completely (Bug 43074).
  • When upgrading from a Non-Docker version to a Docker version, the old version was removed even if the installation of the new version was not successful (Bug 42969).
  • The ini attribute License is now passed to the frontend (Bug 42798).
  • Hiding dockerized versions of installed Apps did not work when upgrading from UCS 4.0 (Bug 43075).
  • The code has been adjusted so that other projects may extend the App Center lib (Bug 42834).
  • App containers are now started with the host's proxy settings by default (Bug 44785).
  • If the download of App meta data via zsync fails, the archive is downloaded via an HTTPS request (Bug 45291).
  • The utility function for creating LDAP objects did not honor existing objects. This has been fixed (Bug 42928).
  • When trying to upgrade to a Docker version of a formerly Non-Docker App, a link to a migration guide is shown if available (Bug 43038).
  • Admin credentials are now passed to a preinst script during App installation / upgrade (Bug 44655).
  • App logos are linked to the UMC front-end immediately after the initial system setup (Bug 45748).

6.4.3. Univention Directory Manager UMC modules and command line interface

  • The Python API for UDM modules finds the superordinate object automatically if it is not given (Bug 43423).
  • An error was fixed that prevented syntax classes set via Univention Configuration Registry from being used with a ComboBox widget (Bug 43094).
  • If a user template defined a default value for mailHomeServer, the value was not set. This has been fixed (Bug 42903).
  • UDM objects with the object flags synced and docker can now be deleted (Bug 44954).
  • The missing dependency python-univention-license has been added to fix an error when using the univention.admin.license Python module (Bug 43298).
  • Removing objects which don't have sub-elements is now possible even if the LDAP admin size limit is reached (Bug 43236).
  • Objects underneath containers of superordinate entries like DHCP services are shown again in the tree view (Bug 43048).
  • A regression in UCS 4.1-3 Erratum 319 which caused failures in the Asterisk4UCS App module has been fixed (Bug 43423).

6.4.4. Modules for system settings / setup wizard

  • DNS settings are updated correctly when using app appliances (Bug 42944).
  • The screen-saver is now deactivated while configuring the system (Bug 42944).
  • univention-welcome-screen is now installed earlier in the setup process (Bug 42915).

6.4.5. Univention Directory Reports

  • The Univention Directory Reports created via the UMC are now access protected (Bug 45680).

6.4.6. License module

  • A fallback to the machine account has been added to univention_license_ldap_init() (Bug 35157).

6.4.7. Software update module

  • The updater message for UCS releases that receive extended maintenance was clarified (Bug 45671).

6.4.8. Policies

  • LDAP connections are now always TLS encrypted (Bug 43031).

6.5. Software deployment

  • The Updater has been adapted for UCS 4.1-5 (Bug 45648).
  • The user-agent string has been extended with statistics (Bug 43107).

6.6. System services

6.6.1. Mail services

  • The package dependencies now allow installing Dovecot Pro instead of Dovecot from the Debian repositories (Bug 44567).
  • LDAP queries are now escaped correctly when checking access for a restricted mailing list (Bug 41055).

6.6.2. SSL

  • The local system SSL certificates are correctly regenerated during system join (Bug 44322).
  • The command sign has been added to univention-certificate to allow creating certificates for external Certificate Signing Requests (Bug 22085).
  • The local system SSL certificates are correctly regenerated when refreshing certificates (Bug 44322).

6.6.3. Proxy services

  • The Squid proxy server now uses STARTTLS to encrypt all LDAP connections (Bug 43675).
  • The Univention Configuration Registry variables squid/cache/format, squid/cache/directory, squid/cache/size, squid/cache/l1_size and squid/cache/l2_size have been added to configure the cache settings (Bug 37381).

6.6.4. Apache

  • Exceptions for the apache2/force_https configuration can now be configured via Univention Configuration Registry. When apache2/force_https is enabled, by default localhost will be excluded (Bug 43603).

6.7. Virtualization

6.7.1. Univention Virtual Machine Manager (UVMM)

  • In some cases during live migration the KVM clock is not monotonic, which leads to the virtual machine being stuck until the clock has caught up again. This has been fixed (Bug 45117).

6.8. Container Technologies

  • Release updates in container mode are now allowed even if the UCS master's version is lower (Bug 42923).
  • Package updates are now installed when updating the app in container mode (Bug 43177).
  • Restoring Univention Configuration Registry in container mode after an image exchange has been fixed (Bug 43324).

6.9. Services for Windows

6.9.1. Samba

  • The Univention Configuration Registry variables samba/client/min/protocol, samba/min/protocol and samba/client/max/protocol have been added. Please be aware that raising samba/min/protocol, e.g. to SMB2, also requires raising samba/client/max/protocol to that value or higher (Bug 44646).
  • Samba 4.5 creates a DNS object _msdcs below the position CN=MicrosoftDNS,CN=System. If CN=System is still used by BIND9, DRS replication stops. This can only happen if Samba 4 was installed before UCS 4.0-4 and a Samba 4 system is installed or rejoined. This update removes the created DNS object and prevents its recreation (Bug 43288).

6.9.2. Univention S4 Connector

  • A race condition between writing and reading cached data has been fixed (Bug 43235).
  • The mapping for LDAP attributes of DNS objects is now case insensitive (Bug 43259).
  • The synchronization of DNS zones now also works in special setups where samba4/ldap/base differs from ldap/base (Bug 42393).
  • When adjusting a GPO security filter via Group Policy Management Console repeatedly in a short time, the S4-Connector could revert changes, depending on timing. Now the S4-Connector checks if a change has happened in Samba/AD since the last sync and avoids overwriting the attribute nTSecurityDescriptor in that case (Bug 41571).
  • The init-script has been fixed to check for an already running instance of the S4 connector. The PID file is removed on shutdown. The status action has been added, too (Bug 40659).
  • An issue with renaming Windows clients has been fixed (Bug 43321).
  • Rejects for DNs containing non-ASCII characters could not be saved because python-sqlite3 doesn't accept UTF-8. This caused rejects not to be visible while the S4-Connector kept retrying endlessly, flooding the logs with rejects (Bug 44291).
  • The handling of Printer-Admins and the search for conflicting deleted objects by objectsid have been fixed (Bug 44289).
  • The new Univention Configuration Registry variables connector/s4/mapping/{gpo,wmifilter,msprintconnectionpolicy}/syncmode have been added (Bug 43629).
  • UCS@school specific settings have been moved into the join script (Bug 45329).
  • Client-initiated renaming of Windows machine accounts is now synchronized from Samba/AD to OpenLDAP (Bug 37388).
  • DNs of Windows clients joined from the client itself were not in sync with the corresponding OpenLDAP DNs (Bug 40435).

6.9.3. Univention Active Directory Connection

  • The AD-Connector can now handle the sync_mode configuration at per-attribute granularity (Bug 42618).
  • The LDAP modification list can now be logged in case of a traceback if the changes are synchronized from UCS to Active Directory (Bug 29988).
  • The samAccountName synchronization for Windows clients has been set to write only, because a changed samAccountName attribute in Active Directory is handled via the CN synchronization (Bug 43229).
  • The lookup for the LDAP base DN of the Active Directory server has been fixed (Bug 40816).
  • The mapping for the MS-Exchange related attribute proxyAddresses has been revised to synchronize the OpenLDAP attribute mailPrimaryAddress with the default value configured in proxyAddresses (Bug 43216). In detail:

    1. When reading from Active Directory, the value with the SMTP: prefix is now written to the OpenLDAP attribute mailPrimaryAddress. Before this update, mailPrimaryAddress used to be synchronized with the value of the Active Directory mail attribute instead. The Active Directory mail attribute is informational only.
    2. In the other direction, i.e. writing from OpenLDAP to Active Directory, the value of mailPrimaryAddress continues to be written to the mail attribute and is now additionally written into proxyAddresses as the default value, i.e. prefixed with SMTP:.
    3. Values in proxyAddresses prefixed with smtp: continue to be synchronized with the OpenLDAP attribute mailAlternativeAddress.
  • A race condition between writing and reading cached data has been fixed (Bug 42507).
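The three proxyAddresses rules above, as an added illustration in Python that is not the AD connector's own code: the function names, the dict-based entry format and the sample user entry are constructed for this example.

```python
"""Exchange proxyAddresses <-> OpenLDAP mail attribute mapping (illustration)."""
from typing import Dict, List, Optional

# Constructed sample AD entry, not real directory data. Note that `mail`
# differs from the SMTP: default address on purpose (rule 1: `mail` is
# informational only and no longer the source of mailPrimaryAddress).
SAMPLE_AD_USER: Dict[str, List[str]] = {
    "mail": ["old.alias@example.com"],
    "proxyAddresses": [
        "smtp:old.alias@example.com",
        "SMTP:jane.doe@example.com",
        "smtp:jdoe@example.com",
        "X400:c=DE;a= ;p=Example;o=Exchange;s=Doe;g=Jane;",  # ignored
    ],
}


def ad_to_ucs(ad_entry: Dict[str, List[str]]) -> Dict[str, object]:
    """Rules 1 and 3: derive mailPrimaryAddress from the single upper-case
    SMTP: entry and mailAlternativeAddress from the lower-case smtp: entries."""
    proxies = ad_entry.get("proxyAddresses", [])
    primary = [v[len("SMTP:"):] for v in proxies if v.startswith("SMTP:")]
    if len(primary) > 1:
        # Exchange allows exactly one default address; refuse to guess.
        raise ValueError(f"more than one SMTP: default address: {primary}")
    alternatives = [v[len("smtp:"):] for v in proxies if v.startswith("smtp:")]
    return {
        "mailPrimaryAddress": primary[0] if primary else None,
        "mailAlternativeAddress": alternatives,
    }


def ucs_to_ad(primary: Optional[str], alternatives: List[str]) -> Dict[str, List[str]]:
    """Rule 2: mailPrimaryAddress is written to `mail` and, prefixed SMTP:,
    becomes the default proxyAddresses entry; alternatives keep smtp:."""
    entry: Dict[str, List[str]] = {"mail": [], "proxyAddresses": []}
    if primary:
        entry["mail"] = [primary]
        entry["proxyAddresses"].append(f"SMTP:{primary}")
    entry["proxyAddresses"] += [f"smtp:{alt}" for alt in alternatives]
    return entry
```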

6.10. Other changes

  • Missing INIT INFO headers have been added in various packages to help the update to UCS 4.2 (Bug 45109).
  • tzdata has been updated with the new leap second 2016-12-31 23:59:60 UTC as per IERS Bulletin C 52 (Bug 42877).
  • The root SSL certificate used for the UCS domain is now registered as a trusted root certificate for all applications using /etc/ssl/certs/ (Bug 39179).
  • Joining a UCS system into a domain now works for hostnames where the corresponding host LDAP entry was created using a different casing (Bug 39068).
  • Warning messages are now redirected to join.log in univention-join (Bug 43381).
  • The syslog configuration has been extended to allow logging to remote hosts. Several protocols are supported:

    UDP: fast, but messages can get lost or be dropped in congested networks.
    TCP: more reliable, but can block the sending syslog daemon.
    RELP: reliable, but non-standard; can also block the syslog daemon.

    Sending must be enabled explicitly. For this, the new Univention Configuration Registry variables syslog/remote, syslog/remote/fallback and syslog/remote/selector have been added. Receiving must also be enabled explicitly. For this, the new Univention Configuration Registry variables syslog/input/udp, syslog/input/tcp and syslog/input/relp have been added. Please note that log messages are sent unencrypted, in clear text. It is recommended to use this only in protected networks, as passwords and other sensitive data might leak otherwise (Bug 15728).

  • The configuration for logrotate has been extended to allow a file-by-file configuration through the Univention Configuration Registry variables logrotate/$facility/.... All remaining files are handled by logrotate/syslog-other/... (Bug 41816).
  • Several new Univention Configuration Registry variables syslog/... have been added to enable or disable logging of events of certain facilities to the corresponding targets:

    syslog/auth: /var/log/auth.log
    syslog/cron: /var/log/cron.log
    syslog/kern: /var/log/kern.log
    syslog/daemon: /var/log/daemon.log
    syslog/user: /var/log/user.log
    syslog/lpr: /var/log/lpr.log
    syslog/mail: /var/log/mail.*
    syslog/news: /var/log/news.*
    syslog/syslog: /var/log/syslog (catch-all for all messages)
    syslog/debug: /var/log/debug (only debug messages)
    syslog/messages: /var/log/messages (all except debug and errors)
    syslog/xconsole: /dev/xconsole (used by the graphical console)

    The new Univention Configuration Registry variable syslog/syslog/avoid_duplicate_messages can be used to remove messages that are already logged to other targets from /var/log/syslog. By default, messages get logged multiple times. Furthermore, the selector for certain files can now be customized through the following new Univention Configuration Registry variables (Bug 41815):

    syslog/syslog/selector: [*.*]
    syslog/debug/selector: [*.=debug;auth,authpriv,news,mail.none]
    syslog/messages/selector: [*.=info-warn;auth;authpriv;cron;daemon;mail;news.none]
    syslog/xconsole/selector: [daemon,mail.*;news.err;*.debug-warn]
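As an added illustration (not UCS's own template code), the following Python evaluates the selector strings listed above against a message's facility and priority, which makes visible why one message lands in several files by default and which copies syslog/syslog/avoid_duplicate_messages would drop from /var/log/syslog. It assumes sysklogd/rsyslog selector semantics, reads the lo-hi priority form as an inclusive range, and leaves out the syslog/messages selector because its facility list is not printed in the standard fac,fac.prio form.

```python
"""Selector evaluation for the UCS syslog targets listed above (illustration).
The 'lo-hi' priority form is read as an inclusive range (assumption; plain
sysklogd syntax has no ranges). Selector strings are copied from the notes."""
from typing import Dict, List, Set

# syslog priority levels; numerically lower means more severe (RFC 5424)
PRIORITIES = {
    "emerg": 0, "panic": 0, "alert": 1, "crit": 2, "err": 3, "error": 3,
    "warning": 4, "warn": 4, "notice": 5, "info": 6, "debug": 7,
}

# syslog/<target>/selector values; syslog/messages is omitted (see lead-in)
SELECTORS: Dict[str, str] = {
    "syslog": "*.*",
    "debug": "*.=debug;auth,authpriv,news,mail.none",
    "xconsole": "daemon,mail.*;news.err;*.debug-warn",
}


def _levels(spec: str) -> Set[int]:
    """Expand one priority spec into the set of numeric levels it selects."""
    exact = spec.startswith("=")
    spec = spec.lstrip("=")
    if spec == "*":
        return set(PRIORITIES.values())
    if "-" in spec:  # assumed inclusive range, e.g. debug-warn
        lo, hi = spec.split("-", 1)
        return set(range(PRIORITIES[hi], PRIORITIES[lo] + 1))
    level = PRIORITIES[spec]
    # '=prio' selects only that level; 'prio' selects it and all more severe ones
    return {level} if exact else set(range(0, level + 1))


def matches(selector: str, facility: str, priority: str) -> bool:
    """True if a facility.priority message is selected.

    Parts are applied left to right as sysklogd/rsyslog do: 'facs.prio' adds
    levels for the named facilities, 'facs.none' clears them again.
    """
    selected: Set[int] = set()
    for part in selector.split(";"):
        facs, _, prio = part.rpartition(".")
        if facs != "*" and facility not in facs.split(","):
            continue
        if prio == "none":
            selected.clear()
        else:
            selected |= _levels(prio)
    return PRIORITIES[priority] in selected


def targets_for(facility: str, priority: str) -> List[str]:
    """Every configured target that receives the message."""
    return [t for t, s in SELECTORS.items() if matches(s, facility, priority)]


def duplicated_in_syslog(facility: str, priority: str) -> bool:
    """True if /var/log/syslog would hold a copy of a message that another
    target also stores, i.e. the case avoid_duplicate_messages removes."""
    hits = targets_for(facility, priority)
    return "syslog" in hits and len(hits) > 1
```

For example, a mail.info message is written to both /var/log/syslog and /dev/xconsole, whereas kern.err only reaches /var/log/syslog.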