Changelog for Univention Corporate Server (UCS) 5.0-4#

General#

  • The following updated packages from Debian 10.13 are included: 389-ds-base, acmetool, amanda, aptly, asterisk, binwalk, c-ares, connman, distro-info-data, dnscrypt-proxy, duktape, epiphany-browser, etcd, ffmpeg, fscrypt, g10k, git, gitlab-shell, gitlab-workhorse, gobuster, gokey, golang-1.11, golang-github-opencontainers-selinux, golang-go.crypto, golang-websocket, gopass, graphite-web, grunt, haproxy, hub, hugo, jackson-databind, joblib, jruby, json-smart, kamailio, keepalived, kopanocore, libapache2-mod-auth-mellon, libapache2-mod-auth-openidc, libdatetime-timezone-perl, libgit2, libmicrohttpd, libraw, libreoffice, libsdl2, libssh, linux-5.10, linux-signed-5.10-amd64, lldpd, maradns, mono, mpv, nbconvert, netatalk, node-css-what, nodejs, node-nth-check, node-url-parse, notary, nvidia-graphics-drivers-legacy-390xx, obfs4proxy, openimageio, openjdk-11, openvswitch, packer, protobuf, pypdf2, python-django, python-werkzeug, rainloop, rclone, redis, restic, ruby2.5, ruby-rack, ruby-sidekiq, shim-signed, snapd, sniproxy, snort, sofia-sip, sox, spip, sqlite, sqlparse, sssd, svgpp, syncthing, syslog-ng, sysstat, texlive-bin, thunderbird, tomcat9, trafficserver, tzdata, udisks2, webkit2gtk, wireless-regdb, wireshark, xapian-core, xfig, xrdp, zabbix

Univention Configuration Registry#

  • Future compatibility with Python 3.11 has been added (Bug #55632).

Changes to templates and modules#

  • A wrong Python format string in the rsyslog configuration has been fixed. It affected the following Univention Configuration Registry Variables: syslog/input/udp, syslog/input/tcp and syslog/input/relp (Bug #56042).

  • NFS shares can now be mounted on the exporting host itself, which prevents data loss on shared access (Bug #50193).

  • The deprecated command univention-keyboardmapping has been removed (Bug #50193).

Listener/Notifier domain replication#

  • Future compatibility with Python 3.11 has been added (Bug #55632).

  • The fix for Bug #54986 introduced an issue in the handling of start-stop-daemon that could result in an error message during systemctl restart univention-directory-notifier (Bug #55957).

  • The command univention-translog reindex has been implemented to rebuild the transaction index file in case it becomes corrupted. Univention Directory Notifier (UDN) already has code to maintain the index, but after certain error cases the index may become corrupt and has to be rebuilt. The code in UDN isn't optimized for re-indexing many transactions in batch and shows performance issues for large transaction files (Bug #54797).

  • All new Object Identifiers (OIDs) for internally defined object classes (OCs) and attribute types (ATs) from OpenLDAP 2.5 have been added to the exclude list of Univention Directory Listener module replication.py. Also all OIDs of OCs and ATs provided internally by OpenLDAP modules have been added. The list of excluded OIDs is no longer maintained in replication.py itself, but is now stored in the file /usr/share/univention-ldap/oid_skip (Bug #55927).

Univention Management Console web interface#

  • Future compatibility with Python 3.11 has been added (Bug #55632).

  • It is now possible to access UDM modules with numbers in their name through the UDM REST API (Bug #55551).

  • The debug level is now correctly passed to child processes if it’s set through UCR (Bug #56051).

  • Updated the copyright file. We don’t ship icons from iconmonstr.com since UCS 5.0 (Bug #55862).

  • Form input fields that load values now show a standby animation (Bug #56053).

  • Text within disabled text boxes in the light theme is now displayed with better contrast when viewed in the Safari browser (Bug #55939).

Univention Portal#

  • The Portal is now able to display announcements, which are realized through a new UDM module portals/announcement (Bug #55175).

  • The old UDM modules for the UCS 4.4 Portal have been renamed to better distinguish between them in the web user interface (Bug #55409).

  • The documentation wasn't specific enough about which command to run after the Univention Configuration Registry Variable portal/default-dn has been changed. Running univention-portal update after changing the variable is sufficient (Bug #55871).

  • The Choose a tab dialog box now displays tabs with their background color (Bug #55919).

  • Updating the portal information now uses a local UDM connection, thus removing potential load on the Primary Node in large environments (Bug #56113).

  • Future compatibility with Python 3.11 has been added (Bug #55632).

  • The self-service notifications no longer show mixed language (English and German) when users modify their profile or change their password (Bug #55664).

Univention Management Console server#

  • The Univention Management Console server and web server have been merged into a single executable. The implementation now uses Tornado instead of the UCS specific Python Notifier implementation (Bug #43633).

  • Restarts of the Univention Management Console in Debian maintainer scripts and join scripts are now done using deb-systemd-invoke to respect the policy layer (Bug #54586).

  • Disable the SOAP binding for single sign-out in the identity provider metadata to make sure UCS doesn’t use SOAP for the UMC SAML logout (Bug #56069).

  • The join script now uses Python 3 instead of Python 2 to update SAML metadata. Future compatibility with Python 3.11 has been added (Bug #55632).

  • The error message shown during password reset or change now appends the text from the Univention Configuration Registry Variable umc/login/password-complexity-message/.* when the password complexity criteria aren't met (Bug #55529).

  • The usage of multiple languages in various messages, such as notifications, has been eliminated (Bug #55664).

  • For UCS 5.0-3 the UMC services were converted to systemd. These services must keep running even while updates are installed from UMC. Due to an oversight, the first UCS 5.0 erratum 583 triggered a latent bug which caused the service to stop during the upgrade, killing any web session and cancelling the update process running in the background. This update adds a mitigation that prevents the service from stopping during the update (Bug #55753).

  • A missing Python 2.7 dependency has been added so that UMC modules using Python 2.7 work again (Bug #55752).

  • Building the downstream package Univention System Setup failed because of missing package dependencies in Univention Management Console. They had been added with UCS 5.0-3 and changed by UCS 5.0 erratum 595, but were added to the wrong binary packages (Bug #55776).

  • A crash of the UMC server and UMC web server is now prevented (Bug #55959).

  • The Univention Configuration Registry template for the Apache configuration in UMC multiprocessing mode has been repaired (Bug #55726).

  • The UMC join script no longer overwrites the Univention Configuration Registry Variable umc/saml/idp-server during execution (Bug #55951).

  • The script univention-management-console-client now accesses UMC through the HTTP interface instead of the deprecated UMCP (Bug #55913).

  • Some missing German translations have been added (Bug #56010).

Univention App Center#

  • The message and the button label shown in the UMC App Center when a pinned App is to be removed or upgraded have been made more consistent (Bug #55679).

  • Some installation code now runs with Python 3 instead of Python 2. Future compatibility with Python 3.11 has been added (Bug #55632).

  • The App Center listener now removes files from its queue that contain entryUUIDs whose corresponding UDM objects can’t be found. These files can’t be processed by the listener and would otherwise remain in the queue forever and cause infinite error logging (Bug #56072).

  • The command univention-app shell now supports the option --service_name to specify the Docker Compose service in which the command is executed (Bug #56038).

  • Error messages during app installations are now being translated (Bug #55664).

  • The App Center now supports adding custom settings to an app with a file /var/lib/univention-appcenter/apps/$APP_ID/custom.settings. This file has the same format as the standard App Center settings file (Bug #55765).

Univention Directory Manager and command line interface#

  • The usability of the shares module has been overhauled (Bug #44997, Bug #40599, Bug #7843, Bug #31388, Bug #42805, Bug #50701, Bug #53785, Bug #19868, Bug #21349).

  • The Simple UDM API now has a parameter to initialize a machine connection against the local slapd (Bug #56113).

  • Newly set passwords are now always added to the password history even if the check for password history is disabled (Bug #56020).

  • Future compatibility with Python 3.11 has been added (Bug #55632).

  • The syntax IComputer_FQDN used a wrong regular expression, which accepted some invalid values and was also susceptible to regular expression denial of service (ReDoS). The expression has been corrected (Bug #33684).

  • Problems during concurrent reloading of UDM modules have been resolved (Bug #54597).

  • Policies are now correctly written back in the Simple UDM API (Bug #56146).
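
The ReDoS entry for the IComputer_FQDN syntax above deserves a worked illustration. The following Python is an added example and not UCS code: the "vulnerable" pattern is a textbook nested-quantifier regex chosen for illustration, not the expression UCS actually shipped, and the linear-time validator (names is_valid_fqdn, LABEL and vulnerable_match_seconds are this example's own) is one possible replacement, not the one UCS adopted.

```python
"""Why an FQDN syntax check must avoid nested quantifiers.

Added example; the patterns here are illustrative and are NOT the regular
expression UCS used before or after Bug #33684.
"""
import re
import time

# Illustrative vulnerable pattern (assumption, not the UCS pattern): the outer
# "+" repeats a group whose own "+" can absorb the same characters, so a run of
# letters followed by a character that forces failure ("!") makes the engine
# try every way of partitioning the run: exponential in the input length.
VULNERABLE_FQDN = re.compile(r"^([a-zA-Z0-9-]+\.?)+$")

# Safe approach: bound the work per label and never let two quantifiers compete
# for the same characters. The label pattern has no nested unbounded repetition
# and backtracks at most 61 positions per label (max label length 63).
LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.IGNORECASE)
MAX_FQDN_LEN = 253


def is_valid_fqdn(value: str) -> bool:
    """Linear-time FQDN validation: split into labels, check each one."""
    if not value or len(value) > MAX_FQDN_LEN + 1:
        return False
    if value.endswith("."):            # allow a single trailing root dot
        value = value[:-1]
    if len(value) > MAX_FQDN_LEN:
        return False
    return all(LABEL.fullmatch(label) is not None for label in value.split("."))


def vulnerable_match_seconds(n: int) -> float:
    """Time the illustrative vulnerable pattern on a failing input of n letters.

    Each extra letter roughly doubles the time; keep n small.
    """
    payload = "a" * n + "!"
    start = time.perf_counter()
    VULNERABLE_FQDN.match(payload)
    return time.perf_counter() - start


if __name__ == "__main__":
    for host in ("host.example.com", "-bad.example.com", "a" * 64 + ".example.com"):
        print(f"{host[:40]:40} -> {is_valid_fqdn(host)}")
    for n in (14, 16, 18):
        print(f"vulnerable pattern, n={n}: {vulnerable_match_seconds(n):.3f}s")
    print("safe validator on the same kind of input:", is_valid_fqdn("a" * 18 + "!"))
```

The safe validator rejects the same malformed input in microseconds regardless of length, because the only backtracking left is bounded by the 63-character label limit. Splitting on the dot first is the general remedy: once each label is checked in isolation there is no ambiguity about where one repetition ends and the next begins.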

Modules for system settings / setup wizard#

  • Future compatibility with Python 3.11 has been added (Bug #55632).

Domain join module#

  • Future compatibility with Python 3.11 has been added (Bug #55632).

  • The binary package univention-management-console-module-join has been split from the source package univention-join into a separate one to prevent a circular build dependency (Bug #55870).

  • The package is now using the latest ldb version (Bug #55892).

System diagnostic module#

  • Two messages in the SAML certificate diagnostic check contained a typo in the German translation. The messages show up when the check complains about SAML certificates. The typo has been fixed (Bug #55874).

  • Future compatibility with Python 3.11 has been added (Bug #55632).

File system quota module#

  • Translations for the search bar in the UMC module Filesystem quotas have been added (Bug #55664).

Other modules#

  • Future compatibility with Python 3.11 has been added (Bug #55632).

Univention base libraries#

Software deployment#

  • The link to the release notes of future UCS releases has been fixed (Bug #55667).

  • A regression has been fixed where the UCS updater ignored the URL path of components when creating the list of repositories in the file /etc/apt/sources.list.d/20_ucs-online-component.list (Bug #55636).

  • A pre update check is now executed with Python 3 instead of Python 2 (Bug #55632).

Docker#

  • Containers using glibc version 2.34 or above require the system calls clone3 and faccessat2. These system calls have been added to the default Docker seccomp rules that are used by single container apps in the App Center (Bug #55360).
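
To show what "adding a system call to the default seccomp rules" amounts to, here is an added Python example (not App Center code) that merges syscall names into the unconditional allow rule of a profile in Docker's seccomp JSON layout. The embedded profile is a constructed, cut-down stand-in for Docker's default.json, and the names ensure_allowed and allowed_unconditionally are this example's own.

```python
"""Add system calls to a Docker seccomp profile's unconditional allow rule.

Added example, not App Center code. SAMPLE_PROFILE is a constructed,
cut-down stand-in for Docker's default profile; real profiles are much longer.
"""
import copy
import json

# Constructed minimal profile in Docker's seccomp JSON layout: a default action
# plus a list of rules, each with a "names" list, an action and optional
# argument filters. The ENOSYS stub for clone3 mirrors what Docker shipped so
# that older glibc falls back to clone(); glibc >= 2.34 needs the real call.
SAMPLE_PROFILE = json.loads("""
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
  "syscalls": [
    {"names": ["accept4", "clone", "faccessat", "read", "write"],
     "action": "SCMP_ACT_ALLOW", "args": []},
    {"names": ["clone3"], "action": "SCMP_ACT_ERRNO", "errnoRet": 38, "args": []},
    {"names": ["personality"], "action": "SCMP_ACT_ALLOW",
     "args": [{"index": 0, "value": 0, "op": "SCMP_CMP_EQ"}]}
  ]
}
""")

# The two calls named in the changelog entry.
GLIBC_234_SYSCALLS = ("clone3", "faccessat2")


def unconditional_allow_rule(profile: dict) -> dict:
    """Return the first allow rule without argument filters, creating it if absent."""
    for rule in profile["syscalls"]:
        if rule.get("action") == "SCMP_ACT_ALLOW" and not rule.get("args"):
            return rule
    rule = {"names": [], "action": "SCMP_ACT_ALLOW", "args": []}
    profile["syscalls"].append(rule)
    return rule


def allowed_unconditionally(profile: dict) -> set:
    """Set of syscall names the profile allows regardless of arguments."""
    return {
        name
        for rule in profile["syscalls"]
        if rule.get("action") == "SCMP_ACT_ALLOW" and not rule.get("args")
        for name in rule["names"]
    }


def ensure_allowed(profile: dict, names) -> tuple:
    """Return (new_profile, added) with every name in an unconditional allow rule.

    Idempotent: a second call adds nothing. A name previously handled by a
    non-allow rule (such as the ENOSYS stub for clone3) is removed from that
    rule, because allowing it is the intent; rules left empty are dropped.
    """
    new = copy.deepcopy(profile)
    already = allowed_unconditionally(new)
    target = unconditional_allow_rule(new)
    added = []
    for name in names:
        if name in already:
            continue
        for rule in new["syscalls"]:
            if rule is not target and name in rule.get("names", []):
                rule["names"].remove(name)
        target["names"].append(name)
        added.append(name)
    new["syscalls"] = [r for r in new["syscalls"] if r.get("names")]
    return new, added


if __name__ == "__main__":
    patched, added = ensure_allowed(SAMPLE_PROFILE, GLIBC_234_SYSCALLS)
    print("added:", added)
    print(json.dumps(patched, indent=2))
```

The point worth checking in a real profile is the second branch: a syscall that is already covered by an ERRNO stub must be removed from that rule, otherwise the container still gets ENOSYS and a glibc 2.34 binary fails at its first clone3 or faccessat2.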

SAML#

  • SimpleSAMLPHP is configured as a service provider in Keycloak, meaning it acts as a proxy and uses Keycloak as a backend. This is part of the migration from SimpleSAMLPHP to Keycloak in UCS (Bug #56074).

  • New commands have been added to univention-keycloak to create attribute mappers from the LDAP object to the internal Keycloak object (user-attribute-ldap-mapper) and to create user attribute mappers and name identifier mappers for SAML clients (saml-client-user-attribute-mapper, saml-client-nameid-mapper, Bug #56096).

  • The package univention-keycloak now supports the keycloak/server/sso/path app setting from the Keycloak app (Bug #56022).

  • The command upgrade-config has been added to univention-keycloak. This is used during upgrades of the Keycloak app to update the domain wide Keycloak configuration (Bug #55866).

  • Sub-commands for registering LDAP mapper, password update and self service extensions have been added to univention-keycloak (Bug #55663).

Univention self service#

  • A regression introduced in UCS 5.0-3 has been fixed which made it impossible to access the available password reset methods (Bug #55684).

  • The error message shown during password reset or when creating a new account now appends the text from the Univention Configuration Registry Variable umc/login/password-complexity-message/.* when the password complexity criteria aren't met (Bug #55529).

  • Self-service user attributes specified in Univention Configuration Registry Variable self-service/udm_attributes can be configured as read-only through the Univention Configuration Registry Variable self-service/udm_attributes/read-only (Bug #55733).

Mail services#

  • The migration of Fetchmail extended attributes has been moved to the join script univention-fetchmail to fix errors in environments where univention-fetchmail is installed on a non-primary node. The old extended attributes have also been restored to fix errors in environments where univention-fetchmail is running on a server that hasn't yet been upgraded (Bug #55882).

  • New checks have been added to the script migrate-fetchmail.py to avoid errors during execution when a Fetchmail configuration is incomplete (Bug #55893).

  • An error in UDM caused by the syntax of the Fetchmail extended attributes has been fixed. The bug occurred when hooks of other extended attributes of the user module initialized a UDM module (e.g. settings/extended_attribute, Bug #55910).

  • An error during execution of the join script univention-fetchmail-schema has been fixed. On Managed Nodes the correct credentials are now used to connect to LDAP, and the join script also verifies that the file /etc/fetchmailrc exists (Bug #55766).

  • The hooks, syntax files and scripts are now shipped in the package univention-fetchmail-schema to avoid errors in installations where univention-fetchmail is installed on Managed Nodes or Replica Directory Nodes (Bug #55681).

  • The listener module fetchmail now correctly loads the file /etc/fetchmailrc when there are entries from UIDs with a single character or with other valid characters like “’” (Bug #55682).

Printing services#

  • Updates no longer overwrite existing print-server configuration values with the defaults (Bug #55860).

  • Future compatibility with Python 3.11 has been added (Bug #55632).

  • cups has been updated, so that printing multiple copies now works (Bug #55886).

RADIUS#

  • It's now possible to log in with the primary mail address in addition to the username (Bug #55757).

  • The maximum TLS version has been changed to 1.2 to prevent issues with Microsoft Windows 10 and 11 clients. The maximum TLS version can be specified in the Univention Configuration Registry Variable freeradius/conf/tls-max-version (Bug #55247).

Proxy services#

  • Future compatibility with Python 3.11 has been added (Bug #55632).

Samba#

  • samba has been updated to version 4.18.3 (Bug #55907).

  • The AD password change has been moved to another package to avoid problems on systems that don’t have univention-samba installed (Bug #54390).

  • The logrotate configuration for samba-dcerpcd and samba-bgqd has been fixed (Bug #55597).

  • The final restart of Samba at the end of a package update has been adjusted to the new daemon signature in the process list (Bug #55677).

  • Under special conditions the listener module samba4-idmap.py wrote invalid values into the xidNumber attributes in idmap.ldb. They are corrected during the package update (Bug #55686).

  • When uploading printer drivers, PE files with a higher version now replace older files, regardless of the case of the filename (Bug #52051).

  • The Samba init scripts samba-ad-dc and samba now also stop the services samba-dcerpcd and samba-bgqd (Bug #55727).

  • In scenarios where a UCS AD domain runs next to a native Microsoft AD domain with an AD Connector mirroring users and password hashes between both, the option auth methods is usually adjusted on the UCS AD DCs so that Microsoft AD users can access SMB shares hosted on UCS member servers without typing in their password again. Since UCS 5.0 this broke Samba logon on the UCS AD DCs themselves. The Samba patch has been adjusted to only consider the method sam_ignoredomain from the list of values specified through the Univention Configuration Registry Variable samba/global/options/"auth methods" or directly in the Samba local.conf as the configuration parameter auth methods. If Samba finds this particular method in its configuration, it now appends it to the standard list of authentication methods instead of replacing the standard list completely. This approach should be more robust with respect to Samba release updates (Bug #55727).

  • Running the init script samba-ad-dc with the operation restart left Samba in a state that didn't recognize non-local domains. It has been made more robust by ensuring that nmbd is started again before the main samba daemon (Bug #55727, Bug #55678).

  • In domains with larger numbers of users the command wbinfo -u didn't return any results. This has been fixed (Bug #55962).

  • By default the KDC is now allowed to issue service tickets using AES encryption. Prior to UCS 5.0-4, Samba by default only issued service tickets encrypted with RC4 (also known as arcfour). This default applies only to service principals that don't have msDS-SupportedEncryptionTypes explicitly set in the SAM database; domain controllers do have it set and explicitly also support AES as ticket encryption type for service tickets, for example for SMB or DCERPC. With UCS 5.0-4, the Samba configuration additionally supports AES ticket encryption types for service tickets by default. This is controlled by the new Univention Configuration Registry Variable samba/kdc_default_domain_supported_enctypes (Bug #56077).
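
The precedence rule in the previous entry (the domain default applies only when msDS-SupportedEncryptionTypes is absent on the principal) is easy to get wrong when auditing which services still receive RC4-only tickets. The following Python is an added example, not Samba or UCS code: the bit values follow the public MS-KILE/MS-ADTS definitions, while the "before" and "after" domain defaults are modelled on the changelog entry (RC4 only, then RC4 plus AES) and are an assumption, not the literal value of the UCR variable. The sample principals are constructed.

```python
"""Decode msDS-SupportedEncryptionTypes and apply the KDC default fallback.

Added example, not Samba or UCS code. The bit layout is the documented one;
DEFAULT_BEFORE_5_0_4 and DEFAULT_FROM_5_0_4 are assumptions modelled on the
changelog, not the exact value UCS stores in the UCR variable.
"""
ENCTYPE_BITS = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
    0x20: "AES256-CTS-HMAC-SHA1-96-SK",
}
WEAK = {"DES-CBC-CRC", "DES-CBC-MD5", "RC4-HMAC"}

DEFAULT_BEFORE_5_0_4 = 0x04                 # RC4 only (assumed model of the old default)
DEFAULT_FROM_5_0_4 = 0x04 | 0x08 | 0x10     # RC4 + AES128 + AES256 (assumed)


def decode(bits: int) -> set:
    """Map a raw attribute value to the set of enctype names it enables."""
    return {name for bit, name in ENCTYPE_BITS.items() if bits & bit}


def service_ticket_enctypes(attr_value, domain_default: int) -> set:
    """Enctypes the KDC may use for a service ticket to this principal.

    attr_value is the principal's msDS-SupportedEncryptionTypes, or None when
    the attribute is not set. Only in that case does the domain default apply;
    an explicit value, even 0, wins over the default.
    """
    if attr_value is None:
        return decode(domain_default)
    return decode(attr_value)


def audit(principals: dict, domain_default: int) -> dict:
    """Return {principal: 'weak-only' | 'ok'} for a dict of name -> attr value.

    'weak-only' means every enctype the KDC may pick is DES or RC4 (or none).
    """
    report = {}
    for name, value in principals.items():
        etypes = service_ticket_enctypes(value, domain_default)
        report[name] = "weak-only" if etypes <= WEAK else "ok"
    return report


# Constructed sample: a DC with AES set explicitly (0x1C = RC4|AES128|AES256),
# plus a member server and a service account without the attribute.
SAMPLE = {"DC1$": 0x1C, "FILESERVER$": None, "svc-http": None}

if __name__ == "__main__":
    for label, default in (("before 5.0-4", DEFAULT_BEFORE_5_0_4),
                           ("5.0-4", DEFAULT_FROM_5_0_4)):
        print(label, audit(SAMPLE, default))
```

With the old default only the DC comes out "ok"; with the new default the principals without the attribute pick up AES as well, which is exactly the change the entry describes. Principals that do carry an explicit RC4-only value are unaffected by the UCR variable and need their attribute changed directly.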

Univention S4 Connector#

  • Handling of rejects due to invalid pickle files has been repaired (Bug #55774).

  • The script resync_object_from_ucs.py has an option --first that allows a particular DN or a filtered list of DNs to be replicated with priority. This update fixes the sort order so that these DNs are actually put at the first position in the synchronization queue (Bug #55880).

  • If the system was upgraded from UCS 4.4 and had rejected objects, the internal SQLite database was corrupted. The database will be repaired (Bug #54586).

  • The check for a running S4-Connector now only considers Python 3 processes (Bug #55632).

  • A translation for the MS group policy attribute has been added (Bug #55664).

Univention Active Directory Connection#

  • If the system was upgraded from UCS 4.4 and had rejected objects, the internal SQLite database was corrupted. The database will be repaired (Bug #54587).

  • A server password change script for AD member mode has been moved from univention-ad-connector to univention-role-server-common to cover different use cases (Bug #55940).

  • Handling of rejects due to invalid pickle files has been repaired (Bug #55774).

  • The check for a running AD-Connector now only considers Python 3 processes (Bug #55632).

  • A new server password change script has been added for AD member mode (Bug #54390).

Other changes#

  • The Content-Security-Policy header has been removed from the UCS realm initialization configuration, since it is handled by the Apache configuration (Bug #55866).

  • The extension for delegated password reset allows a group of users to reset the passwords of other users. Privileged users, for example Domain Admins, can be exempted. The set of these users is stored in the Univention Configuration Registry Variable ldap/acl/user/passwordreset/internal/groupmemberlist/, but its ordering was not stable and could change on each invocation of ldap-group-to-file.py. This led to a restart of slapd, which interrupted access to LDAP on a regular basis. This has been fixed by sorting the users and restarting slapd only when the set of users changes (Bug #56099).

  • The scripts of univention-l10n to manage translation are now executed with Python 3 instead of Python 2 (Bug #55632).

  • Future compatibility with Python 3.11 has been added (Bug #55632).
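
The ldap-group-to-file.py entry above (Bug #56099) is a general pattern: a generated file must be written deterministically, and the expensive consumer (here a slapd restart) must be triggered only when the content really changed. The following Python is an added example, not the UCS script; the one-DN-per-line file layout, the temporary path and the function names render, write_if_changed, sync_group_file and demo are this example's own assumptions.

```python
"""Write a membership file with stable ordering and report a change only when
the set of members actually changes.

Added example, not ldap-group-to-file.py from UCS. File layout (one DN per
line) and the temporary path are assumptions for the illustration.
"""
import os
import tempfile


def render(members) -> str:
    """Deterministic text for a set of member DNs: deduplicated, sorted, one per line."""
    unique = sorted(set(members), key=str.lower)
    return "".join(f"{dn}\n" for dn in unique)


def write_if_changed(path: str, content: str) -> bool:
    """Atomically write content; return True only if the file's content changed.

    The caller restarts slapd only when this returns True, so an LDAP search
    that merely returns the same members in a different order is a no-op.
    """
    try:
        with open(path, encoding="utf-8") as fh:
            if fh.read() == content:
                return False
    except FileNotFoundError:
        pass
    tmp = f"{path}.tmp.{os.getpid()}"
    with open(tmp, "w", encoding="utf-8") as fh:
        fh.write(content)
    os.replace(tmp, path)   # rename is atomic on the same filesystem
    return True


def sync_group_file(path: str, members) -> bool:
    """Return True if slapd needs a restart after syncing the member list."""
    return write_if_changed(path, render(members))


def demo() -> list:
    """Sync the same members twice (reordered the second time), then add one.

    Returns the three restart flags; constructed sample DNs, not real data.
    """
    run1 = [
        "uid=alice,cn=users,dc=example,dc=com",
        "uid=bob,cn=users,dc=example,dc=com",
        "uid=carol,cn=users,dc=example,dc=com",
    ]
    run2 = list(reversed(run1))           # same set, different LDAP result order
    extra = "uid=dave,cn=users,dc=example,dc=com"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "passwordreset-members")
        return [
            sync_group_file(path, run1),          # new file: restart needed
            sync_group_file(path, run2),          # reordered only: no restart
            sync_group_file(path, run2 + [extra]),  # membership changed: restart
        ]


if __name__ == "__main__":
    print("restart needed per run:", demo())
```

Two details matter for the security outcome: sorting makes the comparison meaningful at all, and the write-then-rename keeps slapd from ever reading a half-written ACL member list if the script is interrupted.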