UCS 3.2-5 Release Notes

Release notes for the installation and update of Univention Corporate Server (UCS) 3.2-5

Table of Contents

1. Univention Corporate Server (UCS) 3.2-5
2. Recommended update order for environments with more than one UCS server
3. Preparation of update
4. Postprocessing of the update
4.1. Operating a local repository server / pre-up/ post-up scripts
5. Further notes on selected packages
5.1. Collection of usage statistics when using the free-for-personal-use version
5.2. UEFI installation DVD
5.3. Scope of security support for Webkit, Konqueror und QtWebKit
5.4. Recommeded browsers for the access to the Univention Management Console
5.5. Restrictions in Samba 4 operation
5.6. Installation in VirtualBox
5.7. Installation in Citrix XenServer
5.8. Migration of a Samba 3 environment to Samba 4
5.9. Xen
6. Changelog
6.1. General
6.2. Basic system services
6.2.1. Linux kernel and firmware packages
6.2.2. Univention Configuration Registry
6.3. Domain services
6.3.1. OpenLDAP LDAP schema changes Listener/Notifier domain replication
6.4. Univention Management Console
6.4.1. Univention Management Console web interface
6.4.2. Univention Management Console server
6.4.3. Univention App Center
6.4.4. Basic settings / Appliance mode
6.4.5. Users module
6.4.6. Online update module
6.4.7. Policies
6.4.8. Printers module
6.4.9. Other modules
6.4.10. Univention Directory Manager command line interface and related tools
6.5. Software deployment
6.5.1. Software deployment command line tools
6.6. Univention Library
6.7. Virtualisation
6.7.1. Univention Virtual Machine Manager (UVMM)
6.7.2. Xen
6.7.3. Libvirt
6.8. Services for Windows
6.8.1. Samba
6.8.2. Univention S4 Connector
6.9. Other changes

Chapter 1. Univention Corporate Server (UCS) 3.2-5

The fifth point release for Univention Corporate Server (UCS) is now available in the form of Univention Corporate Server 3.2-5. The online repository provided by Univention can be used to update existing UCS systems or, alternatively, updates can be installed from an update DVD. There are also UCS 3.2-5 ISO images available for new installations. UCS 3.2-5 includes all the errata updates published for UCS 3.2-4. An overview of the most important changes:

  • Stability improvements of the management system in some situations

  • The update from UCS 3.2 to 4.0 has been simplified

  • Multiple improvements in the Samba 4/Active Directory integration of UCS, e.g. in the use of Microsoft SharePoint

Chapter 2. Recommended update order for environments with more than one UCS server

In environments with more than one UCS system, the update order of the UCS systems must be borne in mind:

The authoritative version of the LDAP directory service is maintained on the master domain controller and replicated on all the remaining LDAP servers of the UCS domain. As changes to the LDAP schemes can occur during release updates, the master domain controller must always be the first system to be updated during a release update.

It is generally advisable to update all UCS systems in one maintenance window whenever possible.

Chapter 3. Preparation of update

It must be checked whether sufficient disk space is available. A standard installation requires a minimum of 6 GB of disk space. Depending on the scope of the existing installation, the update will require at least another 1 GB of disk space for the downloading and installation of the packages.

For the update, a login should be performed on the console with the root user and then the update started there. Alternatively, the update can be initiated using the Univention Management Console.

Remote updating via SSH is not recommended as this may result in the update procedure being cancelled if the network connection is interrupted, for example, and this can affect the system. If updating should occur over a network connection nevertheless, it must be verified that the update continues despite disconnection from the network. This can be done, for example, using the tools screen and at, which are installed by default.

Chapter 4. Postprocessing of the update

Following the update, new or updated join scripts need to be executed. This can be done in two ways: Either using the UMC module Domain join or by running the command univention-run-join-scripts as the user root.

Subsequently the UCS system should be restarted.

