8.4. Basic system services#
This chapter describes basic system services of a UCS Installation such as the configuration of the PAM authentication framework, system logs and the NSCD.
8.4.1. Administrative access with the root account#
There is a
root account on every UCS system for complete administrative
access. The password is set during installation of the system. The root user
is not stored in the LDAP directory, but instead in the local user accounts.
The password for the root user can be changed via the command line by using the passwd command. It must be pointed out that this process does not include any checks regarding either the length of the password or the passwords used in the past.
8.4.2. Configuration of language and keyboard settings#
In Linux, localization properties for software are defined in so-called locales. Configuration includes, among other things, settings for date and currency format, the set of characters in use and the language used for internationalized programs. The installed locales can be changed in the UMC module Language settings under . The standard locale is set under Default system locale.
The Keyboard layout in the menu entry Time zone and keyboard settings is applied during local logins to the system.
8.4.3. Starting/stopping system services / configuration of automatic startup#
The UMC module System services can be used to check the current status of a system service and to start or stop it as required.
In this list of all the services installed on the system, the current running runtime status and a Description are displayed under Status. The service can be started, stopped or restarted under more.
By default every service is started automatically when the system is started. In some situations, it can be useful not to have the service start directly, but instead only after further configuration. The action Start manually is used so that the service is not started automatically when the system is started, but can still be started subsequently. The action Start never also prevents subsequent service starts.
8.4.4. Authentication / PAM#
Authentication services in Univention Corporate Server are realized via Pluggable Authentication Modules (PAM). To this end different login procedures are displayed on a common interface so that a new login method does not require adaptation for existing applications.
126.96.36.199. Limiting authentication to selected users#
By default only the
root user and members of the
Domain Admins group can
login remotely via SSH and locally on a
This restriction can be configured with the Univention Configuration Registry Variable
auth/SERVICE/restrict. Access to this service can be authorized by
setting the variables
Login restrictions are supported for SSH (
sshd), login on a tty
login), rlogin (
rlogin), PPP (
ppp) and other services
other). An example for SSH:
auth/sshd/group/Administrators: yes auth/sshd/group/Computers: yes auth/sshd/group/DC Backup Hosts: yes auth/sshd/group/DC Slave Hosts: yes auth/sshd/group/Domain Admins: yes auth/sshd/restrict: yes
8.4.5. Configuration of the LDAP server in use#
Several LDAP servers can be operated in a UCS domain. The primary one used is
specified with the Univention Configuration Registry Variable
ldap/server/name, further servers can be
specified via the Univention Configuration Registry Variable
Alternatively, the LDAP servers can also be specified via a LDAP server policy. The order of the servers determines the order of the computer’s requests to the server if a LDAP server cannot be reached.
By default only
ldap/server/name is set following the installation or
the domain join. If there is more than one LDAP server available, it is
advisable to assign at least two LDAP servers using the LDAP server policy in
order to improve redundancy. In cases of an environment distributed over
several locations, preference should be given to LDAP servers from the local
8.4.6. Configuration of the print server in use#
The print server to be used can be specified with the Univention Configuration Registry Variable
Alternatively, the server can also be specified via the Print server policy in the UMC module Computers.
8.4.7. Logging/retrieval of system messages and system status#
188.8.131.52. Log files#
All UCS-specific log files (e.g., for the listener/notifier replication) are
stored in the
/var/log/univention/ directory. Services write log messages their own
standard log files: for example, Apache to the file
The log files are managed by logrotate. It ensures that log files are
named in series in intervals (can be configured in weeks using the Univention Configuration Registry Variable
log/rotate/weeks, with the default setting being 12) and older log
files are then deleted. For example, the current log file for the Univention Directory Listener is
found in the
listener.log file; the one for the previous week in
Alternatively, log files can also be rotated only once they have reached a
certain size. For example, if they are only to be rotated once they reach a size
of 50 MB, the Univention Configuration Registry Variable
logrotate/rotates can be set to
The Univention Configuration Registry Variable
logrotate/compress is used to configure whether the
older log files are additionally zipped with gzip.
Log files located in the directory
each have their own Logrotate configuration. These log files have global and
specific Logrotate settings. The Univention Configuration Registry Variable
configures the global settings. The logrotate(8) documentation
describes the functionality in detail. UCS supports the following directives:
640 listener adm
If a configuration only applies to a specific log file, compose the Univention Configuration Registry Variable as
the log filename without the file suffix
184.108.40.206. Logging the system status#
univention-system-stats can be used to document the current system
status in the
/var/log/univention/system-stats.log file. The following
values are logged:
The free disk space on the system partitions (df -lhT)
The current process list (ps auxf)
Two top lists of the current processes and system load (top -b -n2)
The current free system memory (free)
The time elapsed since the system was started (uptime)
Temperature, fan and voltage indexes from lm-sensors (sensors)
A list of the current Samba connections (smbstatus)
The runtime in which the system status should be logged can be defined in Cron
syntax via the Univention Configuration Registry Variable
0,30 * * * *
for logging every half and full hour. The logging is activated by setting the
Univention Configuration Registry Variable
yes. This is the default since UCS 3.0.
220.127.116.11. Process overview via Univention Management Console module#
The UMC module Process overview displays a table of the current processes on the system. The processes can be sorted based on the following properties by clicking on the corresponding table header:
CPU utilization in percent
The username under which the process is running
Memory consumption in percent
The process ID
The menu item more can be used to terminate processes. Two different types of termination are possible:
The action Terminate sends the process a
SIGTERMsignal; this is the standard method for the controlled termination of programs.
