UCS 4.4 Release Notes

Release notes for the installation and update of Univention Corporate Server (UCS) 4.4-1


Table of Contents

1. Release Highlights
2. Notes on the update
2.1. Recommended update order
2.2. UCS installation DVDs only available as 64-bit variant
3. Preparing the update
4. Post-update steps
5. Notes on the use of individual packages
5.1. Univention Directory Notifier
5.2. Collection of usage statistics
5.3. Scope of security support for WebKit, Konqueror and QtWebKit
5.4. Recommended browsers for accessing Univention Management Console
6. Changelog
6.1. General
6.2. Basic system services
6.2.1. Boot Loader
6.3. Domain services
6.3.1. OpenLDAP
6.3.1.1. Listener/Notifier domain replication
6.4. Univention Management Console
6.4.1. Univention Management Console web interface
6.4.2. Univention Portal
6.4.3. Univention Management Console server
6.4.4. Univention App Center
6.4.5. Univention Admin Diary
6.4.6. Univention Directory Manager UMC modules and command line interface
6.4.7. Modules for system settings / setup wizard
6.4.8. Domain join module
6.4.9. Users module
6.4.10. System diagnostic module
6.4.11. Filesystem quota module
6.5. Univention base libraries
6.6. System services
6.6.1. DHCP
6.6.2. DNS
6.6.3. Mail
6.6.4. PAM
6.6.5. SAML
6.6.6. Univention self service
6.6.7. Printing services
6.6.8. Nagios
6.6.9. Kerberos
6.6.10. NFS
6.7. Virtualization
6.7.1. UCS Virtual Machine Manager (UVMM)
6.8. Services for Windows
6.8.1. Samba
6.8.2. Univention S4 Connector
6.8.3. Univention Active Directory Connection
6.9. Other changes

§Chapter 1. Release Highlights

With Univention Corporate Server 4.4-1 the first point release for Univention Corporate Server (UCS) 4.4 is available. It includes feature extensions and improvements, new properties as well as various detail improvements and bug fixes. The most important changes at a glance:

  • By configuring custom stylesheets, the appearance of the login and Self Service web pages can be customized.

  • There are significant performance improvements of the Directory Manager in environments with large LDAP structures.

  • A new feature in the App Center gives hints on complementary apps, based on the apps already installed in the environment.

  • A beta version of the new UDM REST API has been released.

  • Some UCS packages have been adapted for the future migration to Python 3.

  • Various security updates have been integrated into UCS 4.4-1, e.g. for Samba, the Linux kernel and Dovecot. A complete list of security and package updates can be found in Chapter 6.

§Chapter 2. Notes on the update

During the update, temporary failures of services within the domain may occur. For this reason, the update should be performed within a maintenance window. It is generally recommended to first apply and test the update in a test environment. The test environment should be identical to the production environment. Depending on system speed, network connection and installed software, the update can take between 20 minutes and several hours.

§2.1. Recommended update order

In environments with more than one UCS system, the update order of the UCS systems must be observed:

The domain controller master holds the authoritative version of the LDAP directory service, which is replicated to all other LDAP servers in the UCS domain. Since release updates can involve changes to the LDAP schemas, the domain controller master must always be the first system to be updated in a release update.

§2.2. UCS installation DVDs only available as 64-bit variant

As of UCS 4, UCS installation DVDs are only provided for 64-bit architectures. Existing 32-bit UCS 3 systems can still be updated to UCS 4 via the online repository or via update DVDs. The 32-bit architecture will continue to be supported for the entire UCS 4 maintenance period.

§Chapter 3. Preparing the update

It should be checked whether sufficient disk space is available. A standard installation requires at least 10 GB of disk space. Depending on the size of the existing installation, the update requires approximately 4 GB of additional disk space for downloading and installing the packages.

For the update, a login should be performed on the local console of the system as user root and the update started there. Alternatively, the update can be performed via Univention Management Console.

A remote update via SSH is not recommended, as an interruption of the network connection may, for example, abort the update process and leave the system in an impaired state. If an update is nevertheless performed over a network connection, it must be ensured that the update continues to run even if the network connection is interrupted. For this purpose, tools such as screen or at can be used, which are installed on all UCS system roles.

Univention provides a script with which problems that would prevent the update of the UCS system can be detected before the update. This script can be downloaded to the system manually and executed before the update:

# download
curl -OOs http://updates.software-univention.de/download/univention-update-checks/pre-update-checks-4.4{,.gpg}

# run script
gpgv --keyring /usr/share/keyrings/univention-archive-key-ucs-4x.gpg pre-update-checks-4.4.gpg \
        pre-update-checks-4.4 && bash pre-update-checks-4.4

...

Starting pre-update checks ...

Checking app_appliance ...                        OK
Checking block_update_of_NT_DC ...                OK
Checking cyrus_integration ...                    OK
Checking disk_space ...                           OK
Checking hold_packages ...                        OK
Checking ldap_connection ...                      OK
Checking ldap_schema ...                          OK
...

§Chapter 4. Post-update steps

After the update, the new or updated join scripts must be run. This can be done in two ways: either via the UMC module Domain join or by running the command univention-run-join-scripts as user root.

Afterwards, the UCS system must be restarted.

§Chapter 5. Notes on the use of individual packages

§5.1. Univention Directory Notifier

Due to a design flaw in version 2 of the Univention Directory Notifier network protocol, any user can obtain information about changes to the LDAP directory service. A new protocol version 3 was implemented with UCS 4.3-3 erratum 427. For compatibility with old UCS systems, Univention Directory Notifier continued to offer version 2 by default. Starting with UCS 4.4, new installations only offer version 3 by default. Protocol 2 can be re-enabled by changing the Univention Configuration Registry variable notifier/protocol/version to 2 and restarting Univention Directory Notifier.

§5.2. Collection of usage statistics

When the UCS Core Edition is used, anonymous usage statistics on the use of Univention Management Console are generated. The modules opened are logged by an instance of the web traffic analysis tool Piwik. This allows Univention to tailor the development of Univention Management Console better to customer interests and to make usability improvements.

This logging only takes place when the UCS Core Edition is used. The license status can be checked via the entry License -> License information of the user menu in the top right corner of Univention Management Console. If the entry UCS Core Edition is shown under License type, such an edition is in use. When a regular UCS license is used, there is no participation in the usage statistics.

The logging can be disabled independently of the license in use by setting the Univention Configuration Registry variable umc/web/piwik to false.

§5.3. Scope of security support for WebKit, Konqueror and QtWebKit

WebKit, Konqueror and QtWebKit are shipped in the maintained branch of the UCS repository, but are not supported with security updates. WebKit is mainly used for displaying HTML help pages and the like. Firefox should be used as the web browser.

§5.4. Recommended browsers for accessing Univention Management Console

Univention Management Console uses numerous JavaScript and CSS functions for rendering the web interface. Cookies must be allowed in the browser. The following browsers are recommended:

  • Chrome as of version 71

  • Firefox as of version 60

  • Safari and Safari Mobile as of version 12

  • Microsoft Edge as of version 18

As of this release, Internet Explorer is no longer supported by Univention Management Console.

Display or performance problems may occur with older browsers.

§Chapter 6. Changelog

The changelogs with the detailed change information are maintained in English only. Listed are the changes since UCS 4.4-0:

§6.1. General

§6.2. Basic system services

§6.2.1. Boot Loader

  • Fix usage of Univention Configuration Registry Python module in univention-bootsplash. (Bug 49129)

§6.3. Domain services

§6.3.1. OpenLDAP

  • OpenLDAP restricts the number of returned entries when searching. This can be configured using the Univention Configuration Registry variable ldap/sizelimit, which defaults to 400k. This is not enough for univention-translog prune. Remove the limit for searches connecting via ldapi:///. (Bug 49505)
  • Use slaptest for LDAP schema checking in the ldap_extension module. (Bug 49596)
  • Increase the length of the LDAP root password (/etc/ldap/rootpw.conf) used for LDAP replication to improve security against brute force attacks. (Bug 48606)
  • By default univention-ldapsearch appends the argument -o ldif-wrap=no now. (Bug 48683)

§6.3.1.1. Listener/Notifier domain replication

  • The resync_objects.py helper script now respects the configured local LDAP port. (Bug 49228)
  • Check available file system space before writing transactions. (Bug 28233)
  • Fix regression from UCS 4.3-3 erratum 426 in cn=translog setup, which reset the LDAP indexes. (Bug 48971)
  • Since UCS 4.3-3 erratum 427 the Univention Directory Notifier (UDN) writes transactions both to the file /var/lib/univention-ldap/notify/transaction and the cn=translog database in OpenLDAP. A failed write to the latter can make UDN abort, in which case UDN is restarted automatically and writes the pending transactions to said file again. This leads to inconsistency. The order has been swapped to prevent this issue from happening again. The transaction file might require manual corrections if UDN fails to start up properly. (Bug 49198)
  • Deprecated and unused code has been removed. (Bug 49277)
  • Add univention-translog check --fix command to check (and fix) inconsistency between the files /var/lib/univention-ldap/notify/transaction, /var/lib/univention-ldap/notify/transaction.index, /var/lib/univention-ldap/listener/listener, and /var/lib/univention-ldap/last_id. (Bug 49201)
  • Implement command univention-translog prune to prune old transactions from the transaction file and database. This can be used to save space.

    Warning

    This procedure is dangerous and should ONLY be executed if ALL Univention Directory Listeners (UDL) in the domain have processed all previous transactions. Otherwise the UDLs will no longer be able to process transactions and affected systems must be re-joined! Systems which have not been running for some time or are restored from backup must also be re-joined if their last processed transaction is no longer contained in the purged translog. (Bug 48729)

§6.4. Univention Management Console

§6.4.1. Univention Management Console web interface

  • Change dependency of package univention-dojo-dev from openjdk-7 to default-jre-headless as the former is deprecated and no longer maintained. (Bug 49508)
  • The legacy path /umcp/ to access UMC backend has been removed. (Bug 49639)
  • The design of the UMC login page can now be adjusted via /usr/share/univention-management-console-login/css/custom.css. (Bug 49436)
  • UMC does not respond with an error anymore if no English locale is configured. (Bug 47602)
  • The UMC for UCS Core Editions shows a notification that informs about the UCS Ambassador Program. (Bug 49731)
  • Error messages during login or password changing are translated again. (Bug 49029)
  • The SAML identity provider is not configured in UMC anymore if it is disabled via the Univention Configuration Registry variable umc/web/sso/enabled. (Bug 48224)
  • The label and icon of some widgets are now configurable. (Bug 49730)
  • Notifications can now be shown non-truncated. (Bug 49731)
  • A cross site scripting vulnerability in umc.widgets.Editor has been fixed. This affected portal entries. (Bug 48812)
  • Preparations for better browser cache-control have been implemented. (Bug 48995)
  • It is possible to define standby animations for form dependencies now. (Bug 46919)
  • Password input fields can now have a button to show the password in clear text. (Bug 49099)
  • Grids can now automatically encode HTML entities. (Bug 48972)

§6.4.2. Univention Portal

  • Portal entries which are limited to users are now shown when the user is logged in via email address. (Bug 49619)
  • Whether portal entries are opened in the same tab or a new tab is now configurable. (Bug 45318)
  • Debug statements were added to the portal server listener. (Bug 49113)
  • The file permissions for the cache directory of the Portal are now stricter. This prevents warnings in the System diagnostic UMC module. (Bug 48814)
  • Obsolete code has been removed. (Bug 48943)
  • The robustness of the univention-portal-server has been increased. (Bug 49526)
  • The univention-portal-server is reloaded after a server password rotation. (Bug 49746)

§6.4.3. Univention Management Console server

  • The error message for a failed password change has been improved. (Bug 48897)
  • The UCS identity provider configuration is always fetched when executing the joinscript 92univention-management-console-web-server.inst. (Bug 48198)
  • Obsolete code has been removed. (Bug 48943)
  • The UMC now uses json instead of simplejson. (Bug 47377)
  • Corrupt translation files cannot cause UMC to crash anymore. (Bug 49775)
  • LDAP connection problems could result in an error loop, with the following error ldapError: Insufficient access. This has been fixed by ensuring a new connection is used after LDAP connection problems. (Bug 46089)
  • A crash of UMC in rare situations has been corrected. (Bug 48157)
  • The pam_cracklib behavior prior to UCS 4.3 erratum 450 has been restored. Therefore password changes do not require strong passwords anymore if no password policy is defined in the domain. (Bug 49239)

§6.4.4. Univention App Center

  • Log rotation for container logs has been enabled in the docker daemon, and can be configured via the Univention Configuration Registry variables docker/daemon/default/opts/log-driver (default json-file) and docker/daemon/default/map/log-opt (default max-file=4,max-size=10m). (Bug 47416)
  • Added a new listener to save a mapping for App Attributes that the UDM UMC module may read. (Bug 48895)
  • Extended Attributes are only searched for in the correct LDAP container. (Bug 48982)
  • A crash when registering attributes is prevented during the activation of new schema extensions. (Bug 45513)
  • Docker image verification was removed from the App Center code. Instead, we rely on the functions of Docker itself. (Bug 48670)
  • The App Center waits for a dpkg lock before attempting to install database software packages. If starting the database service fails anyway, we now send more verbose information. (Bug 48669)
  • The package univention-appcenter is now built with dh_python2. (Bug 49145)
  • A visual flickering in the App Center overview has been removed. (Bug 49089)
  • Create app password file on host before starting container. (Bug 49491)
  • The App Center now shows app suggestions based on already installed apps. (Bug 49510)
  • Handling of the docker-compose Univention Configuration Registry template file has been fixed. (Bug 49517)
  • Abort installation if machine.secret could not be copied into container. (Bug 49543)
  • Improve error handling during container start. (Bug 48881)
  • More debug messages during SetupFailed. (Bug 49625)
  • Do not revert (remove, reinstall old) after failed App update. (Bug 49645)
  • The docker App upgrade message has been changed. (Bug 49742)
  • Suggestions based on currently installed Apps are now dynamically loaded from the App Center server. (Bug 49770)

§6.4.5. Univention Admin Diary

  • The Admin Diary now displays dates correctly in Safari. (Bug 49579)
  • HTML entities in the Diary overview are now properly encoded. (Bug 48972)
  • Improve robustness and traceback logging. (Bug 49056)
  • Fix traceback in admindiary.client.write_event() in univention-updater occurring in Docker containers during docker build. (Bug 49056)

§6.4.6. Univention Directory Manager UMC modules and command line interface

  • A new package has been added which contains a prototype of a HTTP service for the Univention Directory Manager. (Bug 49667)
  • Creating reports of objects which reference non-existing objects is possible again. This was the case for the secretary of user objects and the networks of computer objects. (Bug 47922)
  • Rely on the App Center listener to create the App Attributes mapping rather than doing it in the UMC module. (Bug 48895)
  • Preparations for better browser cache-control have been implemented. (Bug 48995)
  • Requesting a Univention license activation during the initial system configuration has been repaired. (Bug 49384)
  • The computers/* UDM handlers now share a common base class. Code redundancy has therefore been reduced. (Bug 41659)
  • Searching for IP addresses of DNS host records is now possible. The Zone Time-to-Live and Mail Exchange properties of DNS objects aren't shown in the search field list anymore in UMC. (Bug 40668)
  • A crash of UDM caused by an extended attribute that overwrites a non-existent layout group is now prevented. (Bug 48551)
  • The object class univentionPolicyReference is now removed from objects when the last policy is dereferenced. (Bug 46466)
  • The search filter dnsAlias in the computer modules has been repaired. (Bug 31494)
  • Referenced portal entries and categories are now correctly updated when renaming or moving portal settings. (Bug 49526)
  • Stop caching machine connection in new UDM API for long running services. (Bug 49746)
  • It is now possible to specify LDAP server controls in the lookup() method of some UDM handlers. (Bug 49638)
  • Clean code by shortening univention.debug usage. (Bug 49422)
  • Explicit initialization of the default values of Univention Directory Manager properties has been removed from the code of all UDM modules. (Bug 49235)
  • The users/user UDM module now uses the LDAP filter univentionObjectType=users/user when searching for objects to increase performance. (Bug 48390)
  • When opening container objects, a lookup is performed to check whether this container is the default container for certain UDM objects. This lookup is now cached which makes opening many objects at once considerably faster. (Bug 49408)
  • After renaming an object the internal DN (self.dn) is updated correctly. The old DN can now be obtained via self.old_dn. This fixes the concurrent renaming and update of group membership for e.g. computer objects. (Bug 41694)
  • Several German translations have been updated. (Bug 49359)
  • Univention Directory Manager handlers now share a common base class. Code redundancy has therefore been reduced. (Bug 35687)
  • Default containers for domain controller computer objects can now be configured. (Bug 46919)
  • It is now possible again to modify the LDAP base, for example reference policies. This was broken since UCS 4.3-0. (Bug 46919)
  • udm users/user create without --set username does not cause an exception anymore. (Bug 48441)
  • Various LDAP filters are now escaped. (Bug 42791)
  • The use of obsolete univention.admin.config has been removed. (Bug 27804)
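The entries for Bug 42791 (LDAP filters are now escaped) and Bug 48390 (the users/user module searches with univentionObjectType=users/user) concern the same mechanism: a value taken from a caller must not be able to change the meaning of the filter it is placed in. The following is an added example, not code from the release notes or from UDM; the function names are assumptions, and only the base filter comes from the changelog. It shows RFC 4515 escaping of a filter value, the unescaped form beside it for contrast, and a minimal balance check that catches the crash case.

```python
# Added example: RFC 4515 escaping for values placed in LDAP search filters.
# Not code from the UCS release notes or from Univention's UDM modules; the
# function names and the filter shape are assumptions. The base filter
# univentionObjectType=users/user is the one the changelog names.

# Characters RFC 4515 requires to be escaped inside an assertion value; each
# is replaced by a backslash followed by two hex digits.
_FILTER_ESCAPES = {
    '\\': '\\5c',
    '*': '\\2a',
    '(': '\\28',
    ')': '\\29',
    '\x00': '\\00',
}


def escape_filter_value(value):
    """Escape a string for use as an assertion value in an LDAP filter."""
    return ''.join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter_unsafe(username):
    """Vulnerable form: the caller's input is interpreted as filter syntax.

    A '*' turns the exact uid match into a wildcard match, and an unbalanced
    parenthesis makes the server reject the whole search.
    """
    return '(&(univentionObjectType=users/user)(uid=%s))' % username


def build_user_filter(username):
    """Hardened form: the input can only ever match a literal uid value."""
    return '(&(univentionObjectType=users/user)(uid=%s))' % escape_filter_value(username)


def filter_is_balanced(ldap_filter):
    """Cheap sanity check: parentheses outside escapes must balance.

    Escaped parentheses are emitted as \\28 and \\29, so they are not
    counted; an unescaped ')' smuggled in through a value is.
    """
    depth = 0
    for ch in ldap_filter:
        if ch == '(':
            depth += 1
        elif ch == ')':
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


if __name__ == '__main__':
    # Constructed sample input: a username carrying a wildcard character.
    sample = 'j.doe*'
    print(build_user_filter_unsafe(sample))  # matches every uid starting with j.doe
    print(build_user_filter(sample))         # matches only the literal value
```

python-ldap ships the same escaping as ldap.filter.escape_filter_chars; the hand-written version above only exists so the example runs without an LDAP library installed.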

§6.4.7. Modules for system settings / setup wizard

  • A message is shown to warn about the inability to install Samba4 or UCS@school if a host name with more than 13 characters is chosen. (Bug 43326)
  • Fixed a special case for the initial domain join, the DC master hostname may now differ from the value read from the DNS server. (Bug 48134)
  • The unused dependency to python-simplejson has been removed. (Bug 35687)
  • Requesting a Univention license activation during the initial system configuration has been repaired. (Bug 49384)
  • For UCS@school: The setup process now includes a new confirmation prompt in UCS@school environments to make sure that the server should be set up with the correct UCS@school role (educational, administrative or central). (Bug 49271)

§6.4.8. Domain join module

  • If a failed.ldif file exists at the start of a join, it will be removed. (Bug 47603)
  • Fixed joining a host into a UCS domain when using bonded network interfaces. (Bug 49298)
  • The path to /usr/sbin/univention-admin-diary-entry-create is now explicit in univention-join. (Bug 48972)

§6.4.9. Users module

  • Prevent high CPU usage in the Users module. (Bug 47985)

§6.4.10. System diagnostic module

  • Updated the sysvolcheck check. (Bug 46643)
  • Remove the sysvolcheck as it reports irritating false positives for GPOs created via GPMC. (Bug 49335)

§6.4.11. Filesystem quota module

  • Previously, when quota policies were set on multiple shares that are located on the same mountpoint, a quota policy that had a value of zero (meaning no quota is enforced) would overwrite smaller quota policies. This behavior has been changed to always choose the smallest value. (Bug 48000)

§6.5. Univention base libraries

  • Split low-level C implementation from Python binding to simplify transition to using dh_python2 and adding Python 3 support. (Bug 49130)
  • Unify pure-python version debug2.py again with C-version debug.py. (Bug 46100)
  • Deprecate function class in favor of trace decorator. (Bug 43422)
  • Preparations for better browser cache-control have been implemented. (Bug 48995)
  • The python3-univention package dependencies have been adjusted. (Bug 49136)
  • The package dependency loop for python-univention-debug has been broken by introducing a new binary package python-univention-namespace. (Bug 49506)
  • It is now possible to specify LDAP server controls in the univention.uldap.access.search() methods. (Bug 49638)
  • The package univention-python now uses dh_python2 instead of python-support. Therefore Python modules are installed into /usr/lib/python2.7/dist-packages/univention/. (Bug 49140)

§6.6. System services

§6.6.1. DHCP

  • The setting for unknownClients from the UMC policy DHCP Scope is no longer applied to a DHCP pool statement. This is not allowed by the syntax of the DHCP daemon. (Bug 20222)

§6.6.2. DNS

  • Fix dependency header of legacy SysV init script to work in environments installed with UCS-4.2 or older and without Samba4. (Bug 49441)
  • The robustness of the listener for DNS zones has been improved. Certain LDAP DNS objects could cause path injection vulnerabilities causing arbitrary file reading and modifications as well as crashes of the bind service. (Bug 41005)

§6.6.3. Mail

  • LDAP ACL ordering on DC slaves allowed regular users access to private information. Reordering of ACLs fixes this issue. (Bug 48608)
  • Prevent creation of empty mailboxes in /var/spool/dovecot/private/ by unsuccessful login attempts of users without a primary mail address. (Bug 49038)
  • Add SNI support to univention-mail-dovecot. Additional FQDNs and certificates can be configured with the Univention Configuration Registry variables mail/dovecot/ssl/sni/$fqdn/certificate=$path_to_certificate and mail/dovecot/ssl/sni/$fqdn/key=$path_to_certificate_key. (Bug 48485)

§6.6.4. PAM

  • An open SSH connection will now properly get closed when shutting down a system. (Bug 47233)

§6.6.5. SAML

  • The session duration of the identity provider is now configurable with the new Univention Configuration Registry variable saml/idp/session-duration. With this update, the default value for a SAML session is raised from 8 to 12 hours. (Bug 49503)
  • The design of the UMC single sign-on page can now be adjusted via /usr/share/univention-management-console-login/css/custom.css. (Bug 49436)

§6.6.6. Univention self service

  • Fixed links to the Self Service-App not working when the Univention Configuration Registry variable umc/self-service/profiledata/enabled is set to false. (Bug 45041)
  • The Self Service-App can now be styled via the /var/www/univention/self-service/css/custom.css CSS file. (Bug 49343)
  • Fix German translation. (Bug 49380)

§6.6.7. Printing services

  • It is now possible to use space characters in samba printer names. (Bug 48947)
  • A security vulnerability in the listener has been fixed which caused overwriting or removal of arbitrary files. (Bug 49296)
  • The package description has been fixed. (Bug 28681)
  • Fix regression caused by UCS 4.4-1 erratum 94 in ghostscript. (Bug 49721)
  • The cups configuration in /etc/cups/cupsd.local.conf is applied again. Since UCS 4.3 erratum 149 the cups Include directive has been removed. Changes in the /etc/cups/cupsd.local.conf configuration require a ucr commit /etc/cups/cupsd.conf now. (Bug 48437)
  • The listener now handles DN syntax correctly. (Bug 43430)

§6.6.8. Nagios

  • A Nagios check for the cn=translog database has been added. (Bug 48422)
  • A Nagios check for the univention-directory-listener database has been added. To apply it on a slave domain controller, backup domain controller or member server execute: univention-run-join-scripts --force --run-scripts 30univention-nagios-client.inst (Bug 48617)

§6.6.9. Kerberos

  • The build system for the package univention-python-heimdal has been changed to dh_python2. (Bug 49139)

§6.6.10. NFS

  • A newline injection vulnerability has been fixed which allowed to add further entries to /etc/exports. (Bug 44054)

§6.7. Virtualization

§6.7.1. UCS Virtual Machine Manager (UVMM)

  • Re-connect VMs to bridges on network restart. (Bug 47701)
  • Use interleaved memory policy on NUMA architectures by default. (Bug 49574)
  • Fix Python traceback while handling select() exception. (Bug 49403)
  • Preparations for better browser cache-control have been implemented. (Bug 48995)
  • Re-compile libvirt with NUMA support enabled. (Bug 49574)
  • Since UCS 4.3 erratum 269 UVMM can be configured to check the CPU model before performing a live migration. Due to a bug in libvirt the use of host-model does not survive the creation of snapshots or suspend to disk and gets rewritten to the concrete CPU model of the host system. This has been fixed. Old snapshots created and domains suspended before this erratum might fail to start, in which case the CPU configuration must be manually removed from the XML description using virsh snapshot-edit or virsh save-image-edit respectively. (Bug 49425)

§6.8. Services for Windows

§6.8.1. Samba

  • Improve samba-tool ntacl sysvolcheck to reduce reporting false positives. This can be run by using the new option --mask-msad-differences. Without the new option the reporting is unchanged. This is another step in the ongoing quest of improving the quality of this tool for NTACL inheritance. (Bug 46643)
  • The folder windows-profiles in the home share is now hidden. (Bug 48541)
  • Several vulnerabilities in the listener for shares have been fixed: The names of shares are validated. The blacklist for share paths is now evaluated correctly. Configuration values are now correctly quoted to prevent injecting multiple further share entries. (Bug 44054)
  • Re-add auth methods option removed from upstream Samba sources. (Bug 49426)
  • If samba fails to set the new password in a server password change, the changes will be reverted. (Bug 48541)
  • UCS will now use password generation from samba for administrator accounts. (Bug 49193)
  • Set correct permissions for lock file on upstream server during sysvol synchronization. (Bug 48917)
  • Fix permissions of template files dns_update_list and spn_update_list. (Bug 49025)
  • Update to Samba 4.10.1. (Bug 49034)
  • Internal improvement: fixed quoting of shell variables. (Bug 48989)
  • When univention-samba4-backup fails, cron will automatically send system-mails to root. (Bug 49399)
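The NFS entry in 6.6.10 (newline injection into /etc/exports, Bug 44054) and the share listener entry above (share name validation, the path blacklist, quoting of configuration values, the same bug) describe one input-validation problem seen from two config files. The following added example is not the code of the UCS share listeners; it shows one way a share record taken from the directory can be validated and rendered for /etc/exports and smb.conf so that a single value can never produce a second entry or export a system directory. The blacklist, the function names and the sample values are assumptions constructed for this example.

```python
# Added example, not the code of the UCS share listeners for NFS or Samba.
# PATH_BLACKLIST, the function names and the sample records are assumptions.
import os
import re

# Assumed: directories that must never be exported, whatever the LDAP object says.
PATH_BLACKLIST = ('/etc', '/proc', '/sys', '/dev', '/boot')

# Share names: a conservative character class, so a name can contain neither a
# newline nor the brackets that open a new smb.conf section. \Z is used instead
# of $ because $ would also accept a value that ends in a newline.
_NAME_RE = re.compile(r'[A-Za-z0-9][A-Za-z0-9 ._-]{0,79}\Z')
# Anything a config writer must never emit unescaped in a value.
_CONTROL_RE = re.compile(r'[\x00-\x1f\x7f]')


class ShareError(ValueError):
    """Raised when a share record would produce an unsafe config entry."""


def validate_share_name(name):
    if not _NAME_RE.match(name):
        raise ShareError('invalid share name: %r' % name)
    return name


def validate_share_path(path):
    """Return the normalised absolute path or raise if it is unsafe to export."""
    if _CONTROL_RE.search(path):
        raise ShareError('control character in share path: %r' % path)
    if not os.path.isabs(path):
        raise ShareError('share path must be absolute: %r' % path)
    # normpath collapses '/home/../etc' to '/etc', so the blacklist is checked
    # against the directory that would actually be exported.
    clean = os.path.normpath(path)
    for forbidden in PATH_BLACKLIST:
        if clean == forbidden or clean.startswith(forbidden + '/'):
            raise ShareError('share path is blacklisted: %r' % clean)
    return clean


def nfs_exports_line(path, hosts, options=('rw', 'sync')):
    """Render one /etc/exports line after validating every field."""
    clean = validate_share_path(path)
    for host in hosts:
        # A client spec is a name, address, network, wildcard or @netgroup;
        # whitespace or parentheses would start a second client entry.
        if not re.match(r'[A-Za-z0-9.:*?/@_-]+\Z', host):
            raise ShareError('invalid export host: %r' % host)
    for opt in options:
        if not re.match(r'[A-Za-z0-9_=:.-]+\Z', opt):
            raise ShareError('invalid export option: %r' % opt)
    # exports(5) allows a path containing spaces to be enclosed in double quotes.
    quoted = '"%s"' % clean if ' ' in clean else clean
    clients = ' '.join('%s(%s)' % (host, ','.join(options)) for host in hosts)
    return '%s %s' % (quoted, clients)


def smb_share_section(name, path, comment=''):
    """Render an smb.conf share section.

    smb.conf has no escape syntax for values, so the only safe choice is to
    reject values that could terminate the line or open another section.
    """
    clean_name = validate_share_name(name)
    clean_path = validate_share_path(path)
    if _CONTROL_RE.search(comment):
        raise ShareError('control character in share comment: %r' % comment)
    return '[%s]\n\tpath = %s\n\tcomment = %s\n' % (clean_name, clean_path, comment)


def rejects(func, *args):
    """True if func raises ShareError for these arguments."""
    try:
        func(*args)
    except ShareError:
        return True
    return False


if __name__ == '__main__':
    # Constructed sample records.
    print(nfs_exports_line('/srv/shares/data', ['10.0.0.0/24', '@lab']))
    print(smb_share_section('data', '/srv/shares/data', 'team share'))
    print(rejects(validate_share_path, '/home/../etc/ssh'))  # True: blacklisted after normpath
```

The path check normalises before comparing so that the blacklist cannot be bypassed with `..` components, which is the same failure mode as the path traversal entries elsewhere in this changelog; the name and comment checks reject control characters outright because neither smb.conf nor exports(5) offers a way to escape a newline inside a value.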

§6.8.2. Univention S4 Connector

  • A trivial Univention Configuration Registry syntax error has been fixed in the joinscript. (Bug 35237)
  • Remove lockingdb and s4cache during re-join. (Bug 40773)
  • When the S4-Connector starts, it logged the group cache initialization at level INFO. In debugging situations that can lead to a lot of output in connector-s4.log which is hard to scroll. The log volume of the group cache init has been lowered to log level ALL. (Bug 48364)
  • The scripts remove_ucs_rejected.py and remove_s4_rejected.py now escape SQL syntax. (Bug 49445)
  • Avoid rejects when DNS records have an uppercase DC attribute. (Bug 49643)
  • Fix traceback in password sync_to_ucs for machine accounts. (Bug 49649)
  • The package now uses dh_python2 instead of python-support. Therefore Python modules are installed into /usr/lib/python2.7/dist-packages/univention/s4connector/. (Bug 49176)
  • The detection of a running univention-s4-connector has been enhanced. (Bug 49176)
  • Duplicated code for the detection of superordinates has been removed. (Bug 45068)
  • Dead code for obsolete custom attributes from UCS 2 has been removed. (Bug 41554)
  • Excluding sub-trees from synchronization by S4-Connector is now possible by configuring Univention Configuration Registry variables matching the pattern connector/s4/mapping/ignoresubtree/. (Bug 47008)
  • The use of obsolete univention.admin.config has been removed. (Bug 27804)

§6.8.3. Univention Active Directory Connection

  • Dead code for obsolete custom attributes from UCS 2 has been removed from univention-ad-connector. (Bug 41553)
  • References to the obsolete password service in univention-ad-connector have been removed. (Bug 49111)

§6.9. Other changes

  • The package univention-errata-level has been updated to reset the Univention Configuration Registry variable version/erratalevel to 0. (Bug 48654)
  • If samba fails to set the new password in a server password change, the changes will be reverted. (Bug 49193)
  • The function getRootDnConnection() has been fixed. (Bug 49024)
  • The LDAP ACLs for read access to cn=monitor can now be extended via Univention Configuration Registry variables. (Bug 49387)
  • Fix escaping of LDAP DN, filters and shell arguments. (Bug 46323)
  • The creation of a default LDAP server policy is now configurable via the Univention Configuration Registry variable ldap/create-ldap-server-policy. (Bug 49386)
  • Log stderr if LDAP schema validation fails. (Bug 49500)
  • A symlink and code execution vulnerability has been fixed in univention.lib.listenerSharePath. (Bug 44054)
  • Python 3 compatibility for univention.lib.admember has been enhanced. (Bug 49176)
  • A path traversal vulnerability in the ldap_extension.py listener utilities has been fixed. (Bug 41780)
  • The detection of running services has been enhanced. (Bug 49176)
  • The script univention-policy-update-config-registry now has a new option to specify the LDAP server from which to get the policies. (Bug 35208)
  • Multiple rsyslog remote servers can now be specified in the Univention Configuration Registry variable syslog/remote. (Bug 48508)
  • Univention Configuration Registry templates which generate binary data have been fixed. This was broken since UCS 4.4-1 erratum 167 and could cause crashes of Univention Management Console due to corruptly generated translation files. (Bug 49775)
  • Make the systemd service timeout for mysqld configurable via the Univention Configuration Registry variable mariadb/startup/timeout. (Bug 46901)
  • The escaping of LDAP filters and distinguished names has been corrected. (Bug 40055)
  • Reconnect to DRS service in case the DRS replication for the password synchronization fails. (Bug 45127)
  • Default containers for computers/domaincontroller_master objects can now be configured. During the upgrade every default container for computer objects is set as default container for computers/domaincontroller_master except cn=computers and cn=memberservers,cn=computer. (Bug 46919)
  • Re-add accidentally dropped patch to insserv to ignore files ending on .debian. (Bug 49441)
  • ucs-lint: Also ignore temporary directory used by dh_python2. (Bug 42480)
  • ucs-lint: Fixed applying debian/ucslint.overrides when used with paths. (Bug 49520)
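The entries for Bug 46323 and Bug 40055 above concern escaping of LDAP distinguished names, filters and shell arguments. As an added example that is not Univention's code, the block below shows RFC 4514 escaping of an RDN value taken from untrusted input, and shell-argument quoting for the case where a command line string cannot be avoided; the function names and the sample base DN are assumptions. The quoting helper is pipes.quote on the Python 2.7 that UCS 4.4 ships and shlex.quote on Python 3, so both are tried.

```python
# Added example of escaping for LDAP distinguished names (RFC 4514) and for
# shell arguments; not Univention's code. Function names and the sample base
# DN are assumptions.
try:
    from shlex import quote as shell_quote  # Python 3
except ImportError:  # Python 2.7, as shipped with UCS 4.4
    from pipes import quote as shell_quote


def escape_dn_value(value):
    """Escape an attribute value for use inside an RDN (RFC 4514)."""
    value = value.replace('\\', '\\\\')  # must come first
    for ch in ',+"<>;=':
        value = value.replace(ch, '\\' + ch)
    value = value.replace('\x00', '\\00')
    # A trailing space, and a leading space or '#', are special as well.
    # The tail is handled first so that a single-space value is escaped once.
    if value.endswith(' '):
        value = value[:-1] + '\\ '
    if value.startswith(' ') or value.startswith('#'):
        value = '\\' + value
    return value


def build_user_dn(uid, base='cn=users,dc=example,dc=com'):
    """Compose a user DN from an untrusted uid and a trusted base DN.

    Without escaping, a uid containing ',' or '=' would add or change RDNs
    and the resulting DN would point somewhere else in the tree.
    """
    return 'uid=%s,%s' % (escape_dn_value(uid), base)


def build_command_argv(script, args):
    """Preferred form: an argument list for subprocess, so no shell parses it."""
    return [script] + list(args)


def build_command_line(script, args):
    """When a single shell string is unavoidable, quote every argument."""
    return ' '.join(shell_quote(part) for part in build_command_argv(script, args))


if __name__ == '__main__':
    # Constructed sample values; the script path is hypothetical.
    print(build_user_dn('Doe, John'))
    print(build_command_line('/usr/local/bin/sync-share', ['my share', 'x;y']))
```

python-ldap provides the same DN escaping as ldap.dn.escape_dn_chars; the helper is written out here only so the example runs without it. The two command builders make the design choice explicit: pass an argv list to subprocess wherever possible, and fall back to per-argument quoting only when a shell string is genuinely required.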