UCS 4.2 Release Notes

Release notes for the commissioning and update of Univention Corporate Server (UCS) 4.2


Table of Contents

1. Release Highlights
2. Notes on the Update
2.1. Recommended Update Order
2.2. UCS Installation DVDs Only Available as 64-bit Variant
3. Preparation of the Update
4. Post-Processing of the Update
5. Notes on the Use of Individual Packages
5.1. QEMU Issues
5.2. Collection of Usage Statistics
5.3. Scope of Security Support for WebKit, Konqueror and QtWebKit
5.4. Recommended Browsers for Accessing Univention Management Console
6. Changelog
6.1. General
6.2. Univention Installer
6.3. Basic system services
6.3.1. Linux kernel and firmware packages
6.3.2. Univention Configuration Registry
6.3.2.1. Changes to templates and modules
6.3.3. Other system services
6.4. Domain services
6.4.1. OpenLDAP
6.4.1.1. LDAP ACL changes
6.4.1.2. Listener/Notifier domain replication
6.4.1.3. DNS server
6.4.1.4. DHCP server
6.5. Univention Management Console
6.5.1. Univention Management Console web interface
6.5.2. Univention Management Console server
6.5.3. Univention App Center
6.5.4. Univention Directory Manager UMC modules and command line interface
6.5.5. Modules for system settings / setup wizard
6.5.6. Software update module
6.5.7. Domain join module
6.5.8. Users module
6.5.9. DNS module
6.5.10. DHCP module
6.5.11. Policies
6.5.12. Filesystem quota module
6.6. Software deployment
6.7. Univention base libraries
6.8. System services
6.8.1. SAML
6.8.2. Univention self service
6.8.3. Kerberos
6.8.4. SSL
6.8.5. Proxy services
6.8.6. Apache
6.8.7. PAM / Local group cache
6.8.8. Other services
6.9. Virtualization
6.9.1. Univention Virtual Machine Manager (UVMM)
6.10. Container Technologies
6.11. Services for Windows
6.11.1. Samba
6.11.2. Univention S4 Connector
6.12. Other changes

Chapter 1. Release Highlights

With Univention Corporate Server 4.2, the second minor release of Univention Corporate Server (UCS) is available. It comprises a number of extensive feature enhancements and improvements, new properties as well as various detail improvements and bug fixes. The most important changes at a glance:

  • UCS 4.2 is based on Debian GNU/Linux 8 (Jessie). More than 16,000 source packages have been updated and adapted to the needs of UCS administrators. Some core components, such as the Linux kernel (4.9), Docker (1.12) or QEMU (2.8), are more recent in UCS 4.2 than in Debian GNU/Linux 8. systemd is now used as the default init system.

  • Starting with UCS 4.2, the management system provides a central portal for quick access to all applications in the environment as well as for the administration of the different UCS systems. This makes it easier for users to access the applications enabled for them. The portal is configurable and can be tailored to individual needs.

  • The design and user guidance have been further improved with UCS 4.2. For example, the password self service is now simpler to use. The management system now uses SAML (web single sign-on) by default, provided the prerequisites, such as working name resolution, are met.

  • Samba has been updated to version 4.6.1. This includes various improvements, among others in DRS replication, Active Directory compatibility in general, and the file and print services. In addition, performance in environments with many users has been improved.

Chapter 2. Notes on the Update

During the update, services within the domain may be temporarily unavailable. For this reason, the update should be performed within a maintenance window. It is generally recommended to first install and test the update in a test environment. The test environment should be identical to the production environment. Depending on system speed, network connection and installed software, the update can take between 20 minutes and several hours.

2.1. Recommended Update Order

In environments with more than one UCS system, the update order of the UCS systems must be observed:

The domain controller master holds the authoritative version of the LDAP directory service, which is replicated to all other LDAP servers in the UCS domain. Since release updates may involve changes to the LDAP schemata, the domain controller master must always be the first system to be updated during a release update.

2.2. UCS Installation DVDs Only Available as 64-bit Variant

Starting with UCS 4, UCS installation DVDs are only provided for 64-bit architectures. Existing 32-bit UCS 3 systems can still be updated to UCS 4 via the online repository or via update DVDs. The 32-bit architecture remains supported for the entire UCS 4 maintenance period.

Chapter 3. Preparation of the Update

It should be checked whether sufficient disk space is available. A standard installation requires at least 6 GB of disk space. Depending on the size of the existing installation, the update requires approximately 2 GB of additional space for downloading and installing the packages.

For the update, a login on the local console of the system as user root should be performed and the update started there. Alternatively, the update can be performed via Univention Management Console.

A remote update via SSH is not recommended, since an interruption of the network connection, for example, can abort the update process and leave the system in an impaired state. If an update is nevertheless performed over a network connection, it must be ensured that the update continues to run even if the network connection is interrupted. The tools screen or at, which are installed on all UCS system roles, can be used for this purpose.

Chapter 4. Post-Processing of the Update

After the update, the new or updated join scripts must be executed. This can be done in two ways: either via the UMC module Domain join or by running the command univention-run-join-scripts as user root.

The packages univention-log-collector-server and univention-log-collector-client are no longer maintained. If these packages are installed, they should be removed.

In Univention Corporate Server 4.2, the OpenLDAP server by default denies the LDAP bind if passwords or accounts have expired. On updated systems this check is not enabled, but it can be enabled by setting the Univention Configuration Registry variable ldap/shadowbind to true.

During the update, the Univention Configuration Registry settings nameserver* and dns/forwarder* are checked and corrected automatically to ensure that the nameserver* variables only point to DNS servers that can resolve the UCS domain. The automated correction is performed once by running /usr/share/univention-server/univention-fix-ucr-dns. We recommend checking the values of these Univention Configuration Registry variables.

Afterwards, the UCS system must be rebooted.

Chapter 5. Notes on the Use of Individual Packages

5.1. QEMU Issues

For UCS 4.2, qemu has been updated from version 1.1 to version 2.8. This currently leads to problems with

  • live migration from old to new versions of QEMU.
  • restoring snapshots of running virtual machines that were created with an old version of QEMU.
  • restoring the state of a running virtual machine that was suspended to disk with an old version of QEMU.

Univention is working on a solution and until then refers to the article SDB 1384 for temporary workarounds.

5.2. Collection of Usage Statistics

When the UCS Core Edition is used (which is usually the edition used for evaluating UCS), anonymous usage statistics on the use of Univention Management Console are generated. The modules opened are logged by an instance of the web traffic analysis tool Piwik. This allows Univention to better tailor the development of Univention Management Console to customer interests and to make usability improvements.

This logging only takes place when the UCS Core Edition is used. The license status can be checked via the entry License -> License information in the user menu in the upper right corner of Univention Management Console. If License type shows UCS Core Edition, such an edition is in use. When a regular UCS license is used, there is no participation in the usage statistics.

Regardless of the license used, the logging can be disabled by setting the Univention Configuration Registry variable umc/web/piwik to false.

5.3. Scope of Security Support for WebKit, Konqueror and QtWebKit

WebKit, Konqueror and QtWebKit are shipped in the maintained branch of the UCS repository, but are not covered by security updates. WebKit is mainly used for rendering HTML help pages and the like. Firefox should be used as the web browser.

5.4. Recommended Browsers for Accessing Univention Management Console

Univention Management Console uses numerous JavaScript and CSS functions to render the web interface. Cookies must be enabled in the browser. The following browsers are recommended:

  • Chrome version 37 or later

  • Firefox version 38 or later

  • Internet Explorer version 11 or later

  • Safari and Safari Mobile version 9 or later

Display or performance problems may occur on older browsers.

Chapter 6. Changelog

The changelogs with detailed change information are maintained in English only. Listed are the changes since UCS 4.1-4 errata408:

6.1. General

  • The Debian basis has been updated from Debian 7 (Wheezy) to Debian 8 (Jessie) (Bug 43560, Bug 41930, Bug 41929, Bug 44146). This means, among other things, the following upgrades:

    • Apache has been updated to 2.4.10.
    • The BIND DNS server has been updated to 9.9.5.
    • OpenSSH has been updated to 6.7.
    • Perl has been updated to 5.20.2.
    • PHP has been updated to 5.6.30.
    • Postfix has been updated to 2.11.3.
    • UCS ships with systemd-sysv as default init system. This package is installed automatically on upgrades. All UCS init shell scripts have been made LSB compliant to be compatible with systemd. If custom init scripts are used or standard UCS init scripts have been modified, please be aware that these may now have been superseded by systemd unit files or systemd itself (Bug 43330).
  • The codename for UCS 4.2 has been set to Lesum (Bug 42054).

6.2. Univention Installer

  • The installer now supports POSIX shared memory objects for non-privileged processes during the installation in the chroot (Bug 43915).

6.3. Basic system services

6.3.1. Linux kernel and firmware packages

  • The Linux kernel has been updated to 4.9.13 (Bug 42048, Bug 42047).
  • The kernel modules openafs-modules-dkms, blktap-dkms, virtualbox-dkms, virtualbox-guest-dkms, open-vm-tools-dkms, backfire-dkms and oss4-dkms have been updated to be compatible with the new Linux kernel 4.9. The modules iscsitarget-dkms and xtables-addons-dkms are no longer supported (Bug 42049).

6.3.2. Univention Configuration Registry

  • The maximum transfer unit (MTU) for network interfaces can now be configured through the new Univention Configuration Registry variable interfaces/interface/mtu (Bug 35814).
  • The functions remove_ucr_template and remove_ucr_info_file from the shell library ucr.sh have been deprecated. The library itself was moved into the package univention-config (Bug 27872).
  • ucr update is now automatically called when Univention Configuration Registry template files are added/modified/removed (Bug 23737).
  • Univention Configuration Registry now loads its data atomically to fix a problem when multiple threads access the database concurrently (Bug 37402).
  • The robustness of the services module has been improved to better handle process changes (Bug 34234).
  • An internal fallback implementation for pipes.quote() was added to fix an upgrade issue while python is not configured (Bug 43341).
  • The Python implementation has been changed to follow the Python contract for dictionaries, with one exception: the method get() still returns None instead of raising KeyError when the key is not found, as this is still required for compatibility with previous releases (Bug 33101).

6.3.2.1. Changes to templates and modules

  • The */autostart Univention Configuration Registry variables are now handled by a generic Univention Configuration Registry module. The variables are still used in the individual init-scripts for backward compatibility with the classic System V init system, but are shadowed by the corresponding systemd mechanisms to enable/disable and mask/unmask services (Bug 43470).

6.3.3. Other system services

  • Several network start scripts have been adapted to work with systemd (Bug 42380).

6.4. Domain services

6.4.1. OpenLDAP

  • The overlay module shadowbind has been added. This module checks shadowExpire and shadowMax/shadowLastChange of the bind DN object and denies the login if the account or the password has expired. The overlay can be enabled/disabled with the Univention Configuration Registry variable ldap/shadowbind. An ignore LDAP filter (shadowbind does not check account/password expiry if the bind DN object matches this filter) can be configured with the Univention Configuration Registry variable ldap/shadowbind/ignorefilter (Bug 36215).
  • If slapd is already running when the init script is asked to start it, the init script no longer signals failure. A 5 second delay when starting slapd has been removed (Bug 43450).
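To make the bind-time expiry check of the shadowbind overlay (enabled via ldap/shadowbind, see also Chapter 4) tangible, here is an added Python model of its decision logic. It is not code from UCS: the real overlay is a slapd module in C, and this only reimplements the behaviour described above (deny the bind if shadowExpire, or shadowLastChange plus shadowMax, marks the entry as expired, unless the entry matches the ignore filter). The boundary handling follows pam_unix and is an assumption, as is the restriction of the ignore filter to simple "(attr=value)" filters; the sample entries are constructed.

```python
"""Model of the bind-time expiry check performed by the shadowbind overlay.

Added example, not code from UCS: the real overlay is a slapd module in C;
this reimplements only its decision logic (as described in the release notes)
so the effect of shadowExpire, shadowMax and shadowLastChange on an LDAP bind
can be tried out offline. Boundary handling (today >= shadowExpire,
today - shadowLastChange > shadowMax) follows pam_unix and is an assumption;
the ignore filter is modelled only for simple "(attr=value)" filters.
"""
from datetime import date

EPOCH = date(1970, 1, 1)


def days_since_epoch(day):
    """Shadow attributes count days since 1970-01-01, like /etc/shadow."""
    return (day - EPOCH).days


def _int_attr(entry, name):
    """First value of an integer-valued attribute, or None if absent/invalid."""
    values = entry.get(name) or []
    try:
        return int(values[0])
    except (IndexError, ValueError):
        return None


def matches_ignore_filter(entry, ignore_filter):
    """Equality-filter matcher for ldap/shadowbind/ignorefilter, e.g. '(uid=svc)'.
    Assumption: only this simple filter form is handled here."""
    if not ignore_filter:
        return False
    attr, sep, value = ignore_filter.strip().strip("()").partition("=")
    return bool(sep) and value in (entry.get(attr) or [])


def account_expired(entry, today):
    """shadowExpire is the day the account is disabled; absent or negative means never."""
    expire = _int_attr(entry, "shadowExpire")
    return expire is not None and expire >= 0 and today >= expire


def password_expired(entry, today):
    """Password is expired once more than shadowMax days have passed since
    shadowLastChange; a missing attribute or shadowMax < 0 means no expiry."""
    last_change = _int_attr(entry, "shadowLastChange")
    max_age = _int_attr(entry, "shadowMax")
    if last_change is None or max_age is None or max_age < 0:
        return False
    return today - last_change > max_age


def bind_allowed(entry, password_ok, today, ignore_filter=None):
    """Decide a simple bind against a user entry. Returns (allowed, reason).
    Entries matching the ignore filter skip the expiry checks entirely."""
    if not password_ok:
        return False, "invalid credentials"
    if matches_ignore_filter(entry, ignore_filter):
        return True, "expiry check skipped (ignore filter)"
    if account_expired(entry, today):
        return False, "account expired (shadowExpire)"
    if password_expired(entry, today):
        return False, "password expired (shadowLastChange + shadowMax)"
    return True, "ok"


# Constructed sample entries (attribute -> list of string values, as read from LDAP)
SAMPLE_TODAY = days_since_epoch(date(2024, 1, 1))  # 19723
ACTIVE_USER = {"uid": ["alice"], "shadowLastChange": ["19700"], "shadowMax": ["90"]}
STALE_PASSWORD = {"uid": ["bob"], "shadowLastChange": ["19600"], "shadowMax": ["90"]}
EXPIRED_ACCOUNT = {"uid": ["carol"], "shadowExpire": ["19000"],
                   "shadowLastChange": ["19700"], "shadowMax": ["90"]}
SERVICE_ACCOUNT = {"uid": ["svc-backup"], "shadowExpire": ["19000"]}

if __name__ == "__main__":
    for entry in (ACTIVE_USER, STALE_PASSWORD, EXPIRED_ACCOUNT, SERVICE_ACCOUNT):
        allowed, reason = bind_allowed(entry, True, SAMPLE_TODAY, "(uid=svc-backup)")
        print(f"{entry['uid'][0]:<11} allowed={allowed!s:<5} {reason}")
```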

6.4.1.1. LDAP ACL changes

  • The slapd configuration option add_content_acl has been turned on (Bug 41797).
  • The overlay module constraint has been enabled. Security restrictions for the attributes uidNumber and gidNumber have been added. The value "0" is no longer valid for these attributes (Bug 43312).

6.4.1.2. Listener/Notifier domain replication

  • The Listener daemon is now compiled with hardening options and return code checks have been improved (Bug 26039).
  • Kerberos support was removed from the Listener (Bug 42678).
  • The Listener cache backend has been converted to LMDB (Bug 23367).

6.4.1.3. DNS server

  • The timeout and retry handling of the BIND9 LDAP database plugin has been improved (Bug 42389).
  • During the update of DNS servers having univention-bind installed, the Univention Configuration Registry settings nameserver1 to nameserver3 and dns/forwarder1 to dns/forwarder3 are checked and fixed automatically. This is done by running /usr/share/univention-server/univention-fix-ucr-dns once (Bug 43217, Bug 44208).
  • The legacy System V init scripts univention-bind and univention-bind-proxy have been removed. The services are now handled through the System V init script bind9 and the systemd service unit file bind9.service (Bug 43690).

6.4.1.4. DHCP server

  • Quoting of the server name has been added (Bug 42240).

6.5. Univention Management Console

6.5.1. Univention Management Console web interface

  • The general design of the web interface has been improved. Several aspects of the design are borrowed from the Google Material Design guidelines. All Univention web interfaces reside now below /univention, e.g., Univention Management Console has moved from /univention-management-console to /univention (Bug 42261, Bug 42228, Bug 42264, Bug 43451, Bug 42266, Bug 43528, Bug 44007, Bug 44059, Bug 43531).
  • A central portal site has been added to UCS. It provides a central site that shows all installed Apps in a UCS domain. Furthermore, the portal page can be configured and customized (Bug 42233, Bug 42175, Bug 42231, Bug 43495, Bug 43670, Bug 43887, Bug 43932, Bug 43933, Bug 42235, Bug 43928, Bug 44018, Bug 44048, Bug 44070).
  • A server overview site has been added to UCS. It allows searching for and navigating to particular server instances in the UCS domain (Bug 43595, Bug 43680).
  • JavaScript and CSS code has been moved from Univention Management Console into a generic and separate web library that can be used by other web applications, as well (Bug 38824).
  • Global menu entries can now be defined via JavaScript hook modules. A JavaScript hook module needs to be placed as module in the JavaScript directory umc/hook and it needs to be defined via the Univention Configuration Registry variable umc/web/hooks/<packageName>=<javaScriptModule> (Bug 42263).
  • Improved internationalization for JavaScript files in UMC (Bug 42293).
  • The correct service name is shown when the start behavior is configured through the Univention Configuration Registry variable umc/http/autostart (Bug 42340).
  • Various security improvements have been made to guard against Cross Site Request Forgery (XSRF), Cross Site Scripting (XSS) and Clickjacking attacks. The HTTP response headers X-Frame-Options, Content-Security-Policy, X-Content-Type-Options, X-XSS-Protection and X-Permitted-Cross-Domain-Policies are now set by default (Bug 39733, Bug 39731).
  • A menu entry for changing the language has been added (Bug 40612).
  • A menu entry for downloading the root certificate and certificate revocation list has been added (Bug 43695).
  • In certain situations it was possible that the translations were mixed. This has been fixed (Bug 38370).
  • Traceback reports do not require an authenticated session anymore and can be sent anonymously (Bug 42169).
  • Plural forms for translations are now supported in the JavaScript code (Bug 42220).
  • The JavaScript libraries dojo (1.12.1), xstyle (3.2.0) and dgrid (1.1.0) have been updated (Bug 42291).
  • Data grids now have a dynamic height depending on the number of items in them, instead of a fixed height (Bug 32027, Bug 43630).
  • The design of the login dialog has been restructured and moved into a single login page. By default the login to Univention Management Console now uses the SAML Single Sign On login mechanism. The session timeout has been increased to 8 hours of inactivity (Bug 42174, Bug 43918).
  • The French translation has been updated w.r.t. the new structure of the web packages (Bug 43462).
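The five response headers listed above are what an administrator will want to verify after the upgrade. The following added check (not UCS code) parses a raw HTTP response head and reports which of those headers are missing or carry a value that weakens the protection; the expected values are assumptions based on the headers' common usage, since the release notes only name the headers. The two sample response heads are constructed.

```python
"""Post-upgrade check for the HTTP security headers UCS 4.2 sets by default.

Added example, not UCS code. parse_response_head() takes the raw head of an
HTTP response; check_security_headers() reports which of the five headers
named in the release notes are missing or weak. The accepted values are
assumptions (commonly recommended settings), the release notes only name the
headers.
"""
import sys
import urllib.request


def _frame_options(value):
    return None if value.upper() in ("DENY", "SAMEORIGIN") else "should be DENY or SAMEORIGIN"


def _csp(value):
    low = value.lower()
    if "frame-ancestors" in low or "default-src" in low:
        return None
    return "no frame-ancestors or default-src directive"


def _nosniff(value):
    return None if value.lower() == "nosniff" else "should be nosniff"


def _xss_protection(value):
    return None if value.strip().startswith("1") else "should be enabled (1; mode=block)"


def _cross_domain(value):
    return None if value.lower() in ("none", "master-only") else "should be none"


# header name -> validator returning None when the value is acceptable
EXPECTED = {
    "X-Frame-Options": _frame_options,
    "Content-Security-Policy": _csp,
    "X-Content-Type-Options": _nosniff,
    "X-XSS-Protection": _xss_protection,
    "X-Permitted-Cross-Domain-Policies": _cross_domain,
}


def parse_response_head(raw):
    """Parse a raw HTTP response head (status line plus header lines) into a
    dict keyed by lower-cased header name; a later duplicate wins."""
    headers = {}
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:
        if not line.strip():          # blank line ends the head
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def check_security_headers(headers):
    """Return {header: problem} for each expected header that is missing or
    weak. An empty dict means all five headers are present with sane values."""
    problems = {}
    for name, validate in EXPECTED.items():
        value = headers.get(name.lower())
        if value is None:
            problems[name] = "missing"
        else:
            issue = validate(value)
            if issue:
                problems[name] = issue
    return problems


# Constructed samples: a hardened response and one an older release might send
HARDENED = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'self'\r\n"
    "X-Content-Type-Options: nosniff\r\nX-XSS-Protection: 1; mode=block\r\n"
    "X-Permitted-Cross-Domain-Policies: none\r\n\r\n<html>...</html>"
)
LEGACY = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Frame-Options: ALLOWALL\r\n\r\n"


def main(url):
    """Fetch the URL (e.g. https://<ucs-host>/univention/) and print findings.
    The UCS root certificate must be trusted by the client's SSL context."""
    with urllib.request.urlopen(url) as resp:
        headers = {k.lower(): v for k, v in resp.headers.items()}
    problems = check_security_headers(headers)
    for name, problem in problems.items():
        print(f"{name}: {problem}")
    return problems


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else "https://localhost/univention/")
```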

6.5.2. Univention Management Console server

  • The correct service name is shown when the start behavior is configured through the Univention Configuration Registry variable umc/server/autostart (Bug 42339).
  • A crash in the UMC server has been fixed which could occur during connecting to module processes under heavy load (Bug 43713).
  • UMC modules are now able to serve requests for unauthenticated clients (Bug 42114).

6.5.3. Univention App Center

  • Docker Apps now send notifications after an App update. This fix was cherry-picked from an upcoming 4.1-4 update (Bug 44148).
  • More characters in the version of an App are allowed (Bug 41905).
  • The version comparison for supported UCS Version has been fixed so that it does not fail on testing minor versions that are lower than the current version (Bug 43901).
  • Adjustments have been made to work with the new Docker version or other software components (Bug 43338, Bug 43607, Bug 43458).
  • The status message in the App details Page has been improved and shows the installed and candidate version (Bug 43905).
  • The App Center can now install certain Docker Apps from other UCS versions (Bug 43496, Bug 43662, Bug 43709).
  • Code cleanup where deprecated functions of Univention Directory Manager were used (Bug 43624).
  • Before UCS 4.2, the Docker init scripts were created as links. Since the new init scripts need unique identifiers, the init scripts are now copied from a default init script. All existing init scripts are migrated during the upgrade to UCS 4.2 (Bug 43674, Bug 44071).
  • To support systemd based containers, univention-appcenter-docker now asks docker to mount /run and /run/lock as tmpfs in newly created containers and pre-mounts /sys/fs/cgroup. Additionally it uses an adjusted seccomp profile, which allows the system call name_to_handle_at, which avoids granting SYS_ADMIN capabilities to containers (Bug 43455).
  • The command univention-app shell no longer implicitly sets the docker exec options -it. Instead, univention-app shell provides these options as parameters for interactive usage (Bug 44062).

6.5.4. Univention Directory Manager UMC modules and command line interface

  • The existence of objects is now checked before initializing them (Bug 38110).
  • The syntax class ObjectFlag now accepts the value docker (which is used to mark computer objects that are created specifically for Docker App Containers); the corresponding attribute is now multivalued, making it possible to store more than one flag on an object (Bug 43148).
  • The UDM specific JavaScript widget LinkList has been moved to univention-management-console-module-udm from univention-management-console-frontend (Bug 42321).

6.5.5. Modules for system settings / setup wizard

  • The setup wizard has been refactored to be a standalone web application (Bug 42172).
  • The package dbus-x11 is installed by default to silence firefox (Bug 36168).
  • The file /etc/localtime no longer is a symbolic link, but contains a copy of the time zone data (Bug 24090).

6.5.6. Software update module

  • Illegal characters don't cause a crash when viewing the logfile anymore (Bug 41539).
  • During an update, the view is scrolling automatically with the last line of the log file (Bug 43508).

6.5.7. Domain join module

  • The "execute pending join scripts" button is now grayed out if no unconfigured join scripts exist (Bug 35326).
  • Illegal characters don't cause a crash when viewing the logfile anymore (Bug 41539).

6.5.8. Users module

  • An alternative tile view has been added to the user list which displays the users' profile pictures (Bug 42229, Bug 43868).
  • Templates used when creating new users now work for all properties (Bug 43428).
  • The layout of user templates has been synchronized with the layout of the users modules (Bug 42765).
  • Some broken mappings of user templates have been fixed (Bug 29672).

6.5.9. DNS module

  • The help and example for the DNS reverse zone subnet property has been improved (Bug 34131).
  • The description for the negative time-to-live property has been corrected (Bug 33165).
  • Long descriptions have been added to all DNS module properties (Bug 42820).
  • DNS names are now checked for validity according to RFC 2181. PTR entries are now shown in forward notation as IP addresses and can be searched for (Bug 25354).

6.5.10. DHCP module

  • The DHCP modules now validate the input fields better and require a valid IP address or host name to be entered (Bug 33211).
  • Long descriptions have been added to all DHCP module properties (Bug 42820).
  • Listing policies for DHCP host entries now works with multiple DHCP services and for entries with none or multiple IP addresses (Bug 42849).
  • Support for dynamic address assignment using pools for known hosts has been improved (Bug 16923).
  • A memory leak has been fixed. A crash during startup if the LDAP server was unreachable has been fixed (Bug 31078).
  • DHCP options and DHCP statements can now be configured via Univention Management Console (Bug 32557).
  • The univention-dhcp package update script has been adjusted to tolerate temporary systemd related service restart failure (Bug 43651).

6.5.11. Policies

  • The long descriptions of the DHCP server statements policy have been corrected (Bug 34441).

6.5.12. Filesystem quota module

  • Clicking on an activated partition opens the quota settings for that partition (Bug 43507).

6.6. Software deployment

  • The updater scripts preup.sh and postup.sh have been adapted to the needs of UCS 4.2 (Bug 42037).
  • The pre-check of the UCS 4.2 upgrade now checks whether essential server role packages would be removed during the upgrade. In this case the upgrade process is stopped beforehand (Bug 39092).
  • The pre-check of the UCS 4.2 upgrade now ensures that all computer objects have valid LDAP object classes (Bug 41868).
  • To avoid errors in the UMC when choosing English as language, the pre-check of the UCS 4.2 upgrade now ensures that en_US is specified as available locale (Bug 44150).
  • The program univention-updater now also checks the lock status if the option --check is used (Bug 43625).

6.7. Univention base libraries

  • The basic Univention LDAP Python library uldap.py now allows the deletion of the following LDAP attributes: univentionPortalBackground, univentionPortalLogo, univentionPortalEntryIcon and univentionUMCIcon (Bug 44019, Bug 44040).

6.8. System services

6.8.1. SAML

  • The package python-pysaml2 3.0.0-5 has been ported back from Debian Stretch (Bug 43547).
  • The package simplesamlphp 1.14.11-1 has been ported back from Debian Stretch (Bug 43783).
  • The Apache configuration has been adjusted (Bug 43708).

6.8.2. Univention self service

  • The usability of the password self service module has been improved. In addition, the module has been updated to the UCS 4.2 web structure (Bug 42267, Bug 44111).
  • The self service links for the password reset and password change have been consolidated into one portal entry. If a password reset entry should be added to the portal, it can be created through the LDAP browse module (Bug 44102).
  • The self service now communicates directly with the UMC server instead of being proxied through a WSGI process (Bug 42132).

6.8.3. Kerberos

  • The missing package conflicts between univention-heimdal-kdc and univention-heimdal-member were added (Bug 34258).
  • The Listener scripts for creating Kerberos keys were fixed to not drop root permissions (Bug 43409).
  • The Listener scripts for creating Kerberos keys were updated to use the new location of ktutil and kadmin (Bug 43492).
  • The list of supported encryption types in /etc/krb5.conf has been adjusted to make e.g. nsupdate work with the new Samba version (Bug 43850).

6.8.4. SSL

  • During univention-system-setup, the certificate for the initially configured undefined-hostname.unassigned-domain is not recreated (Bug 43626, Bug 43983).
  • The root SSL certificate used for the UCS domain is now registered as a trusted root certificate for all applications using /etc/ssl/certs/ (Bug 39179, Bug 43811).

6.8.5. Proxy services

  • The Squid proxy server was upgraded to version 3.4.8 and its configuration adapted (Bug 43580, Bug 43717, Bug 44210).
  • The Squid proxy server now uses STARTTLS to encrypt all LDAP connections (Bug 43676).
  • For squidguard a fix for the script update-squidguard was ported back from the 1.5-5 release (Bug 43581).

6.8.6. Apache

  • Apache configuration files in the packages univention-apache, univention-novnc, univention-nagios and univention-system-activation have been adapted to Apache version 2.4 (Bug 42196, Bug 42296).
  • The SSL proxy peer checks for CN and for hostname have been disabled since newer Apache versions check this by default and the Docker container web interfaces are available via localhost (Bug 43813).
  • A robots.txt file has been added to the default server configuration which prevents search engines and similar web services from indexing the content delivered by Apache. During the upgrade to UCS 4.2 any existing robots.txt in /var/www/ will be backed up to robots.txt.orig (Bug 32521).

6.8.7. PAM / Local group cache

  • The PAM configuration now uses the user_envfile option for reading files from the user home directory (Bug 43287).

6.8.8. Other services

  • univention-tftp has been updated due to a newer syslinux version; this fixes the path to the pxelinux.0 binary.
  • univention-postgresql has been updated to support the newer postgresql-9.4 by adding a new univention-postgresql-9.4 and changing univention-postgresql to install that on new installations (Bug 43682).
  • univention-appcenter has been updated to support the newer univention-postgresql-9.4 (Bug 43682).
  • univention-printquota has been updated to support the newer univention-postgresql-9.4 (Bug 43682).
  • univention-pkgdb has been updated to support the newer univention-postgresql-9.4 (Bug 43682).
  • univention-bacula has been updated to support the newer univention-postgresql-9.4 (Bug 43682).

6.9. Virtualization

6.9.1. Univention Virtual Machine Manager (UVMM)

  • Profiles for UCS 4.2 and Windows Server 2016 have been added (Bug 44067).
  • Error handling has been improved (Bug 38634).
  • The start script for libvirtd has been updated to be compatible with systemd (Bug 43493).
  • libvirtd is no longer started through runit but through systemd (Bug 43875).
  • qemu, libvirt, VirtIO and related packages have been updated to newer versions. Live migration and snapshots from previous versions might not work in all cases due to large changes in the code base. In such cases it is recommended to shut down the virtual machines cleanly before the upgrade and to cold-boot them after the upgrade (Bug 38877).
  • univention-novnc has been adapted so that the service is started at a later point in the installation (Bug 44067).

6.10. Container Technologies

  • Docker has been updated to 1.12 (Bug 42282, Bug 43449, Bug 44006).
  • The Univention Configuration Registry variable docker/daemon/default/parameter/.* has been added to configure additional parameters for the Docker daemon (Bug 44033).
  • The parameter live-restore is now used by default (Bug 44033).
  • The Docker daemon is now started through systemd (Bug 44033).

6.11. Services for Windows

6.11.1. Samba

  • The Univention Directory Listener is restarted after the Univention Configuration Registry variable samba4/role gets set in the joinscript (Bug 43501).
  • Samba has been updated to version 4.6.1 (Bug 40661, Bug 42045, Bug 43681).
  • univention-samba4 has been adjusted to flush caches during initial install before committing the SYSVOL ACLs (Bug 41319).
  • Samba has been adjusted to avoid problems in case an administrator created a container CN=System somewhere (Bug 31763).
  • The samba4-idmap.py listener module has been improved to initialize the idmap during module resynchronization (Bug 42819).
  • The samba4-idmap.py listener module now flushes the samba gencache at the end of --direct-resync (Bug 41319).
  • univention-samba and univention-samba4 now use the interfaces defined in Univention Configuration Registry (Bug 43073).
  • samba_dnsupdate now avoids adding a _msdcs NS record if the corresponding SOA record is not present (Bug 43291).

6.11.2. Univention S4 Connector

  • The escaping of LDAP filter expressions in the S4 Connector has been improved (Bug 32086).
  • The generation of filters from Univention Configuration Registry variable connector/s4/mapping/dns/ignorelist has been fixed (Bug 43397).
  • The S4 Connector can now handle large groups if Samba returns ranged results (Bug 41764).

6.12. Other changes

  • All packages have been updated to no longer depend on deprecated packages and features (Bug 42183).
  • ucslint checks for missing quoting in function local variable assignments (Bug 41926).
  • ucslint checks Debian maintainer scripts for wrong comments naming a different maintainer script (Bug 32539).
  • ucslint warns of dependencies on transitional packages (Bug 37203).
  • ucslint checks were added to the build process of some packages (Bug 23837).
  • ucslint skips checking some generated files (Bug 43284).
  • The service portmap was renamed to rpcbind (Bug 36571).
  • The init scripts of all services have been made Linux Standard Base (LSB) compliant to allow insserv to automatically reorder them based on dependencies (Bug 38438). The test for insserv has been removed (Bug 43306).
  • The Univention Configuration Registry variable version/erratalevel gets reset to 0 (Bug 43300).
  • Renaming and moving objects into names containing a comma is now possible (Bug 43332).
  • The generation of the maintenance script to remove obsolete files from a local repository has been fixed: it no longer removes the cryptographic signatures of the updater scripts and dists/ directories required for network installation (Bug 39582). It also uses the correct path to remove obsolete packages (Bug 28048).
  • unbind() methods have been added to the classes univention.uldap and univention.admin.uldap (Bug 37519).
  • The class univention.lib.umc_connection.UMCConnection has been replaced with the new and more flexible class univention.lib.umc.Client (Bug 34498).
  • The following packages have been back-ported and built in order to update to the newer docker version: golang, containerd, golang-1.6, runc, golang-codegangsta-cli, golang-github-coreos-go-systemd, golang-github-docker-go-units, golang-github-opencontainers-specs, golang-github-seccomp-libseccomp-golang, golang-github-vishvananda-netlink, dh-golang, golang-dbus, golang-github-xeipuuv-gojsonschema, golang-testify, golang-github-xeipuuv-gojsonreference, golang-github-xeipuuv-gojsonpointer, golang-github-davecgh-go-spew, golang-github-pmezard-go-difflib, libseccomp, golang-github-vishvananda-netns, golang-objx (Bug 42282).
  • The following packages have been added to the maintained section of the software repository: python-cups, univention-mysql, recode, freetds, xmlrpc-epi, libwebp, uw-imap, firebird2.5 (Bug 42311, Bug 42509, Bug 43481).
  • The package xserver-xorg-input-all no longer depends on xserver-xorg-input-vmmouse since it is obsolete with the latest kernel changes (Bug 43460).
  • The package python-univention-directory-manager-legacy-ucd-tcs has been removed (Bug 41637).
  • The packages univention-log-collector-server and univention-log-collector-client have been removed from UCS (Bug 41638).
  • During the upgrade to UCS 4.2, it could happen that a restart of the SpamAssassin daemon failed due to old Perl modules. The updated perl package now ensures that the spamassassin package is updated first (Bug 43534).
  • Some old packages like emacs23 are no longer part of Debian Jessie. Dependencies on such old packages have been updated to their replacements (Bug 43649).
  • Old custom firefox packages have been replaced with the Debian upstream package firefox-esr. During the update to Univention Corporate Server 4.2-0 the old packages are automatically replaced (Bug 42322).
  • The time service (TCP port 37) has been disabled and the corresponding UCR variables for the firewall accept rule are not set by default any longer. During update, the UCR variables for the firewall accept rule are unset (Bug 42109).
  • univention-join now uses SNTP for initial time sync (Bug 43987).
  • univention-firewall has been adapted to new iptables rules created by the upgraded docker service (Bug 43707).