With Univention Corporate Server 3.2-1, the first point release for Univention Corporate Server (UCS) is now available. It includes all errata updates issued for UCS 3.2-0:
The Linux kernel package was updated to 3.10.26. Besides many bugfixes this also improves the hardware support.
The Univention App Center was extended: Besides several bugfixes, new interfaces are provided which improve the integration of third-party applications.
Univention AD Takeover - the UCS solution for the automatic migration of an Active Directory domain to UCS - was improved further; it now also supports the migration of AD domains operated in languages other than English or German.
Multiple usability enhancements in the Univention Management Console.
In environments with more than one UCS system, the update order of the UCS systems must be borne in mind:
The authoritative version of the LDAP directory service is maintained on the master domain controller and replicated on all the remaining LDAP servers of the UCS domain. As changes to the LDAP schemes can occur during release updates, the master domain controller must always be the first system to be updated during a release update.
It is generally advisable to update all UCS systems in one maintenance window whenever possible.
It must be checked whether sufficient disk space is available. A standard installation requires a minimum of 6 GB of disk space. Depending on the scope of the existing installation, the update will require at least another 1 GB of disk space for the downloading and installation of the packages.
For the update, a login should be performed on the console with the root user and then the update started there. Alternatively, the update can be initiated using the Univention Management Console.
Remote updating via SSH is not recommended as this may result in the update procedure being cancelled if the network connection is interrupted, for example, and this can affect the system.
If updating should occur over a network connection nevertheless, it must be verified that the update continues despite disconnection from the network.
This can be done, for example, using the tools screen and at, which are installed on all system roles.
Following the update, new or updated join scripts need to be executed.
This can be done in two ways: either using the UMC module or by running the command univention-run-join-scripts as the user root.
Subsequently the UCS system should be restarted.
Preup and postup scripts are run before and after release updates (for example, to post-process the update by uninstalling obsolete packages). As of UCS 3.2, these scripts are cryptographically signed to prevent unauthorized modification. The signatures are checked during the update and when mirroring the repository. If a signature is invalid or missing, the action is aborted.
If a repository server is operated with UCS 3.1-x, it should be updated to UCS 3.2 before additional systems can be updated to UCS 3.2-1.
If it is not possible to update the repository server, the signature files must be downloaded manually:
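    # Mirror directory on the local repository server and the upstream update server
    LOCAL_DIR="/var/lib/univention-repository/mirror"
    SERVER="http://updates.software-univention.de"
    # Fetch the signature files of the preup and postup scripts for both releases
    for release in 3.2-0 3.2-1; do
        for script in preup postup; do
            file="3.2/maintained/$release/all/$script.sh.gpg"
            wget -O "$LOCAL_DIR/$file" "$SERVER/$file"
        done
    done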
Alternatively, it is also possible to disable the signature checks. This can be a security risk, because scripts with a missing or invalid signature are then no longer rejected.
For the repository server this can be done by setting the Univention Configuration Registry variable repository/mirror/verify to false.
For the update the Univention Configuration Registry variable repository/online/verify must be set to false on all systems.
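A consistency check for the signature handling described above, as an added example that is not part of the original release notes or of Univention's own tooling: it lists release scripts in a mirror that have no signature file beside them and flags a host on which either verify variable is switched off. It assumes the ucr command-line tool on the host; the function names and the set of values treated like false are choices of this example, and it only tests that the .gpg files are present and non-empty, not that they are cryptographically valid.

```sh
#!/bin/sh
# Added example: audit a repository mirror and the verify variables.
# The directory layout (<version>/maintained/<release>/all/) follows the
# download loop in the release notes.

# Print every preup.sh/postup.sh below DIR that has no non-empty .gpg file
# beside it. Updates to such a release abort while verification is enabled.
missing_signatures() {
    find "$1" -type f \( -name preup.sh -o -name postup.sh \) | sort |
    while IFS= read -r script; do
        [ -s "$script.gpg" ] || printf '%s\n' "$script"
    done
}

# Succeed if VALUE switches a verify variable off. The release notes name
# "false"; treating no/off/0 the same way is an assumption of this example.
verify_disabled() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        false|no|off|0) return 0 ;;
        *) return 1 ;;
    esac
}

# Audit one host: both verify variables and, if present, the local mirror.
# Returns non-zero when checks are disabled or a signature file is absent.
audit_host() {
    mirror="${1:-/var/lib/univention-repository/mirror}"
    rc=0
    for var in repository/mirror/verify repository/online/verify; do
        if verify_disabled "$(ucr get "$var")"; then
            echo "WARNING: $var disables signature checks"
            rc=1
        fi
    done
    if [ -d "$mirror" ]; then
        missing=$(missing_signatures "$mirror")
        if [ -n "$missing" ]; then
            printf '%s\n' "$missing" | sed 's/$/.gpg is missing or empty/'
            rc=1
        fi
    fi
    return $rc
}
```

Run audit_host as root on the repository server after mirroring, and on each system before starting the update.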
Anonymous usage statistics on the use of the Univention Management Console are collected when using the free for personal use version of UCS (which is generally used for evaluating UCS). The modules opened are logged in an instance of the web traffic analysis tool Piwik. This makes it possible for Univention to tailor the development of the Univention Management Console better to customer needs and carry out usability improvements.
This logging is only performed when the free-for-personal-use license is used. The license status can be verified by clicking on the cog symbol in the top right-hand corner of the Univention Management Console and selecting . If Free for personal use edition is listed under , this version is in use. When a regular UCS license is used, no usage statistics are collected.
Independent of the license used, the statistics generation can be deactivated by setting the Univention Configuration Registry variable umc/web/piwik to false.
In addition to the standard installation DVD there is also a medium with support for the Unified Extensible Firmware Interface standard (UEFI) available for the amd64 architecture.
It must be used instead of the standard DVD on systems which only support a UEFI boot.
Webkit, Konqueror and QtWebkit are shipped in the maintained branch of the UCS repository, but not covered with security support. Webkit is primarily used for displaying HTML help pages etc. Firefox should be used as the web browser.
Univention Management Console uses numerous Javascript and CSS functions to display the web interface. Cookies need to be permitted in the browser. The following browsers are recommended:
Chrome as of version 14
Firefox as of version 10
Internet Explorer as of version 9
Safari (on the iPad 2)
Users with older browsers may experience display or performance problems.
Some Active Directory functions are currently not available in Samba 4:
Microsoft Windows domain controllers must not be joined in a Samba 4 domain currently.
Selective replication is not possible with Samba 4 as this is not supported by Active Directory in principle (in UCS@school selective replication is implemented through the listener/notifier replication mechanism).
Samba 4 does not currently support forest domains.
Samba 4 does not currently support trust relationships.
Further information can be found in Chapter 8 of the [ucs-handbuch].
During the installation of UCS in the virtualization solution VirtualBox, a VirtualBox bug may appear which has been corrected in version 4.2: if UCS has been successfully installed and the DVD is still in the disk drive, the installation DVD offers the option . If you select this option, VirtualBox freezes. As a workaround for Linux distributions which still use VirtualBox 4.0 or 4.1, either remove the installation DVD from the drive settings of the VirtualBox VM before starting the UCS VM, or press F12 when starting the virtual instance and select the hard drive as the boot partition. UCS will then start successfully.
When UCS is installed in the virtualization solution Citrix XenServer 6.0 - 6.2, the Grub menu of the Univention installer is not shown with the Cirrus graphics card emulated as standard. The Univention Installer can be started directly by pressing the ENTER key; alternatively, the installation starts automatically after sixty seconds. The Univention Installer which then starts is displayed as normal.
To display Grub correctly, the graphics card emulated by XenServer can be reconfigured.
This is done by logging on to the XenServer system as the root user.
Firstly, the xe vm-list command is used to determine the UUID of the virtual machine.
The following command is then used to reconfigure the emulated graphics card to VGA:
xe vm-param-set uuid=UUIDVM platform:vga=std
There are two basic procedures for migrating Samba 3 to Samba 4:
Setup of a parallel Samba 4 domain. Both domains use different NetBIOS names and SIDs. The clients then join the Samba 4 domain step by step.
Migration of all systems within one maintenance window.
Both procedures are documented in detail in the Univention Wiki: http://wiki.univention.de/index.php?title=Migration_from_Samba_3_to_Samba_4.
If the Xen hypervisor is used and the memory limit for the Dom0 has been configured using the Univention Configuration Registry variable grub/xenhopt, the value should be updated to include the ,max: part as well.
See http://wiki.univention.de/index.php?title=UVMM_Quickstart-3.1/en#Configuring_the_Dom0 for details.
Listed are the changes since UCS 3.2-0:
/usr/include/asm/ to the different location /usr/include/gnu-*-linux/asm/, which broke compiling other software. This change was reverted (Bug 33924).
/etc/security/limits.conf has been increased to 32768. This value can be changed by setting the Univention Configuration Registry variables security/limits/default/user/soft/nofile and security/limits/default/user/hard/nofile (Bug 32415).
univention-ldapsearch now accepts the command line options --binddn, --bindpwd and --bindpwdfile for authentication.
ldap/index/ (Bug 33430).
groups/default/* (Bug 33645).
users/default/*. These variables are managed automatically by a Univention Directory Listener module and should usually not be adjusted manually (Bug 33890).
univention-add-app now works through proxies (Bug 33542).
Fixed an error in the usage information of the option --latest (Bug 31410).
updater.status file (Bug 33548).
urandom is deactivated until the appliance mode is finished. This avoids having the same random seed in templates. Also recreate SSH and SSL keys during boot if the files are missing (Bug 30034).
update/available (Bug 33762).
cups-pdf://. This has been corrected (Bug 33383).
ucs_registerLDAPExtension to let join scripts continue in case an LDAP extension could not be registered because a newer one is already active in the domain (Bug 33582).
custom_groupname maps the default group names to the actual name (Bug 33649).
custom_username maps the default user names to the actual name (Bug 33710).
s4 has been added for Samba-related operations (Bug 33893).
/etc/univention/ssl/ and the files contained in it were mangled on certificate renewal via the UMC module. New certificates created using univention-certificate new were created with incorrect permissions. This update fixes these issues, making sure that the group DC Backup Hosts has access to the certificates (Bug 31941).
ntp/noquery which can be set to true to disable most queries including the "monlist" function and thus mitigates this issue. The regular time service of NTP will continue to serve time updates independent of the value of the variable. After setting the variable the NTP service needs to be restarted in the "System services" module of the Univention Management Console or with the command /etc/init.d/ntp restart. It is recommended to set this variable on UCS systems that expose the NTP service to the internet. On installations with UCS 3.2-1 the variable is automatically set (Bug 33834).
samba/winbind/rpc/only is set to yes, trust relations to Microsoft Windows AD domains are possible again (Bug 33303).
samba/global/options/* was fixed (Bug 28722).
create_spn_account.sh failed in case the generated random password started with a dash. This has been fixed (Bug 32938).
ldapsearch-wrapper has been added to univention-ldapsearch calls in Samba setup scripts to prevent line wrapping of LDAP search results (Bug 33583).
well-known-sid-name-mapping.py implements a mechanism for domain-wide customisation of account names for well known Windows/Samba SIDs. It sets the Univention Configuration Registry variables groups/default/* and users/default/* in case accounts with well known SIDs are renamed (Bug 33897).
firefox to hang when accessing the UMC in a local session (Bug 34125).
[ucs-handbuch] Univention GmbH. 2013. Univention Corporate Server - Manual for users and administrators. http://docs.univention.de/manual-3.2.html.