4.1. Operating a local repository server / pre-up/ post-up scriptsFeedback

Pre-up and post-up scripts are scripts which are run before and after release updates (e.g., for post-processing the update, for example by uninstalling obsolete packages). As of UCS 3.2, these scripts are cryptographically signed to prevent unauthorized modification. During the update and when mirroring the repository these signatures are checked. If they're invalid or missing, the action is aborted.

If a repository server is operated with UCS 3.1-x, it should be updated to UCS 3.2 before additional systems can be updated to UCS 3.2-1 or newer.

If it is not possible to update the repository server, the signature files must be downloaded manually:

for release in 3.2-0 3.2-1 3.2-2 3.2-3 3.2-4 3.2-5; do
	for script in preup postup; do
		wget -O "$LOCAL_DIR/$file" "$SERVER/$file"

Alternatively, it is also possible to disable the signature checks, which can be a security risk. For the repository server this can be done by setting the Univention Configuration Registry variable repository/mirror/verify to false. For the update the Univention Configuration Registry variable repository/online/verify must be set to false on all systems.

Chapter 5. Further notes on selected packages

5.1. Collection of usage statistics when using the free-for-personal-use versionFeedback

Anonymous usage statistics on the use of the Univention Management Console are collected when using the free for personal use version of UCS (which is generally used for evaluating UCS). The modules opened are logged in an instance of the web traffic analysis tool Piwik. This makes it possible for Univention to tailor the development of the Univention Management Console better to customer needs and carry out usability improvements.

This logging is only performed when the free-for-personal-use license is used. The license status can be verified by clicking on the cog symbol in the top righthand corner of the Univention Management Console and selecting License information. If Free for personal use edition is listed under License type, this version is in use. When a regular UCS license is used, no usage statistics are collected.

Regardless of the licence used, the statistics generation can be deactivated by setting the Univention Configuration Registry variable umc/web/piwik to false.

5.2. UEFI installation DVDFeedback

In addition to the standard installation DVD there is also a medium with support for the Unified Extensible Firmware Interface standard (UEFI) available for the amd64 architecture.

It must be used instead of the standard DVD on systems which only support a UEFI boot.

5.3. Scope of security support for Webkit, Konqueror und QtWebKitFeedback

Webkit, Konqueror and QtWebkit are shipped in the maintained branch of the UCS repository, but not covered with security support. Webkit is primarily used for displaying HTML help pages etc. Firefox should be used as the web browser.

5.4. Recommeded browsers for the access to the Univention Management ConsoleFeedback

Univention Management Console uses numerous JavaScript and CSS functions to display the web interface. Cookies need to be permitted in the browser. The following browsers are recommended:

  • Chrome as of version 14

  • Firefox as of version 10

  • Internet Explorer as of version 9

  • Safari (on the iPad 2)

Users with older browsers may experience display or performance problems.

5.5. Restrictions in Samba 4 operationFeedback

Some Active Directory functions are currently not available in Samba 4:

  • Microsoft Windows domain controllers must not be joined in a Samba 4 domain and vice versa.

  • Selective replication is not possible with Samba 4 as this is not supported by Active Directory in principle (in UCS@school selective replication is implemented through the listener/notifier replication mechanism).

  • Samba 4 does not support forest domains.

  • Samba 4 does not support trust relationships.

Further information can be found in Chapter 8 of the [ucs-manual].

5.6. Installation in VirtualBoxFeedback

During the installation of UCS in the virtualization solution VirtualBox, a VirtualBox bug may appear which has been corrected in version 4.2: if UCS has been successfully installed and the DVD is still in the disk drive, the installation DVD offers the option Boot from first harddisk partition. If you select this option, VirtualBox freezes.

For Linux distributions which still use Virtualbox 4.0 or 4.1, either the installation DVD should be removed from the drive settings of the VirtualBox VM or F12 pressed when starting the virtual instance and the hard drive selected as a boot partition as a workaround before starting the UCS VM. UCS will then start successfully.