- Force terminate
Sometimes, it may be the case that a program - e.g., after crashing - can no longer be terminated with this procedure. In this case, the action Force terminate can be used to send the signal
SIGKILLand force the process to terminate.
As a general rule, terminating the program with
SIGTERM is preferable as
many programs then stop the program in a controlled manner and, for example,
save open files.
18.104.22.168. System diagnostic via Univention Management Console module#
The UMC module System diagnostic offers a corresponding user interface to analyze a UCS system for a range of known problems.
The module evaluates a range of problem scenarios known to it and suggests solutions if it is able to resolve the identified solutions automatically. This function is displayed via ancillary buttons. In addition, links are shown to further articles and corresponding UMC modules.
8.4.8. Executing recurring actions with Cron#
Regularly recurring actions (e.g., the processing of log files) can be started at a defined time with the Cron service. Such an action is known as a cron job.
22.214.171.124. Hourly/daily/weekly/monthly execution of scripts#
Four directories are predefined on every UCS system,
/etc/cron.monthly/. Shell scripts which are placed in these directories
and marked as executable are run automatically every hour, day, week or month.
126.96.36.199. Defining local cron jobs in
A cron job is defined in a line, which is composed of a total of seven columns:
Weekday (0-7) (0 and 7 both stand for Sunday)
Name of user executing the job (e.g.,
The command to be run
The time specifications can be set in different ways. One can specify a specific
minute/hour/etc. or run an action every minute/hour/etc. with a
can also be defined, for example
*/2 as a minute specification runs an
action every two minutes.
30 * * * * root /usr/sbin/jitter 600 /usr/share/univention-samba/slave-sync
188.8.131.52. Defining cron jobs in Univention Configuration Registry#
Cron jobs can also be defined in Univention Configuration Registry. This is particularly useful if they are set via a Univention Directory Manager policy and are thus used on more than one computer.
Each cron job is composed of at least two Univention Configuration Registry variables.
JOBNAME is a general description.
cron/JOBNAME/commandspecifies the command to be run (required)
cron/JOBNAME/timespecifies the execution time (see Defining local cron jobs in /etc/cron.d/) (required)
As standard, the cron job is run as a user
cron/JOBNAME/usercan be used to specify a different user.
If an email address is specified under
cron/JOBNAME/mailto, the output of the cron job is sent there per email.
cron/JOBNAME/descriptioncan be used to provide a description.
8.4.9. Name service cache daemon#
Data of the NSS service is cached by the Name Server Cache Daemon (NSCD) in order to speed up frequently recurring requests for unchanged data. Thus, if a repeated request occurs, instead of a complete LDAP request to be processed, the data are simply drawn directly from the cache.
Since UCS 3.1, the groups are no longer cached via the NSCD for performance and stability reasons; instead they are now cached by a local group cache, see Local group cache.
The central configuration file of the (
/etc/nscd.conf) is managed by
Univention Configuration Registry.
The access to the cache is handled via a hash table. The size of the hash table can be specified in Univention Configuration Registry, and should be higher than the number of simultaneously used users/hosts. For technical reasons, a prime number should be used for the size of the table. The following table shows the standard values of the variables:
Default size of the hash table
With very big caches it may be necessary to increase the size of the cache
database in the system memory. This can be configured through the Univention Configuration Registry
As standard, five threads are started by NSCD. In environments with many
accesses it may prove necessary to increase the number via the Univention Configuration Registry Variable
In the basic setting, a resolved group or hostname is kept in cache for one
hour, a username for ten minutes. With the Univention Configuration Registry variables
nscd/passwd/positive_time_to_live these periods can be extended or
diminished (in seconds).
From time to time it might be necessary to manually invalidate the cache of the NSCD. This can be done individually for each cache table with the following commands:
$ nscd -i passwd $ nscd -i hosts
The verbosity of the log messages can be configured through the Univention Configuration Registry Variable
8.4.10. SSH login to systems#
When installing a UCS system, an SSH server is also installed per preselection. SSH is used for realizing encrypted connections to other hosts, wherein the identity of a host can be assured via a check sum. Essential aspects of the SSH server’s configuration can be adjusted in Univention Configuration Registry.
By default the login of the privileged
root user is permitted by SSH (e.g.
for configuring a newly installed system where no users have been created yet,
from a remote location).
If the Univention Configuration Registry Variable
sshd/permitrootis set to
without-password, then no interactive password request will be performed for the
rootuser, but only a login based on a public key. By this means brute force attacks to passwords can be avoided.
To prohibit SSH login completely, this can be deactivated by setting the Univention Configuration Registry Variable
The Univention Configuration Registry Variable
sshd/xforwarding can be used to configure
whether an X11 output should be passed on via SSH. This is necessary,
for example, for allowing a user to start a program with graphic output
on a remote computer by logging in with ssh -X
TARGETHOST. Valid settings are
The standard port for SSH connections is port 22 via TCP. If a different
port is to be used, this can be arranged via the Univention Configuration Registry Variable
8.4.11. Configuring the time zone / time synchronization#
The time zone in which a system is located can be changed in the UMC module Language settings under .
Asynchronous system times between individual hosts of a domain can be the source of a large number of errors, for example:
The reliability of log files is impaired.
Kerberos operation is disrupted.
The correct evaluation of the validity periods of passwords can be disturbed.
Usually the Primary Directory Node functions as the time server of a domain. With the
Univention Configuration Registry variables
timeserver3 external NTP servers can be included as time sources.
Manual time synchronization can be started by the command ntpdate.
Windows clients joined in a Samba/AD domain only accept signed NTP time
requests. If the Univention Configuration Registry Variable
ntp/signed is set to
yes, the NTP
replies are signed by Samba/AD.