5.7. Installation in Citrix XenServerFeedback

When UCS is installed in the virtualization solution Citrix XenServer 6.0 - 6.2, the GRUB menu of the Univention installer is not shown with the Cirrus graphics card emulated as standard. The Univention Installer can be started directly by pressing the ENTER key; alternatively, the installation starts automatically after sixty seconds. The Univention Installer which then starts is displayed as normal.

To display GRUB correctly, the graphics card emulated by XenServer can be reconfigured. This is done by logging on to the XenServer system as the root user. Firstly, the xe vm-list command is used to determine the UUID of the virtual machine. The following command is then used to reconfigure the emulated graphics card to VGA:

xe vm-param-set uuid=UUIDVM platform:vga=std

5.8. Migration of a Samba 3 environment to Samba 4Feedback

There are two basic procedures for migrating Samba 3 to Samba 4:

  • Setup of a parallel Samba 4 domain. Both domains use different NetBIOS names and SIDs. The clients then join the Samba 4 step by step.

  • Migration of all systems within one maintenance window.

Both procedures are documented in detail in the Univention Wiki: http://wiki.univention.de/index.php?title=Migration_from_Samba_3_to_Samba_4.

5.9. XenFeedback

If the Xen hypervisor is used and the memory limit for the Dom0 has been configured using the Univention Configuration Registry-Variable grub/xenhopt, the value should be updated to include the ,max: part as well. See the http://wiki.univention.de/index.php?title=UVMM_Quickstart-3.1/en#Configuring_the_Dom0 for details.

Chapter 6. Changelog

Listed are the changes since UCS 3.2-4:

6.1. GeneralFeedback

All security updates issued for UCS 3.2-4 are included:
  • Package bsd-mailx: CVE-2014-7844 (Bug 37369)
  • Package eglibc: CVE-2012-6656 CVE-2014-0475 CVE-2014-5119 CVE-2014-6040 CVE-2014-7817 CVE-2014-9402 CVE-2015-0235 (Bug 33271).
  • Package firefox-de: CVE-2014-1587 CVE-2014-1589 CVE-2014-1590 CVE-2014-1592 CVE-2014-1593 CVE-2014-1594 CVE-2014-8634 CVE-2014-8638 CVE-2014-8639 CVE-2014-8641 (Bug 37140, Bug 37535)
  • Package firefox-en: CVE-2014-1587 CVE-2014-1589 CVE-2014-1590 CVE-2014-1592 CVE-2014-1593 CVE-2014-1594 CVE-2014-8634 CVE-2014-8638 CVE-2014-8639 CVE-2014-8641 (Bug 37140, Bug 37535)
  • Package libksba: CVE-2014-9087 (Bug 37034).
  • Package libtasn1-3: CVE-2014-3467 CVE-2014-3468 CVE-2014-3469 (Bug 35017)
  • Package libxml2: CVE-2014-0191 CVE-2014-3660 (Bug 35073)
  • Package linux: CVE-2014-0131 CVE-2014-2568 CVE-2014-4171 CVE-2014-4667 CVE-2014-5471 CVE-2014-5472 CVE-2014-3601 CVE-2014-5077 CVE-2014-6416 CVE-2014-6417 CVE-2014-6418 CVE-2014-3181 CVE-2014-3182 CVE-2014-3183 CVE-2014-3184 CVE-2014-3185 CVE-2014-3186 CVE-2014-7145 CVE-2014-7283 CVE-2014-6410 CVE-2014-7970 CVE-2014-7975 CVE-2014-3673 CVE-2014-3687 CVE-2014-3688 CVE-2014-3611 CVE-2014-3610 CVE-2014-7825 CVE-2014-7826 CVE-2014-7841 CVE-2014-8884 CVE-2014-9090 CVE-2014-9322 (Bug 35397, Bug 37143).
  • Package ntp: CVE-2014-9293 CVE-2014-9294 CVE-2014-9295 CVE-2014-9296 (Bug 37407).
  • Package openjdk-6: CVE-2014-2490 CVE-2014-4219 CVE-2014-4216 CVE-2014-4262 CVE-2014-4209 CVE-2014-4218 CVE-2014-4252 CVE-2014-4268 CVE-2014-4244 CVE-2014-4263 CVE-2014-4266 CVE-2014-6457 CVE-2014-6502 CVE-2014-6504 CVE-2014-6506 CVE-2014-6511 CVE-2014-6512 CVE-2014-6517 CVE-2014-6519 CVE-2014-6531 CVE-2014-6558 (Bug 35381).
  • Package openssl: CVE-2014-3570 CVE-2014-3571 CVE-2014-3572 CVE-2014-8275 CVE-2015-0204 CVE-2014-3566 CVE-2014-3567 CVE-2014-3568 (Bug 37493, Bug 36170)
  • Package openvpn: CVE-2014-8104 (Bug 37138).
  • Package php5: CVE-2014-1943 CVE-2014-2270 CVE-2014-0237 CVE-2014-0238 CVE-2014-3480 CVE-2014-0207 CVE-2014-4721 CVE-2014-4049 CVE-2014-3597 CVE-2014-3587 CVE-2014-3670 CVE-2014-3669 CVE-2014-3668 CVE-2014-8626 CVE-2014-3710 (Bug 34256).
  • Package samba: CVE-2014-8143 CVE-2015-0240 (Bug 37497, Bug 37731)
  • Package unzip: CVE-2014-8139 CVE-2014-8140 CVE-2014-8141 (Bug 37411)
  • Package xen-4.1: CVE-2014-8595 CVE-2014-8594 CVE-2014-9030 CVE-2014-8867 CVE-2014-8866 (Bug 36872).
  • Package xorg-server: CVE-2014-8091 CVE-2014-8092 CVE-2014-8093 CVE-2014-8094 CVE-2014-8095 CVE-2014-8096 CVE-2014-8097 CVE-2014-8098 CVE-2014-8099 CVE-2014-8100 CVE-2014-8101 CVE-2014-8102 (Bug 37272).

6.2. Basic system servicesFeedback

6.2.1. Linux kernel and firmware packagesFeedback

  • The Linux kernel has been updated to 3.10.62. This provides many bugfixes (Bug 35397, Bug 37143).
  • A regression in filesystem quota on ext2 filesystems has been fixed (Bug 37250).
  • A bug in ACL handling when using NFS file shares has been fixed (Bug 36990).

6.2.2. Univention Configuration RegistryFeedback

  • The file name for temporary files created by ucr commit now start with a dot to hide them by default (Bug 35954).

6.3. Domain servicesFeedback

6.3.1. OpenLDAPFeedback LDAP schema changesFeedback

  • The object class msGPOContainer has been extended to support the new attribute msNTSecurityDescriptor (Bug 36978). Listener/Notifier domain replicationFeedback

  • Fix shutdown of univention-directory-listener if failed.ldif exists (Bug 34761).

6.4. Univention Management ConsoleFeedback

6.4.1. Univention Management Console web interfaceFeedback

  • A display bug was resolved which showed scrollbars in the search input field in the user module when using the Chrome browser (Bug 35838).
  • A display but was resolved which caused the login button to be displaced when using the Firefox browser (Bug 34071).
  • Open the Software Update UMC module upon startup during release updates and show a information dialog about the current update process (Bug 37255).

6.4.2. Univention Management Console serverFeedback

  • Fix an error introduced in UCS 3.2-3 regarding the error handling of closed UMC module process sockets (Bug 36561).
  • Fixed a bug which prevented that UMC components could write into their logfiles (Bug 37159, Bug 37316).
  • Fix an error if the UMC server and the UMC module want to close the module process at the same time (Bug 37315).
  • Fixed handling of crashed UMC module processes (Bug 37379, Bug 37380).

6.4.3. Univention App CenterFeedback

  • A command to allow searching for multiple components at once has been added (Bug 37029).
  • The translation file for installed apps modules may have been corrupted during a release update. This has been fixed (Bug 36657).

6.4.4. Basic settings / Appliance modeFeedback

  • Fix the configuration of primary devices and MII monitoring in bonding network devices (Bug 36339, Bug 36341).

6.4.5. Users moduleFeedback

  • Simple authentication accounts can now be created much faster (the unnecessary UID locking is now omitted for these accounts) (Bug 34811).

6.4.6. Online update moduleFeedback

  • The hints and warning messages before or during the execution of a UCS update have been clarified (Bug 37254).
  • Extended the message shown in the UMC module if an app is blocking the update (Bug 37028).
  • List all blocking apps (or other components) in the UMC module (Bug 37029).

6.4.7. PoliciesFeedback

  • When executing a maintaince or release policy, a requested reboot is now only performed once all updates have been performed (Bug 37298).

6.4.8. Printers moduleFeedback

  • The Samba share option force printername was activated implictly during modifications of existing print shares. Now it only gets activated on new print shares and if the UCR variable samba/force_printername is not set to no or false (Bug 37475).

6.4.9. Other modulesFeedback

  • Fix killing and terminating of processes in the Process overview module if a backported python-psutil package is used (installed by some applications) (Bug 36439).
  • Remove references to the network object when deleting it (Bug 37377).

6.4.10. Univention Directory Manager command line interface and related toolsFeedback

  • Added support for the following operators in a UDM filter: <, <, <=, >=. (Bug 36970).

6.5. Software deploymentFeedback

6.5.1. Software deployment command line toolsFeedback

  • When using the command line tool univention-upgrade all components blocking an update are now displayed (Bug 37030).
  • Detect broken HTTP proxies like DansGuardian, which block downloading the Packages files and updater scripts while still signalling success (Bug 37031).
  • The update scripts have been adjusted to UCS 3.2-5 (Bug 37810).

6.6. Univention LibraryFeedback

  • Fix a bug introduced in UCS 3.2-3 in the atjobs library. It prevented e.g. the removal of room settings in the UCS@school computer room UMC module (Bug 36815).

6.7. VirtualisationFeedback

6.7.1. Univention Virtual Machine Manager (UVMM)Feedback

  • Handle failure to stop UVMMd during update more gracefully (Bug 37609).
  • Temporary files for noVNC token files are now created on the same partition to fix a problem with cross-device renaming (Bug 34725).
  • Paused VMs are now handled more similar to running VMs, which allows, for example, VNC to be used for paused VMs, too (Bug 35107).
  • Ignore errors reading UVMM profiles (Bug 37552).
  • The list of virtual machines now refreshes automatically in the UMC grid when leaving the detail page of a virtual machine (as actions taken there can influence the state of the machine). Also, the Univention Configuration Registry variable uvmm/umc/autosearch now only prevents the very first search on startup; manually clicking on the tree on the left refreshes the list even when autosearch is disabled. In addition, the grid is updated non-invasively at a configurable interval (Univention Configuration Registry variable uvmm/umc/autoupdate/interval) (Bug 35122).

6.7.2. XenFeedback

  • Fix decoding of hexadecimal escaped characters in description (Bug 36098).

6.7.3. LibvirtFeedback

  • Fix building the source package with newer Linux kernel headers (Bug 33974).

6.8. Services for WindowsFeedback

6.8.1. SambaFeedback

  • The Sharepoint document search showed no results due to failing group membership check. This has been fixed (Bug 37205).

6.8.2. Univention S4 ConnectorFeedback

  • GPO Security Descriptors can now be synchronised between OpenLDAP and the Samba directory service. By default this is not activated, an upcoming errata update for UCS@school 4.0 will make use of this feature (Bug 33768).
  • Ignore cn=Subschema and warn if the listener didn't pass entryUUID (Bug 35973).

6.9. Other changesFeedback


[ucs-manual] Univention GmbH. 2014. Univention Corporate Server - Manual for users and administrators. http://docs.univention.de/manual-3.2.html.