UCS 3.2 Release Notes

Release notes for the installation and update of Univention Corporate Server (UCS) 3.2


Table of contents

1. Release highlights
2. Recommended update order for environments with more than one UCS server
3. Preparation of the update
3.1. Updating installed applications from the Univention App Center
3.2. Checking the BDB settings on systems with Cyrus IMAP server (univention-mail-cyrus)
3.3. Changes to the Univention Directory Listener module for Cyrus users
3.4. Removed/no longer supported components
4. Post-processing of the update
4.1. Migration to GRUB 2
4.2. Migration from PostgreSQL 8.3 to PostgreSQL 8.4
4.3. Update/installation of the Horde Groupware Webmail Edition
4.4. Updating the supported protocols for Samba file services
4.5. Operating a local repository server / preup / postup scripts
4.6. Subsequent setup of the synchronisation of Active Directory group types
4.7. Migration of customisations of the UCS start page
5. Notes on the use of individual packages
5.1. Collection of usage statistics when using the free for personal use version
5.2. UEFI installation DVD
5.3. Scope of security support for Webkit, Konqueror and QtWebKit
5.4. Recommended browsers for access to the Univention Management Console
5.5. Restrictions in Samba 4 operation
5.6. Installation in VirtualBox
5.7. Installation in Citrix XenServer
5.8. Migration of a Samba 3 environment to Samba 4
5.9. Xen
6. Changelog
6.1. General
6.2. Upgrade provisions (preup and postup scripts)
6.3. Univention Installer
6.3.1. Profile-based installation
6.4. Basic system services
6.4.1. Boot loader
6.4.2. Linux kernel and firmware packages
6.4.3. Univention Configuration Registry
6.4.4. Network interface configuration
6.4.5. Univention Firewall
6.5. Domain services
6.5.1. OpenLDAP
6.5.1.1. LDAP ACL changes
6.5.1.2. LDAP schema changes
6.5.1.3. Listener/Notifier domain replication
6.5.2. Domain joins of UCS systems
6.5.3. Backup2Master
6.6. Univention Management Console
6.6.1. Univention Management Console web interface
6.6.2. Univention Management Console server
6.6.3. Univention App Center
6.6.4. Univention Management Console / Univention Directory Manager modules
6.6.5. Basic settings / Appliance mode
6.6.6. Users module
6.6.7. Groups module
6.6.8. Extended attributes
6.6.9. License module
6.6.10. System services module
6.6.11. Domain join module
6.6.12. Online update module
6.6.13. Computers module
6.6.14. Shares module
6.6.15. DNS module
6.6.16. Policies
6.6.17. DHCP module
6.6.18. Printers module
6.6.19. Univention Configuration Registry module
6.6.20. LDAP directory browser
6.6.21. Other modules
6.6.22. Univention Directory Manager command line interface and related tools
6.6.23. Development of modules for Univention Management Console
6.7. Software deployment
6.7.1. Repository handling
6.7.2. Software deployment command line tools
6.7.3. Software monitor (univention-pkgdb)
6.8. Univention Library
6.9. System services
6.9.1. DHCP
6.9.2. DNS
6.9.3. Cyrus
6.9.4. Postfix
6.9.5. Spam/virus detection and countermeasures
6.9.6. Printing services
6.9.7. Kerberos
6.9.8. Proxy services
6.9.9. Apache
6.9.10. Nagios
6.9.11. SSL
6.9.12. NFS
6.9.13. PAM / Local group cache
6.9.14. Other services
6.10. Virtualisation
6.10.1. Univention Virtual Machine Manager
6.10.2. Xen
6.10.3. QEMU/kvm
6.11. Desktop packages
6.12. Services for Windows
6.12.1. Samba 3
6.12.2. Samba 4
6.12.3. Univention S4 Connector
6.12.4. Univention Active Directory Connector
6.13. UCS test framework
6.14. Other changes
6.15. ucslint

Chapter 1. Release highlights

With Univention Corporate Server 3.2, the second minor release of Univention Corporate Server (UCS) is available. It includes various detail improvements and bug fixes:

  • The operation of the Univention Management Console has been optimised and simplified in many places, e.g. there are now simplified wizards for creating users, and internal system users are no longer displayed by default. The Univention Management Console now also offers single sign-on; a single login gives access to several UMC instances.

  • SAML (Security Assertion Markup Language) is an XML-based standard for exchanging authentication information which, among other things, allows single sign-on across domain boundaries. UCS now provides a SAML identity provider: the external service (e.g. Salesforce) is firmly registered via a cryptographic certificate and then trusts the identity provider. The user then only authenticates in UCS and can use the integrated service without authenticating again.

  • The Univention App Center has been further expanded and offers more extensive integration options for third-party vendors (e.g. relations between apps and optional ordering functions for apps from the App Center). The standard UCS components are also managed only via the App Center.

  • Samba 4 has been updated to version 4.1. SMB2 is now used instead of CIFS as the preferred protocol for file services. The Univention S4 Connector has been sped up considerably and the synchronisation of groups has been improved.

  • Bridges, bondings and VLANs can now also be configured in the Univention Management Console.

  • The underlying Debian version has been updated to version 6.0.8; this brings numerous improvements and bug fixes.

  • The Linux kernel has been updated to 3.10.15.

  • The management of shares has been simplified. NFSv4 is now also supported for NFS shares.

  • Proxy authentication can now also be performed via Kerberos.

Chapter 2. Recommended update order for environments with more than one UCS server

In environments with more than one UCS system, the update order of the UCS systems must be observed:

The authoritative version of the LDAP directory service is maintained on the master domain controller and replicated to all other LDAP servers of the UCS domain. As changes to the LDAP schemata can occur during release updates, the master domain controller must always be the first system to be updated during a release update.

In general, it is advisable to update all UCS systems in a single maintenance window wherever possible.

Chapter 3. Preparation of the update

It should be checked whether sufficient disk space is available. A standard installation requires at least 6 GB of disk space. Depending on the scope of the existing installation, the update requires at least 1 GB of additional disk space for downloading and installing the packages.

For the update, a login should be performed on the console as the user root and the update started there. Alternatively, the update can be performed via the Univention Management Console.

A remote update via SSH is not recommended, as an interruption of the network connection, for example, can abort the update process and impair the system. If an update is nevertheless performed over a network connection, it must be ensured that the update continues to run even if the network connection is interrupted. The tools screen or at, which are installed on all system roles, can be used for this purpose, for example.

3.1. Updating installed applications from the Univention App Center

Applications installed from the Univention App Center must be updated before the update. If, for example, the Online update module displays the error message "Weitere Releaseupdates sind verfügbar, können jedoch nicht installiert werden, da die Komponente 'zarafa_20130228' noch nicht für neuere Releaseversionen bereitgestellt wurde", the installed application (in this case Zarafa) must be updated in the Univention App Center using Update before the release update can be initiated.

3.2. Checking the BDB settings on systems with Cyrus IMAP server (univention-mail-cyrus)

As of UCS 3.2, the package univention-mail-cyrus ships a new Univention Configuration Registry template for the configuration file of the Cyrus BDB database (/var/lib/cyrus/db/DB_CONFIG).

The default values of the UCR variables for configuring the BDB database are:

  • mail/cyrus/bdb/dbconfig/set_lg_regionmax : "2097152"

  • mail/cyrus/bdb/dbconfig/set_cachesize : "0 2097152 1"

An existing Cyrus BDB configuration is copied to /var/lib/cyrus/db/DB_CONFIG.debian during the update. If the new default values do not match the old, existing configuration, or if options in use are not included in the new default values, the corresponding Univention Configuration Registry variables should be set before the update, e.g.:

ucr set mail/cyrus/bdb/dbconfig/set_cachesize="0 4097152 1"
ucr set mail/cyrus/bdb/dbconfig/set_lg_regionmax="2097152"
ucr set mail/cyrus/bdb/dbconfig/set_lg_max="1048576"
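
One way to work out which variables need setting before the update, as an added example that is not part of the original release notes or Univention's code: it reads an existing DB_CONFIG and prints a ucr set line for every directive that differs from, or is absent from, the new defaults. It assumes that every directive maps to mail/cyrus/bdb/dbconfig/<directive>, as the three variables shown above suggest; the function names and the sample file are constructed.

```shell
#!/bin/sh
# Added example: derive "ucr set" commands from an existing Cyrus DB_CONFIG.
# Assumption: each DB_CONFIG directive corresponds to the UCR variable
# mail/cyrus/bdb/dbconfig/<directive> (pattern inferred from the release notes).

UCR_PREFIX="mail/cyrus/bdb/dbconfig"

# New UCS 3.2 defaults as listed in the release notes; empty for anything else.
default_for() {
    case "$1" in
        set_lg_regionmax) echo "2097152" ;;
        set_cachesize)    echo "0 2097152 1" ;;
        *)                echo "" ;;
    esac
}

# Print one "ucr set" line per directive whose value is not the new default.
# Note: a directive that occurs several times yields several lines for the
# same variable and has to be reviewed by hand.
dbconfig_to_ucr() {
    conf="$1"
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    # Drop comments, collapse runs of whitespace, trim both ends.
    sed -e 's/#.*$//' -e 's/[[:space:]]\{1,\}/ /g' -e 's/^ //' -e 's/ $//' "$conf" |
    while read -r directive value; do
        [ -n "$directive" ] || continue
        if [ "$value" != "$(default_for "$directive")" ]; then
            printf 'ucr set %s/%s="%s"\n' "$UCR_PREFIX" "$directive" "$value"
        fi
    done
}

# Constructed sample of a pre-update DB_CONFIG (not taken from a real system).
sample_dbconfig() {
    cat <<'EOF'
# Cyrus BDB tuning (constructed sample)
set_cachesize 0 4097152 1
set_lg_regionmax   2097152
set_lg_max 1048576
EOF
}

# With a path argument, analyse that file; without one, run on the sample.
if [ "$#" -ge 1 ]; then
    dbconfig_to_ucr "$1"
else
    tmp=$(mktemp) && sample_dbconfig > "$tmp" && dbconfig_to_ucr "$tmp"
    rm -f "$tmp"
fi
```

Run it against /var/lib/cyrus/db/DB_CONFIG before the update and review the printed commands before executing them.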

3.3. Changes to the Univention Directory Listener module for Cyrus users

The listener module for managing mailboxes has been revised. Mailboxes are now only created if the attribute mailHomeServer is set on the user (in the UMC under Advanced settings -> Mail home server).

If the Univention Configuration Registry variable mail/cyrus/mailbox/delete is enabled on the mail server and the mail home server attribute is removed from the user object, the mailbox is deleted as a result.

3.4. Removed/no longer supported components

Some components have been removed and are no longer shipped with UCS 3.2:

  • The UMC module VNC has been removed. As an alternative for a graphical remote login to UCS servers, Xrdp can be installed from the Univention App Center.

  • The package univention-local-users (only part of unmaintained) has been removed.

  • The installation program for the Flash plugin is no longer shipped.

Chapter 4. Post-processing of the update

After the update, the new or updated join scripts must be executed. This can be done in two ways: either via the UMC module Domain join or by running the command univention-run-join-scripts as the user root.

The UCS system should then be restarted.

4.1. Migration to GRUB 2

For new installations as of UCS 3.0, the Univention Installer writes GRUB 2 directly to the boot sector.

During an update, GRUB 1 remains installed in the Master Boot Record (MBR). GRUB 2 sets up an entry "Chainload into GRUB", which then loads the actual GRUB 2.

Documentation on writing GRUB 2 directly to the MBR on updated systems as well is provided in the Univention Support Database (http://sdb.univention.de/1218).

4.2. Migration from PostgreSQL 8.3 to PostgreSQL 8.4

As of UCS 3.0, PostgreSQL 8.4 is offered in addition to PostgreSQL 8.3. When systems with PostgreSQL 8.3 are updated to UCS 3.0, however, the installed PostgreSQL version is retained.

The update to PostgreSQL 8.4 is described in the SDB article http://sdb.univention.de/1220.

4.3. Update/installation of the Horde Groupware Webmail Edition

As of UCS 3.2, the Horde Groupware Webmail Edition is no longer provided via the package univention-horde4 but via the Univention App Center. The update from univention-horde4 to Horde 5.1.0, or a new installation of Horde 5.1.0, is performed by installing the app Horde Groupware Webmail Edition in the Univention App Center.

4.4. Updating the supported protocols for Samba file services

In versions prior to UCS 3.2, Samba used the CIFS protocol to provide file services. For new installations as of UCS 3.2, its successor SMB2 is enabled by default. If a client is used that supports SMB2 (Windows Vista and later, i.e. also Windows 7/8), performance and scalability improve.

After updates from earlier UCS releases, Samba continues to use CIFS. To enable the use of SMB2 subsequently, the Univention Configuration Registry variable samba/max/protocol must be set to SMB2 on all Samba servers and the Samba server(s) must be restarted.

4.5. Operating a local repository server / preup / postup scripts

Preup and postup scripts are scripts that are called before and after release updates (e.g. for post-processing the update, such as uninstalling obsolete packages). As of UCS 3.2, these scripts are cryptographically signed to prevent unauthorised modification. These signatures are checked when updating and when mirroring the repository. If they are invalid or missing, the action is aborted.

If a repository server is operated with UCS 3.1-x, it must be updated to UCS 3.2 before further systems can be updated to UCS 3.2-1.

If an update of the repository server is not possible, the signature files must be downloaded manually:

LOCAL_DIR="/var/lib/univention-repository/mirror"
SERVER="http://updates.software-univention.de"
for release in 3.2-0 3.2-1; do
  for script in preup postup; do
    file="3.2/maintained/$release/all/$script.sh.gpg"
    wget -O "$LOCAL_DIR/$file" "$SERVER/$file"
  done
done

Alternatively, the signature check can also be disabled, which may pose a security risk. For the repository server, the Univention Configuration Registry variable repository/mirror/verify can be set to false for this purpose. For the update, the Univention Configuration Registry variable repository/online/verify must be set to false on all systems.
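
The checks an administrator would run on a local mirror before relying on it, as an added example that is not part of the original release notes or Univention's code: it lists missing script and signature files, verifies the existing pairs with gpgv, and reports whether one of the two verify variables has been switched off. It assumes that each .sh.gpg file is a detached signature stored beside its script, that the caller supplies the path of a keyring containing the Univention release key, and that the listed values are treated as false by UCR; all function names are constructed.

```shell
#!/bin/sh
# Added example: audit a local UCS repository mirror for the signed
# preup/postup scripts described above.
# Assumptions: <script>.sh.gpg is a detached signature next to <script>.sh;
# the keyring path given to bad_signatures holds the Univention release key.

RELEASES="3.2-0 3.2-1"
SCRIPTS="preup postup"

# Relative paths of all scripts the mirror is expected to carry.
expected_scripts() {
    for release in $RELEASES; do
        for script in $SCRIPTS; do
            echo "3.2/maintained/$release/all/$script.sh"
        done
    done
}

# Print every script or signature file that is missing or empty.
missing_signatures() {
    mirror="$1"
    expected_scripts | while read -r rel; do
        [ -s "$mirror/$rel" ] || echo "$rel"
        [ -s "$mirror/$rel.gpg" ] || echo "$rel.gpg"
    done
}

# Print every script whose signature does not verify against the keyring.
bad_signatures() {
    mirror="$1"
    keyring="$2"
    expected_scripts | while read -r rel; do
        [ -s "$mirror/$rel" ] && [ -s "$mirror/$rel.gpg" ] || continue
        gpgv --keyring "$keyring" "$mirror/$rel.gpg" "$mirror/$rel" \
            </dev/null >/dev/null 2>&1 || echo "$rel"
    done
}

# Read "key: value" lines (as printed by `ucr dump`) on stdin and print the
# verification switches that are turned off.
verification_disabled() {
    while IFS= read -r line; do
        key=${line%%:*}
        value=$(printf '%s' "${line#*: }" | tr '[:upper:]' '[:lower:]')
        case "$key" in
            repository/mirror/verify|repository/online/verify)
                case "$value" in
                    false|no|off|0|disable|disabled) echo "$key" ;;
                esac ;;
        esac
    done
}

# Constructed demonstration: a mirror holding a single unsigned preup.sh.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/3.2/maintained/3.2-0/all"
    echo '#!/bin/sh' > "$tmp/3.2/maintained/3.2-0/all/preup.sh"
    echo "missing files:"
    missing_signatures "$tmp"
    echo "verification switched off:"
    printf 'repository/online/verify: false\n' | verification_disabled
    rm -rf "$tmp"
}

# Usage: script MIRROR_DIR [KEYRING]; without arguments the demo runs.
if [ "$#" -ge 1 ]; then
    missing_signatures "$1"
    if [ "$#" -ge 2 ]; then bad_signatures "$1" "$2"; fi
    if command -v ucr >/dev/null 2>&1; then ucr dump | verification_disabled; fi
else
    demo
fi
```

Empty output from all three checks means the mirror carries every expected file, each signature verifies, and verification is still enabled on the host.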

4.6. Subsequent setup of the synchronisation of Active Directory group types

For new installations as of UCS 3.2 that use Samba 4, the group memberships are synchronised between the Samba 4 directory service and the OpenLDAP directory service by the Univention S4 Connector, i.e. every group on the UCS side is associated with a group in Active Directory.

Systems that were installed with UCS versions prior to 3.2 can optionally be converted subsequently. Further information can be found at http://sdb.univention.de/1237.

4.7. Migration of customisations of the UCS start page

In earlier UCS versions, the UCS start page could be extended using Univention Configuration Registry templates in the directory /etc/univention/templates/files/var/www/ucs-overview. As of UCS 3.2, the start page is extended using Univention Configuration Registry variables (ucs/web/overview/entries/*; further information can be found in the UCR variable descriptions). Any existing extensions must therefore be migrated manually.

Chapter 5. Notes on the use of individual packages

5.1. Collection of usage statistics when using the free for personal use version

When the free for personal use version of UCS is used (which is generally used for evaluations of UCS), anonymous usage statistics on the use of the Univention Management Console are generated. The modules that are opened are logged by an instance of the web traffic analysis tool Piwik. This allows Univention to tailor the development of the Univention Management Console better to customer interest and to make usability improvements.

This logging only takes place when the free for personal use license is used. The license status can be checked by clicking on the gear symbol in the top right corner of the Univention Management Console and selecting License information. If Free for personal use edition is shown there under LDAP base, such a version is in use. When a regular UCS license is used, no usage statistics are collected.

Independently of the license used, the logging can be disabled by setting the Univention Configuration Registry variable umc/web/piwik to false.

5.2. UEFI installation DVD

As of UCS 3.1, a medium with support for the Unified Extensible Firmware Interface standard (UEFI) is available for amd64 in addition to the standard installation DVD.

On systems that only support a UEFI boot, it can be used instead of the standard DVD.

5.3. Scope of security support for Webkit, Konqueror and QtWebKit

Webkit, Konqueror and QtWebkit are shipped in the maintained branch of the UCS repository, but are not covered by security updates. Webkit is primarily used for displaying HTML help pages and the like. Firefox should be used as the web browser.

5.4. Recommended browsers for access to the Univention Management Console

Univention Management Console uses numerous JavaScript and CSS functions to display the web interface. Cookies must be permitted in the browser. The following browsers are recommended:

  • Chrome as of version 14

  • Firefox as of version 10

  • Internet Explorer as of version 9

  • Safari (on the iPad 2)

Display or performance problems may occur on older browsers.

5.5. Restrictions in Samba 4 operation

The versions of Samba 4 currently published by the Samba project are still subject to more substantial changes in ongoing development than Samba 3. Some functionality is therefore not yet fully available:

  • Microsoft Windows domain controllers must currently not be joined to a Samba 4 domain.

  • Selective replication is not possible with Samba 4, as it is not supported by Active Directory as a matter of principle (in UCS@school, selective replication is based on the listener/notifier replication).

  • Samba 4 currently does not support forest domains.

  • Samba 4 currently does not support trust relationships.

Further notes can be found in chapter 8 of the UCS manual [UCS-Handbuch].

5.6. Installation in VirtualBox

When installing UCS in the virtualisation solution VirtualBox prior to version 4.2, the following VirtualBox bug can occur: when booting from the installation DVD, GRUB offers the option Boot from first harddisk partition. If this option is selected, VirtualBox freezes.

As a workaround, before the UCS VM is restarted, either the installation DVD must be removed from the drive settings of the VirtualBox VM, or F12 must be pressed when the virtual instance starts and the hard disk selected as the boot partition.

5.7. Installation in Citrix XenServer

When installing UCS in the virtualisation solution Citrix XenServer 6.0 - 6.2, the GRUB menu of the Univention Installer is not displayed with the Cirrus graphics card that is emulated by default. The Univention Installer can be started directly by pressing the ENTER key; alternatively, the installation starts automatically after sixty seconds. The Univention Installer that is then started is displayed normally.

To display GRUB correctly, the graphics card emulated by XenServer can be reconfigured. To do so, log in as the user root on the XenServer system. First, the UUID of the virtual machine must be determined with the command xe vm-list. The following command then reconfigures the emulated graphics card to VGA:

xe vm-param-set uuid=UUIDVM platform:vga=std

5.8. Migration of a Samba 3 environment to Samba 4

There are two basic procedures for migrating from Samba 3 to Samba 4:

  • Setting up a parallel Samba 4 domain. The two domains use different NetBIOS names and SIDs. The clients then join the Samba 4 domain step by step.

  • Migration of all systems within one maintenance window.

Both procedures are documented in detail in the Univention Wiki: http://wiki.univention.de/index.php?title=Migration_from_Samba_3_to_Samba_4.

5.9. Xen

If the Xen hypervisor is used and the memory limit has been restricted via the Univention Configuration Registry variable grub/xenhopt, the value should be updated and extended by the ,max: specification. Further details can be found at http://wiki.univention.de/index.php?title=UVMM_Quickstart-3.1#Konfiguration_der_Dom0.

Chapter 6. Changelog

The changelogs with the detailed change information are maintained in English only. Listed are the changes since UCS 3.1-1:

6.1. General

  • The codename for UCS 3.2 is Borgfeld (Bug 31686).
  • The welcome message is now shown through /etc/issue (Bug 31094).
  • All previous errata updates for UCS 3.1 have been integrated (Bug 31330).
  • The Debian point update 6.0.8 was incorporated. Among other changes it also fixes several security issues (Bug 31956):

6.2. Upgrade provisions (preup and postup scripts)

  • The consistency of the installed LDAP schema is now checked in preup.sh using slapschema (Bug 25674).

6.3. Univention Installer

  • The input of non-ASCII characters in input fields has been disabled (Bug 24904).
  • Horde has been removed from the software selection. Horde is now available in the Univention App Center (Bug 31812).
  • The GRUB configuration of the installation DVD no longer loads the Cirrus graphics module. Instead, standard VGA is now used. In addition the colour depth has been set to 32 bits. This fixes display problems when installing in Citrix Xen Server (Bug 30978).
  • The Software RAID boot entry has been renamed to expert partitioning (Bug 24051).
  • Some obsolete code blocks have been removed (Bug 31825).
  • The DHCP query button in the network settings dialogue has been removed; instead, the DHCP query is performed if DHCP is selected for an interface (Bug 31174).
  • The error message which is displayed if the hostname starts with digits has been clarified (Bug 29349).
  • The sort order in the language selection list has been fixed (Bug 24361).
  • The domain name and NetBIOS/Windows domain name syntax tests in the basic settings have been fixed (Bug 24888). The input field for the NetBIOS/Windows domain name is no longer displayed on systems which are not a master domain controller (Bug 24442).
  • Directories created during the installation have their permissions set to 0755 (Bug 29450).
  • The screen content is now correctly refreshed during installations running on Citrix Xen Center UCS (Bug 31051).
  • The second password field for entering the join password has been removed (Bug 31965). In addition an error message was improved (Bug 23903).
  • During the boot loader installation more device details are displayed. The installation device is automatically ignored (Bug 25046).
  • The installer now displays errors/warnings caused by the initial device scan and offers to format the problematic devices with an empty GPT (Bug 31899).
  • The automatic partitioning has been adapted. It still requires the erasure of all hard discs but as of UCS 3.2-0 the new auto partitioning layout will only use the first available harddisk. If installation profiles are used, the keyword auto_part only accepts the value yes from now on (Bug 31705). The partitioning module now also ensures that LVM signatures are removed by pvremove before pvcreate is called (Bug 31925).
  • The default size for the EFI system partition created by the automatic partitioning has been increased to 260 MiB due to limitations of FAT32 on 4k-sector harddrives (Bug 33179).
  • Several installation problems on UEFI systems have been fixed. Especially the GRUB error message "error: file not found." followed by a black screen or kernel traceback has been fixed (Bug 28672).
  • Various services are now restarted at the end of the installation (Bug 33025).

6.3.1. Profile-based installation

  • The detection of the hostname (scan="hostname"), has been fixed (Bug 29469).
  • The Univention Configuration Registry variable descriptions in univention-net-installer have been revised (Bug 30948).
  • The package univention-net-installer-daemon has been added. It contains a daemon that accepts hostnames and removes the reinstallation flag for these systems. The host can be configured with installation_feedback_host and the port with installation_feedback_port (Bug 1156).

6.4. Basic system services

6.4.1. Boot loader

  • GRUB has been updated to version 2.00. If the update process can unambiguously determine the block device the GRUB bootmanager is installed on, GRUB will be updated from version 1.98 to 2.00 automatically. In all other cases the update of GRUB has to be done manually via the command grub-install <device> after the update has completed successfully. Alternatively if the GRUB device is known in advance, the Univention Configuration Registry variable update/grub/boot may be set to the corresponding devicename (e.g. update/grub/boot=/dev/sda) (Bug 28191, Bug 32634, Bug 33125).
  • The Univention Configuration Registry variable descriptions in univention-grub and univention-bootsplash have been revised (Bug 30943).
  • Prior to UCS 3.2 a terminal resolution of 800x600 pixels with a colour depth of 16 bits has been used as default (grub/vga=788). During the update to UCS 3.2 the color depth switches from 16 to 24 bits (grub/vga=789) if the default settings are still set. The old state may be regained by setting the Univention Configuration Registry variable grub/vga=788. To prevent this change during the update, set the Univention Configuration Registry variable update32/grub/changecolordepth=no prior to the update (Bug 32634).
  • The background images of GRUB (uniboot.png and uniboot.xpm.gz) are now stored in /usr/share/univention-grub/ and will be copied to /boot/grub/ during package updates (Bug 33123).

6.4.2. Linux kernel and firmware packages

  • The Linux kernel was updated to 3.10.15 (Bug 31701, Bug 32203). This update also resolves occasional kernel traces when operating a UCS installation in Amazon EC2 (Bug 30369). The firmware packages have been updated to current versions as well. In addition various packages have been updated to ensure compatibility of their DKMS out-of-tree kernel modules with Linux 3.10: openafs, xtables-addons, open-vm-tools, iscsitarget, virtualbox and ndiswrapper.
  • Provide a modprobe configuration file for vmwgfx (the DRM driver for VMware) to enable fbdev support. Otherwise startup freezes in bootsplash and on the command line occur when installed in VMware ESXi (Bug 32536).
  • The kernel meta packages now enable the Univention Configuration Registry variable update/reboot/required, which triggers a note to the user that the system requires a reboot to complete the update (Bug 24287). The kernel 2.6.32 transition packages have been removed (Bug 31593).
  • The Univention Configuration Registry variable kernel/blacklist can now be used to prevent kernel modules from being loaded. Multiple entries need to be separated by a semicolon. By default the nouveau module is now blacklisted since the kernel module from 3.10 is incompatible with the Xorg userland (Bug 19892).
  • The kernel inotify parameters can now be controlled by Univention Configuration Registry variables (Bug 32327). The default values have been increased to improve support of large environments. The following Univention Configuration Registry variables are available:

    • kernel/fs/inotify/max_user_instances (default: 512)
    • kernel/fs/inotify/max_user_watches (default: 32768)
    • kernel/fs/inotify/max_queued_events (default: 16384)
    If these parameters have been manually defined in a local file below /etc/sysctl.d/, the file should be removed and the configured values transferred to the respective Univention Configuration Registry variables.
  • The Univention Configuration Registry variable descriptions in univention-initrd have been revised (Bug 30943).

6.4.3. Univention Configuration Registry

  • The process handling has been improved to prevent issues with processing signals during system calls (Bug 31140).
  • The Univention Configuration Registry layers were processed in the wrong order when using the 'search' subcommand. Now all commands consistently return the value from the layer with the highest priority, which are 'force', 'schedule', 'ldap' and 'normal' (Bug 29632). The C library - used by e.g. Univention Directory Listener - now considers all layers (Bug 29964).
  • Changes are now written to a temporary file first and the file is moved into place in a second step; otherwise the file might not be completely written when a variable is read (Bug 31725, Bug 31853).
  • A new function was added to the Python API to set and unset Univention Configuration Registry variables atomically through a dictionary (Bug 32544).

6.4.4. Network interface configuration

  • The Univention Configuration Registry variable descriptions in univention-network-manager have been revised (Bug 30943).
  • In the update from UCS-3.0 to UCS-3.1 the template for /etc/network/interfaces was converted from a single-file template into a multi-file template. To preserve user modifications the original file was moved to the new location. This breaks the network tools, since the generated file now contains two declarations for the loopback interface. This situation is now detected and the second declaration is commented out (Bug 32297).
  • During the update the automatic restart of the network is disabled by setting the Univention Configuration Registry variable interfaces/restart/auto to false (Bug 31844). In the past this has caused time-outs and re-connect problems. The previous value is restored after the package univention-base-files has been updated successfully.

6.4.5. Univention Firewall

  • The Univention Configuration Registry variable descriptions in univention-firewall have been revised (Bug 30943).

6.5. Domain services

6.5.1. OpenLDAP

  • OpenLDAP was updated to version 2.4.35 (Bug 31697, Bug 32438).
  • A segmentation fault in the LDAP server process in cases where non-UTF-8 passwords were used for LDAP bind against the {K5KEY} scheme has been fixed (Bug 31352).
  • The slapd init script now supports graceful-restart and graceful-stop, both asking the slapd kindly to stop and then waiting for 120 seconds before forcefully killing the process (Bug 31998). If slapd can not be started, slapschema is called to determine the cause and the output is displayed (Bug 23055). The temporary schema file is now properly removed (Bug 31989).
  • The Univention Configuration Registry variable ldap/server/port is now set to 7389 by default (Bug 26888).
  • The Univention Configuration Registry variable descriptions in univention-ldap, univention-directory-logger and univention-ldap-overlay-memberof have been revised (Bug 30946). The unused Univention Configuration Registry variable ldap/server/additional has been removed. ldap/server/addition can be used instead (Bug 24507).
  • univention-ldap-backup now creates a separate logfile during the backup process in /var/univention-backup/ (Bug 31997). A bug which could lead to truncated slapcat output was fixed (Bug 31170).

6.5.1.1. LDAP ACL changes

  • The package univention-admingrp-user-passwordreset has been updated to work with UCS 3.2 (Bug 25408). It now also supports the protection of groups through the Univention Configuration Registry variable ldap/acl/user/passwordreset/protected/gid. By default the group Domain Admins is protected (Bug 29710). The Univention Configuration Registry variable descriptions have been revised (Bug 30946).
  • LDAP ACLs with regular expressions have been made more efficient and robust (Bug 29421). The LDAP ACLs for computer objects have been tightened (Bug 31305).
  • A listener module for the replication of LDAP ACL extensions has been implemented (Bug 32393).

6.5.1.2. LDAP schema changes

  • New schema extensions univention-object-metadata.schema, udm_extension.schema and univention-ldap-extension.schema have been added (Bug 32391, Bug 32410).
  • The package for the App Center UMC module now ships a new LDAP schema extension univention-app.schema using the new mechanism implemented via Bug 32412.
  • The LDAP attribute univentionShareHost now supports the substring search (Bug 31208).
  • A listener module for the replication of LDAP schema extensions has been implemented (Bug 31801).
  • The Univention Configuration Registry variable descriptions in univention-legacy-kolab-schema have been revised (Bug 30946).

6.5.1.3. Listener/Notifier domain replication

  • The password used by the listener to access the LDAP directory is no longer shown in the logfile (Bug 31053).
  • The failed LDIF mode of the replication now handles empty values correctly (Bug 25579).
  • The Univention Configuration Registry variable descriptions in univention-directory-listener and univention-directory-listener have been revised (Bug 30946).

6.5.2. Domain joins of UCS systems

  • The Univention Configuration Registry variable windows/domain is now set in univention-join to the value of windows/domain on the DC master (Bug 24442).
  • Several issues regarding handling long DNs and DNs containing non-alphanumeric characters in univention-run-join-scripts have been fixed (Bug 32005).
  • univention-server-join now adds /usr/sbin/ and /sbin/ to the shell PATH environment variable before importing the univention shell libs (Bug 31281).

6.5.3. Backup2Master

  • univention-backup2master now also replaces the Univention Configuration Registry variable kerberos/kpasswdserver with the new master's FQDN (Bug 31077).
  • univention-backup2master now cleans up Samba 4 related objects (Bug 27893).
  • univention-backup2master now transfers the Samba/AD FSMO roles before removing the old DC account from Samba4 (Bug 33382).

6.6. Univention Management Console

6.6.1. Univention Management Console web interface

  • The design of UCS start site and the UMC header have been revised (Bug 31700, Bug 32610, Bug 33026).
  • The UMC overview page has been redesigned, and a search for modules has been added (Bugs 31699, 32022, 32023, 32048). The packages univention-nagios-server, univention-doc and univention-system-setup have been adapted to the new UMC overview page (Bug 32611).
  • The styling of buttons has been revised to improve the distinction between actions and links (Bug 32218).
  • The grid representation of result lists has been revised: action buttons have been merged into a tool bar above the grid to improve visibility, entries can be selected by clicking on a row, an entry is opened directly when clicking on its name (Bug 26418, Bug 32751).
  • UMC modules can now display system notifications (Bugs 30004, 33333, 33389).
  • A welcome dialogue has been added when UMC is started for the first time (Bug 30811).
  • A single-sign-on feature has been implemented for Univention Management Console. The head line of UMC now provides a drop down for selecting other UCS systems. The UMC of the selected UCS system will be opened in a new browser window (Bugs 24422, 30744).
  • The Univention Configuration Registry variable descriptions in univention-management-console-frontend and univention-management-console have been revised (Bug 30946).
  • Added a button to easily send traceback information of unexpected errors to Univention (Bug 31056).
  • The robustness of the initial UMC module loading was improved (Bug 32140).
  • Inside the favorite category, favorites can no longer be removed (Bug 29555).
  • The username input field of the login dialog now remains disabled after a failed relogin (Bug 27989). Also problems were fixed after changing an expired password: Under some circumstances the username sent was wrong and the standby animation never stopped (Bug 31898).
  • The internal caching mechanism for list entries (e.g., DHCP/DNS entries and IP/MAC addresses for computers) has been improved as it could previously lead to inconsistencies in rare cases (Bug 31510).
  • Only the origin host without path is now logged in Piwik (Bug 30961). The cancellation of UDM object creations/modifications is now also logged in Piwik (Bug 31161).
  • The UMC session is now kept active during the dialogue for restarting the UMC server (Bug 31642).
  • Problems with standby overlay animations not covering the full underlying area have been corrected (Bug 31581).
  • Removed the label Default properties when searching in default properties. Instead nothing is shown and the page has more space for the results (Bug 32753).
  • Support for the following locales has been added: German (Austria), German (Switzerland), English (United Kingdom) (Bug 31377).
  • Only UDM properties that are part of the layout are transmitted to the UMC frontend now. Invisible property widgets led to problems loading the detail page of UDM objects (Bug 32877).
  • The UMC page has been fixed for browsers without JavaScript support (Bug 32820).
  • Attributes which are required, but not provided during creation of an object are now marked with a red "!" (Bug 25500).
  • The Create report action now applies to the selection instead of the whole search result. Therefore the button has been moved into the grid's more menu (Bug 32749).

6.6.2. Univention Management Console server

  • Error situations that caused the server and/or modules to exit are now logged (Bug 31130).
  • The UMC ACL evaluation has been simplified, resulting in improved login performance (Bug 28059, Bug 32747). The host matching with wildcards in UMC ACLs has been re-enabled (Bug 32850).
  • Meta information of modules is now reloaded on every successful login (Bug 32299).
  • A typo in the command line tool umc-get was fixed (Bug 30605).
  • Some redundant log messages have been removed (Bug 29603).
  • Avoid problems when reloading UDM modules. This could cause the UMC Server to crash when UDM modules and UDM syntax definitions were out of sync (Bug 32565).
  • A problem which caused the UMC server to crash when setting an invalid locale has been corrected (Bug 28657).

6.6.3. Univention App Center

  • Standard UCS components (such as Samba, KDE, Nagios, print server etc.) are now installed/removed through the new category UCS components (Bug 32301, Bug 32308, Bug 32309, Bug 32302, Bug 30982).
  • Fixed an issue when closing the App Center tab: The backend shut down the module when no further requests regarding the progress of an installation were sent. When this happened during installation the package database could become temporarily broken (Bug 30611).
  • If an application doesn't detect sufficient required memory, a warning is emitted (Bug 31856, Bug 31354, Bug 32117). The detection of free memory when running in OpenVZ containers was fixed (Bug 30659).
  • Applications now automatically register themselves in the UCS start site and the LDAP directory (Bug 32416, Bug 32609).
  • Prevent concurrent package operations in the same session (Bug 31382).
  • Applications which cannot be installed on the current system role are no longer displayed (Bug 32426).
  • The search bar now also searches for the long description of an app (Bug 32930).
  • The retrieval of available apps in the App Center was accelerated. A progress bar has been added (Bug 30798).
  • The details pages of apps have been improved (Bug 31891).
  • Apps can provide a link to a Univention Management Console module or a web interface (accessible with Open) (Bug 30759) and a Shop button (Bug 32282).
  • Tests whether the user may continue are run after the "Install" (or "Upgrade" or "Uninstall") button is clicked. They are all run at once and for some failed tests solutions are offered (Bug 31737, Bug 30289, Bug 32163).
  • Made component registration in univention-add-app more robust (Bug 32398). A new option allows installing the latest version of the application (Bug 31157). Fixed app installation with --all and --master when pointing to an outdated version (Bug 31279).
  • The progress bar to display the installation progress was improved (Bug 31184).
  • Applications can now declare dependencies on other applications (Bug 30077, Bug 31055).
  • If an application is installed, the system does not dist-upgrade anymore. If the App is upgraded, the system still does a dist-upgrade but shows a warning that the dist-upgrade may include errata updates (Bug 31129, Bug 31278).
  • The INI file of an application may now contain HTML in the long description (Bug 31185). Additional information can be provided: INSTALL, POST_UPDATE, POST_INSTALL, UNINSTALL, POST_UNINSTALL (Bug 31803, Bug 32502).
  • The button to request a new license is shown even if the application cannot be installed (Bug 31166).
  • Under certain circumstances packages installed directly by the App Center could be marked as automatically installed and thus be autoremoved. This has been corrected (Bug 31155).
  • Fixed a segmentation fault that happened while upgrading an App under certain circumstances. Now the package manager always uses the latest package cache (Bug 31282).
  • The error messages in case of no available license have been improved (Bug 30629).
  • The session is now kept alive after having installed an app until confirmation (Bug 31886).
  • Fixed string formatting of one error message (Bug 32193).
  • Repository sources are now only committed once to improve update performance (Bug 31228).
  • Opening a second App Center module in UMC is now prevented and a traceback when opening the module has been corrected (Bug 31662).
  • Users can now suggest apps they are missing in the App Center (Bug 31625).
  • A new UDM module (appcenter/app) is provided for the registration of App metadata (Bug 32414).
  • The app errata repositories will be removed from UCR during the update (Bug 30904).

6.6.4. Univention Management Console / Univention Directory Manager modules

  • The performance of the domain modules has been optimised (Bug 32978). The following syntax classes received lookup optimizations which result in faster object opening especially in larger environments: UserDN, UserID, GroupDN, GroupID, UCS_Server, DNS_ForwardZone, DNS_ReverseZone, WritableShare, DomainController, GroupName, UserName, nfsShare (Bug 30991, Bug 31560).
  • The Univention Configuration Registry variable descriptions in univention-directory-manager-modules and univention-management-console-module-udm have been revised (Bug 30946).
  • Opening certain LDAP objects takes very long (e.g. the PPD lists). Now widgets for attributes that may have multiple values do not block anymore while being built (Bug 31376).
  • Added a progress bar while moving objects. This will prevent a timeout when moving a lot of them at once (Bug 25465).
  • The internal default of multi value attributes has been changed to a more reasonable one (the empty list [] instead of a list containing the empty string ['']). This addresses several issues in the frontend, including a bogus empty user remaining in a group when removing all users was intended (Bug 29680).
  • Univention Directory Manager modules that support superordinates now respect the autosearch setting via UCR when changing the superordinate in the advanced search form (Bug 29498).
  • All syntax files and hooks files are now re-evaluated every time a new session is created. This prevents errors caused by referenced classes unknown during univention-management-console-server startup (Bug 31154).
  • The debug output is now explicitly flushed in order to prevent partial or missing lines in the log file (Bug 31421).
  • Various text changes have been made, translations have been adapted and added. Descriptions were added or made clearer (Bug 24727, Bug 29552, Bug 23691, Bug 24028, Bug 23698, Bug 23697, Bug 23695).
  • Newly added superordinates are now opened correctly on mouse click (Bug 25008).
  • A status message is now displayed after a license has been imported from a file (Bug 29713).
  • Deprecated checks for some multivalue attributes have been removed (Bug 18929).
  • UDM modules now try to automatically reestablish the connection to the LDAP server in case of a connection error (Bug 32617).

6.6.5. Basic settings / Appliance mode

  • The Univention Configuration Registry variable apache2/startsite will now be set to correct values when reinstalling, uninstalling and updating univention-system-setup-boot (Bug 31385, Bug 31643).
  • The Univention Configuration Registry variable descriptions in univention-system-setup have been revised (Bug 30943).
  • Added error handling in case the download of required packages for univention-system-setup-boot failed. This could prevent a role switch when configuring the system in appliance setup (Bug 30896).
  • The software page has been removed. Software components are now managed in the Univention App Center. The software page is still available in the appliance setup (Bug 32471). The progress bar during (un)installation of software components was fixed (Bug 32148). Packages are now installed in the correct order (Bug 31960).
  • Firefox update notifications are now suppressed during appliance setup (Bug 30980).
  • The NetBIOS domain name is no longer queried (or displayed) on systems other than a master domain controller (Bug 24442). Fixed an infinite loop when validating the domain name and NetBIOS domain name (Bug 28574).
  • When changing the SSL certificate a dialogue is displayed to restart the server components (Bug 29480). When running in English, the SSL module now refers to the English version of the Univention Support Database article (Bug 30776).
  • The SSL input fields are now proposing values based on the default locale (Bug 29658). Umlauts in certificates are now imported and shown correctly (Bug 30722).
  • Added support to configure bridges, bondings and VLAN interfaces. This is blocked while the deprecated KVM and Xen scripts, which normally set up a network bridge for virtualisation, are still used. See http://docs.univention.de/computers-3.2.html#uvmm for detailed instructions (Bug 30816, Bug 30878, Bug 33006). The code for basic IP configuration has been re-written in Python (Bug 28670).
  • The description of server roles has been unified (Bug 30773).
  • The setup scripts are now always processed in fixed order (Bug 29714).
  • When inserting invalid values, the invalid input field is now focused (Bug 31021).
  • A link to the UCS online documentation has been added to the network settings (Bug 29119). The redirection to the new Univention Management Console URL after IP address changes has been made more robust (Bug 29973).
  • A profile parsing function was fixed to not strip all double quotes from supplied values, which now allows quotes to be used in passwords (Bug 32463).
  • The special handling for the Univention Software Monitor database has been removed (Bug 29783).

6.6.6. Users module

  • Spaces are no longer allowed in the username (this can be overwritten by setting the Univention Configuration Registry variable directory/manager/web/modules/users/user/properties/username/syntax to string) (Bug 19441).
  • The new extended attribute "objectFlag" has been added (Bug 31408).
  • Several internal users and groups are now hidden from the UMC modules, for example the AD pseudo groups like Authenticated Users or Everyone (Bug 32871, Bug 32750).
  • Passwords are now stored in the password history as salted password hashes plus the salt and the ID of the hashing algorithm (Bug 30981).
  • Forcing a user to change the password upon next login has been changed internally when using Samba. It has been adapted to newer versions of Samba and does not require PAM anymore (Bug 17890).
  • The attributes User ID, Group ID and GECOS have been removed from the advanced search as they are not searchable (Bug 28803).
  • A bug in the jpegPhoto syntax has been corrected which led to invalid data getting stored in the LDAP with some photos (Bug 30342).
  • An optional simplified wizard for creating users has been added (Bug 23214).
  • The deprecated function set_uid_umlauts has been removed (Bug 28671).
  • If the mail option is enabled for a user, a password is no longer required (Bug 31868).
  • A traceback which occurred when creating a user with just the person option set has been corrected (Bug 24351).

6.6.7. Groups module

  • The options flag is now considered during group creation via UDM CLI (Bug 32853).
  • The new extended attribute "objectFlag" has been added (Bug 31408).
  • Several internal users and groups are now hidden from the UMC modules, for example the AD pseudo groups like Authenticated Users or Everyone (Bug 32871, Bug 32750).
  • It is now possible to set the AD group type for groups. The group type is synchronised to Samba 4 via the Univention S4 connector if the Univention Configuration Registry variable connector/s4/mapping/group/grouptype is set to true (Bug 32767).

6.6.8. Extended attributes

  • The descriptions of extended attribute properties have been improved and the layout of the module has been restructured (Bug 28629, Bug 27948).

6.6.9. License module

  • The dialogue for requesting a new license with a key ID has been moved from the App Center into the license dialogue (Bug 32389).
  • The license check now ignores temporary user objects (Bug 31167).
  • The license is now loaded and displayed in the UMC license info dialog even if the license is invalid or expired (Bug 31673).

6.6.10. System services module

6.6.11. Domain join module

  • After a rejoin a restart of the system can now be performed directly via a confirmation dialog (Bug 9927).

6.6.12. Online update module

  • The module now shows available application updates from the App Center. Updates are installed in the App Center module (Bug 30548).

6.6.13. Computers module

  • An optional simplified wizard for creating computers has been added (Bug 23214).
  • The new extended attribute "objectFlag" has been added (Bug 31408).
  • The module mapping for the inventory number was duplicated. This has been fixed (Bug 24102).
  • A traceback which occurred when renaming computer objects with a configured DNS reverse zone has been fixed (Bug 31435).
  • The attribute FQDN has been removed from the advanced search as it is not searchable (Bug 28803).

6.6.14. Shares module

  • The layout, descriptions and attribute names in the UMC module have been improved (Bug 32882).
  • The Samba share option strict locking can now be set to 'Auto' (default), 'Yes' or 'No' (Bug 32882).
  • Custom NFS settings can now be configured for NFS shares (Bug 18708).
  • The setgid and sticky bit flags can now be set for the root directory of the share (Bug 15087). The permissions, owner and group will now only be set on new shares, or if the values have been modified (previously they were rewritten with every change made to the share) (Bug 15087).

6.6.15. DNS module

  • A problem has been corrected which led to invalid PTR records when changing the DNS forward zone of a computer object, or to the loss of PTR records when changing its DNS reverse zone (Bug 30905).
  • The representation of the DNS module was revised/simplified (Bug 32381).
  • DNS: Pointer objects are now called DNS: Pointer records to be consistent with the naming conventions of other DNS resource records in UDM modules (Bug 24661).
  • When appending name servers to DNS forward and DNS reverse zones, a trailing dot will be added to every entry if missing, not only the first one (Bug 29568).
  • A mapping which broke the representation of TXT records for DNS forward zones has been fixed (Bug 29681).
  • A traceback which occurred when removing the MAC address or network from a computer with a DHCP entry has been fixed (Bug 28945, Bug 29676).
  • The pointer record attribute of the DNS pointer module is now a multi value attribute (Bug 28667, Bug 31103).

6.6.16. Policies

  • The removal of user and group quotas in the print quota policy has been fixed (Bug 31703).
  • A sometimes erroneous evaluation of policies as shown in the detail view of UDM objects in UMC has been corrected (Bug 31916).
  • Widgets in the policy tab of an object now show an empty value if the attribute is not set (previously they showed the first of all the available choices) (Bug 31017).
  • A typo has been fixed in the display policy (Bug 21997).

6.6.17. DHCP module

  • The representation of the DHCP module was revised/simplified (Bug 32381).

6.6.18. Printers module

  • The selectable print servers are now limited to servers which are registered for the print server service (Bug 25216).

6.6.19. Univention Configuration Registry module

  • Reloading of UCR variables has been improved, and references to the external library pyinotify have been removed (Bug 31752).

6.6.20. LDAP directory browser

  • Moving and deleting the LDAP base is now prevented (Bug 24642).

6.6.21. Other modules

  • The attribute Next IP in the network module has been removed from the advanced search as it is not searchable (Bug 28803).
  • The Univention Configuration Registry variable descriptions in univention-directory-reports have been revised (Bug 30946).
  • The English and German texts of the System information module have been adapted (Bug 30797).
  • Support of ext4 partitions has been added to the filesystem quota module (Bug 24357). In addition a typo in the German localization has been fixed (Bug 28377).
  • The shutdown/reboot message in the Reboot module has been reworded and the button layout was improved (Bug 22831).
  • The use of eval() has been replaced with getattr() in several UMC modules (Bug 31523).
  • The VNC module has been removed (Bug 30158). As an alternative xrdp can be used for remote administration. It is available in the Univention App Center.
  • The regular expression search patterns have been tightened and unified in the UVMM and Printers modules (Bug 28260).

6.6.22. Univention Directory Manager command line interface and related tools

  • The code of the command line programs has been cleaned up (Bug 30974).
  • The properties of the superordinate module are now ignored in the UDM modules while creating or modifying UDM objects on the command line (Bug 32671).
  • The enforcement of required multivalue attributes now also works when using the UDM CLI (Bug 31302).
  • A broken LDAP authentication in proof_dns_dhcp_records has been corrected (Bug 30903).
  • An error message regarding an existing directory has been corrected (Bug 29074).
  • An error in univention-dnsedit which occurred when trying to remove the last location from a SRV record has been corrected. When removing the last location, the whole SRV record will be removed now (Bug 32592).

6.6.23. Development of modules for Univention Management Console

  • Listener modules for the replication of UDM syntax extensions, UDM hook extensions and UDM module extensions have been implemented (Bug 32402, Bug 32405, Bug 32408).
  • The horizontal alignment of some widget classes was fixed (Bug 25389).
  • Some CSS adaptations have been made (Bug 32318).
  • In umc/widgets/Grid:actions a specific tooltip class can now be defined for actions (Bug 31308).
  • The package univention-demo-configuration has been updated in order to allow two new UMCP commands. The former package version led to an error message when opening the Univention App center or the UMC online update module. This issue has been fixed (Bug 31567).
  • The validate function of the Form widget has been corrected. Previously, no exclamation mark has been displayed when a widget had an invalid value (Bug 31337).
  • A static array reference in umc/widgets/MultiSelect causing re-occurring entries in umc/widgets/MultiUploader has been corrected (Bug 31318).
  • A problem with scrollbars in the Dialog widget has been corrected (Bug 30796).
  • UMC login problems with the demo configuration package installed have been corrected (Bug 31091).
  • A problem in the Text widget has been corrected which caused a 404 error (Bug 28810).
  • Fixed a regression in form validation with certain FormWidgets (Bug 30965).
  • Fixed the width of the ConfirmDialog in Firefox (Bug 30102).
  • The width of textarea fields has been fixed (Bug 30889).
  • The version of the JavaScript Dojo toolkit has been updated to 1.9 (Bug 31639).
  • A new UDM module settings/ldapschema has been implemented for registration and replication of LDAP schema extensions (Bug 32412).
  • A new UDM module settings/ldapacl has been implemented for registration and replication of LDAP ACL extensions (Bug 32411).
  • A new UDM module settings/udm_hook has been implemented for registration and replication of UDM hook extensions (Bug 32403).
  • A new UDM module settings/udm_syntax has been implemented for registration and replication of UDM syntax extensions (Bug 32406).
  • A new UDM module settings/udm_module has been implemented for registration and replication of UDM module extensions (Bug 32409).

6.7. Software deployment

6.7.1. Repository handling

  • If a local repository is created, instructions are provided to disable Secure Apt. This message has been simplified and corrected (Bug 24808).
  • A locally required and mirrored component from a separate repository in some cases blocked the update of the local repository. This has been changed to now always update the local repository as soon as a new release is available. The condition is still checked by each host individually (Bug 31060).
  • The pre- and post-updater scripts of locally mirrored, but disabled components are now also retrieved (Bug 30756).
  • On a local repository server a repository policy no longer sets the source server to itself (Bug 31426).
  • When un-installing the package univention-debmirror the apache2 site /etc/apache2/sites-enabled/univention-repository will now be disabled (Bug 29262).
  • The Univention Configuration Registry variable descriptions in univention-updater have been revised (Bug 30943).
  • The updater scripts preup.sh and postup.sh are digitally signed from UCS version 3.2-0 onwards. Both updater and mirror will refuse to download them if they are not signed by any PGP key stored in trust-ring of apt-key. The verification can be disabled using the Univention Configuration Registry variables repository/online/verify and repository/mirror/verify (Bug 28045).
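
Added example, not part of the original release notes or of Univention's code: a small audit that flags systems on which signature verification of preup.sh and postup.sh has been switched off through the two variables named above. It assumes the `key: value` text form printed by `ucr dump` and the usual UCR spellings of a false value; the function names and the sample dump are constructed for illustration.

```shell
#!/bin/sh
# Audit the UCR settings that control signature verification of the
# updater scripts. Input is text in "key: value" form (assumed to match
# the output of `ucr dump`), so the check also works on collected dumps.

# Constructed sample input; on a UCS host use: "$(ucr dump)"
SAMPLE_DUMP='ldap/server/port: 7389
repository/online/verify: yes
repository/mirror/verify: no'

# Spellings treated as "false" are an assumption of this example.
is_false_value() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        no|false|0|disable|disabled|off) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the value of variable $1 from a dump on stdin (empty if unset).
# The match is anchored on "key: " so a longer key name never matches.
ucr_value() {
    awk -v key="$1" '
        index($0, key ": ") == 1 { print substr($0, length(key) + 3); exit }
    '
}

# Report both variables for the dump in $1.
# Return code = number of variables that disable verification.
audit_updater_verification() {
    dump=$1
    findings=0
    for var in repository/online/verify repository/mirror/verify; do
        value=$(printf '%s\n' "$dump" | ucr_value "$var")
        if [ -z "$value" ]; then
            echo "OK       $var is unset (default applies)"
        elif is_false_value "$value"; then
            echo "FINDING  $var=$value: preup.sh/postup.sh signatures are not verified"
            findings=$((findings + 1))
        else
            echo "OK       $var=$value"
        fi
    done
    return "$findings"
}

# Stand-alone run on the constructed sample.
audit_updater_verification "$SAMPLE_DUMP" || echo "findings: $?"
```

A non-zero result on a repository server matters most, because a mirror that skips verification passes unverified scripts on to every host that updates from it.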

6.7.2. Software deployment command line tools

  • The Univention Configuration Registry variable descriptions in univention-maintenance have been revised (Bug 30943).

6.7.3. Software monitor (univention-pkgdb)

  • The Software monitor module has been thoroughly revised (Bug 30967, Bug 29655, Bug 24360, Bug 24633, Bug 9706, Bug 28787, Bug 28804, Bug 29610).
  • The Univention Configuration Registry variable descriptions in univention-pkgdb have been revised (Bug 30948).
  • Unjoin scripts have been added to the packages univention-pkgdb, univention-management-console-module-pkgdb, and univention-pkgdb-tools. The unjoin scripts remove the service entry from the server object and the DNS service entry and undo the UMC module registration (Bug 32492).

6.8. Univention Library

  • The function call_joinscript() has been modified. The start and end of every executed join script will be displayed on console (Bug 29263).
  • The generation of internally used passwords (e.g. machine passwords) has been unified. Several packages now use a special function from shell-univention-lib or python-univention-lib to create such passwords. The length and complexity can be configured via the Univention Configuration Registry variables machine/password/length and machine/password/complexity (Bug 31281).
  • The functions getLDAPURIs and getLDAPServersCommaList have been added to the Python lib, which return all configured LDAP servers (Bug 19753).
  • Added UMCConnection to the Python lib, previously part of the App Center (Bug 31058, Bug 31908).
  • PackageManager now checks the installation status correctly (Bug 31261).
  • The Univention Configuration Registry variable descriptions in univention-lib have been revised (Bug 30943).
  • Two new functions ucs_registerLDAPExtension and ucs_unregisterLDAPExtension have been implemented (Bug 32392, Bug 26785, Bug 32643, Bug 32663).
  • Two function comments were fixed (Bug 28714).
  • The function ucs_isServiceUnused now always searches in the LDAP directory of the DC master and uses proper LDAP bind credentials (Bug 32578).
  • Several functions of univention-ipcalc6 to compute DNS names have been moved to the new Python module univention.ipcalc (Bug 32931).
  • The function ucs_removeServiceFromHost was made idempotent and can now also be used when the service does not exist (Bug 33138).

6.9. System services

6.9.1. DHCP

  • The Univention Configuration Registry variable descriptions in univention-dhcp have been revised (Bug 30948).

6.9.2. DNS

  • The file containing the cached DNS zone is now also deleted upon zone deletion (Bug 16270).
  • The Univention Configuration Registry variable descriptions in univention-bind have been revised (Bug 30948).
  • Various bind config files are now created with the correct permissions, regardless of the umask settings (Bug 33157).

6.9.3. Cyrus

  • The Univention Configuration Registry variable mail/cyrus/imap/duplicatesuppression (default: yes) has been added to univention-mail-cyrus. If set to yes, lmtpd will suppress delivery of a message to a mailbox if a message with the same message-id (or resent-message-id) has already been delivered to the mailbox (Bug 22429).
  • A new Univention Configuration Registry template /var/lib/cyrus/db/DB_CONFIG for the cyrus bdb configuration has been added. This template is registered to UCR variables with the prefix mail/cyrus/bdb/dbconfig/. All these variables, without the prefix, and the values are written to the DB_CONFIG file. Default settings for the DB_CONFIG file are:
    mail/cyrus/bdb/dbconfig/set_lg_regionmax="2097152"
    mail/cyrus/bdb/dbconfig/set_cachesize="0 2097152 1"
    (Bug 28464)
  • The listener module for the management of IMAP mailboxes has been revised. Only if the attribute mailHomeServer is set at a user object, the mailbox is created. If the mailHomeServer attribute is removed from a user object, the mailbox will be deleted (Bug 29605).
  • The Cyrus configuration now uses the LDAP servers configured through the Univention Configuration Registry variable ldap/server/addition too (Bug 19753).
  • The PAM module pam_univentionmailcyrus now supports multiple LDAP servers (Bug 19753).
  • The Univention Configuration Registry variable descriptions in univention-mail-cyrus and univention-mail-cyrus-murder have been revised (Bug 30945).
  • The Univention Configuration Registry variables mail/cyrus/ssl/cafile and mail/cyrus/ssl/capath have been added to configure the Cyrus CA certificates (Bug 28123).

6.9.4. Postfix

  • The new Univention Configuration Registry variable mail/postfix/smtpd/debug has been added to configure whether the smtpd should be started in debug mode (Bug 29593). The Univention Configuration Registry variables mail/postfix/ssl/cafile and mail/postfix/ssl/capath have been added to configure smtpd CA certificates (Bug 28124). The Univention Configuration Registry variable mail/postfix/smtpd/banner has been added to configure the SMTP greeting banner (Bug 32444).
  • The Postfix configuration now also uses the LDAP servers configured through the Univention Configuration Registry variable ldap/server/addition (Bug 19753).
  • An unjoin script for univention-mail-server has been added (Bug 32454).
  • The Univention Configuration Registry variable descriptions in univention-mail-postfix have been revised (Bug 30945, Bug 24715).

6.9.5. Spam/virus detection and countermeasures

  • The Postfix configuration is now reloaded after installation of univention-antivir-mail (Bug 17967).
  • The Univention Configuration Registry variable descriptions in univention-antivir-mail, univention-postgrey, and univention-spamassassin have been revised (Bug 30945, Bug 30900, Bug 31072).
  • The licensing information of the initial virus definitions shipped in univention-antivir-mail has been updated (Bug 31332).

6.9.6. Printing services

  • A Samba printers configuration file is now always created, not only if the client driver is activated, the Samba name is set or ACLs are defined (Bug 30432).
  • New configuration directive in the Univention Configuration Registry template of the CUPS configuration: ErrorPolicy can be set with the Univention Configuration Registry variable cups/errorpolicy. The change will be applied to all printers (Bug 28877). The SystemGroup parameter has changed. System groups are now separated by a blank character and not by a comma in cupsd.conf. The Univention Configuration Registry variable must remain a comma separated list though (Bug 28884).
  • The join script was fixed in setups with selective replication (e.g. UCS@school) (Bug 19101).
  • The output of univention-lpadmin now includes the output of lpadmin (Bug 17660).
  • Modified and improved checking for disabled printers in univention-check-printers (Bug 28558). Package dependencies to univention-printserver and bsd-mailx have been added (Bug 29123).
  • A join script has been added to univention-printquota to create the domain service PrintQuota (Bug 23884). Added a popup message in case of editing print quota without the service being present (Bug 29001).
  • Added support for denying client access based on IP addresses, configurable via Univention Configuration Registry variable cups/printmode/hosts/none. This functionality is needed for UCS@School (Bug 32055).
  • The Univention Configuration Registry variable descriptions in univention-printserver, univention-check-printers, univention-printclient and univention-printquota have been revised (Bug 30948, Bug 22544, Bug 30943).
  • When changing a printer, the file /etc/samba/printers.conf is refreshed directly (Bug 31764).
  • Unjoin scripts have been added to the packages univention-printserver and univention-printquota. The unjoin scripts remove the service entry from the server object and the default Univention Configuration Registry variables (Bug 32452).
  • The property Use Windows client driver has been removed from the printer shares. During update the corresponding LDAP attribute will be removed on all printers hosted by the updated server, which in turn will remove the corresponding Samba option from the local printer share definitions. The Samba option is not required any longer because the print spool code has been updated in the new Samba version (Bug 31624, Bug 32669).

6.9.7. Kerberos

  • Heimdal Kerberos has been updated to version 1.6 (Bug 32195). Various packages have been rebuilt (Bug 32438). The package pam-krb5-migrate has been updated to 0.0.10-1 (Bug 32438).
  • The ownership of /usr/share/univention-heimdal/check_cracklib.py has been fixed (Bug 22926).
  • The Univention Configuration Registry variable descriptions in univention-heimdal have been revised (Bug 30943).
  • The process kpasswdd is now only started on the master domain controller (Bug 20167).

6.9.8. Proxy services

  • Proxy NEGOTIATE authentication support has been added to univention-squid. In this mode the authenticator squid_ldap_ntlm_auth is a negotiate wrapper for either Kerberos or NTLM over negotiate. The previous negotiate authenticator setting can be restored by setting the Univention Configuration Registry variable squid/krb5auth/tool to /usr/lib/squid3/squid_kerb_auth (Bug 31972).
  • Fixed a regression in group authentication if the Univention Configuration Registry variable squid/auth/allowed_groups was not set (Bug 30969).
  • When using NTLM authentication, it is now checked if the user account is locked or disabled (Bug 29492).
  • A problem in the NTLM authentication helper in interaction with Office 2013 has been fixed (Bug 32183).
  • The Univention Configuration Registry variable descriptions in univention-squid and univention-dansguardian have been revised (Bug 30948).
  • The package univention-squid-kerberos does not depend on univention-samba4 anymore. In addition, the join script 98univention-squid-samba4.inst now correctly saves its status when not in a Samba 4 environment (Bug 32011).
  • The join script of the package univention-squid-kerberos failed on Samba 3 DC slaves in a Samba 3/Samba 4 mixed environment. This bug has been fixed (Bug 32186).
  • An unjoin script has been added to the package univention-squid. The unjoin script removes the PROXY service from the server object and the default Univention Configuration Registry variables (Bug 32447).

6.9.9. Apache

  • The Univention Configuration Registry variable descriptions in univention-apache have been revised (Bug 30948).
  • The package univention-apache now ships the file /var/www/ucs-overview/languages.json, which contains available server languages and can be controlled by Univention Configuration Registry variables ucs/server/languages/* (Bug 32677).
  • The Univention Configuration Registry variable umc/server/languages/.* has been renamed to ucs/server/languages/.*. Existing user-defined variables are adopted during the package update (Bug 32678).

6.9.10. Nagios

  • The default value for the Univention Configuration Registry variable nagios/server/checkexternalcmd has been changed to yes (Bug 29839).
  • The Univention Configuration Registry variable descriptions in univention-nagios have been revised (Bug 30944).
  • The univention-nagios-server join script will append a NAGIOS service entry to the LDAP object of the host which is joining. Additionally, an unjoin script for univention-nagios-server has been added (Bug 32453).

6.9.11. SSL

  • The Univention Configuration Registry variable descriptions in univention-ssl have been revised (Bug 30943).

6.9.12. NFS

  • The start script for the NFS server has been synchronised with the upstream version to support newer Linux kernels and start all services needed for the PXE installer to work (Bug 32228).
  • The Univention Configuration Registry variable descriptions in univention-nfs have been revised (Bug 30948).
  • NFSv4 is now activated by default in UCS 3.2. Shares are accessible by clients depending on their capabilities. To disable NFSv4 support the Univention Configuration Registry variable nfs/nfsd/nfs4 can be set to false (Bug 21556).
  • The /etc/default/nfs-common option NEED_GSSD is now configurable with the UCRV nfs/common/gssd, which defaults to yes (Bug 21556).
  • The /etc/default/nfs-common option NEED_IDMAPD is now configurable with the UCRV nfs/common/idmapd, which defaults to yes (Bug 21556).

6.9.13. PAM / Local group cache

  • The Univention Configuration Registry variable nssldap/nss_srv has been added to specify whether or not libnss-ldap is allowed to perform DNS SRV record lookups (Bug 30779).
  • The Univention Configuration Registry variable descriptions in univention-pam have been revised (Bug 30943).
  • Added a test in the postinst script of libnss-ldap to prevent the override of libnss-ldap.secret if it is a link (Bug 30779).
  • The tool ldap-group-to-file.py now supports postrun hooks located in /var/lib/ldap-group-to-file-hooks.d/. This allows scripts to be executed after group memberships have changed (Bug 32581).

6.9.14. Other services

  • Create empty PostgreSQL configuration files during package removal so that PostgreSQL can be reinstalled later (Bug 27786). The PostgreSQL configuration file /etc/postgresql/pam_ldap.conf now uses the univention Python lib to generate the LDAP URI (Bug 19753).
  • Restart PostgreSQL in the postinst script of univention-bacula (Bug 27786).
  • The rotation of machine passwords is performed in intervals of days configurable through the Univention Configuration Registry variable server/password/change. The date is now calculated relative to the date of the last password change instead of being relative to the start of the current year (Bug 31068).
  • The welcome message for SSH is now shown through motd. It is only displayed if the message from appliance mode isn't enabled. It can be disabled by setting the Univention Configuration Registry variable sshd/motd to false (Bug 31096). The new Univention Configuration Registry variable sshd/banner can be used to configure a banner display for SSH logins.
  • By default the MySQL server package does not set a password for the MySQL root user during a non-interactive installation. With this update the MySQL package sets a password and writes the password to /etc/mysql.secret. This file can be read by root. If a password is already set, nothing will be done (Bug 19354).
  • The performance of univention-mount-homedir was improved to reduce server load during concurrent logins. The logging was cleaned up (Bug 31256).

6.10. Virtualisation

6.10.1. Univention Virtual Machine Manager

  • The context menu on the devices page of active VMs no longer disappears when the mouse is moved (Bug 29261).
  • The Univention Configuration Registry variable descriptions in univention-virtual-machine-manager-node and univention-virtual-machine-manager-daemon have been revised (Bug 30949).
  • Creating snapshots of suspended virtual machines is now prevented (Bug 23436). To fix the ordering of snapshots, their creation time is now displayed in ISO 8601 format (Bug 29901).
  • Virtual machines can now be shut down gracefully with 'ACPI power off' and 'Xen shutdown' (Bug 21397).
  • The code was cleaned up (Bug 30897, Bug 32091).
  • Various menu labels and translations have been updated (Bug 31947, Bug 22377).
  • The profile of a virtual machine can be selected in a drop-down box (Bug 24774).
  • Comments for a virtual machine can now be entered in a multi-line textbox (Bug 32044).
  • The values entered for the memory size and storage volumes are now validated in the frontend (Bug 27778).
  • The dialog for editing network interfaces now correctly starts with the current values. Multicast MAC addresses are now detected and rejected (Bug 30806).
  • New domains are now created on the selected virtualization server by default (Bug 24579).
  • The storage pool handling has been overhauled and now better supports different storage pools. In particular, a bug has been fixed which could result in the wrong storage volume being deleted when multiple storage pools were used (Bug 32098). When creating a new storage volume, the available storage size is shown for each storage pool and a warning is printed if the size for a new storage volume exceeds the available size in the storage pool (Bug 19281).
  • Profiles for UCS 3.0 are no longer created. Instead profiles for UCS 3.2 are provided (Bug 32261).
  • An unjoin script has been added. The unjoin script removes the UVMM service from the server object and removes the default Univention Configuration Registry variables (Bug 32449).
  • The Java based VNC viewer has been replaced by noVNC, a JavaScript and HTML5 based VNC client (Bug 30540).

6.10.2. Xen

  • The Xenstore TDB file is now correctly removed with every reboot (Bug 28309).
  • The Univention Configuration Registry variable descriptions in univention-xen have been revised (Bug 30949).
  • CD-ROM media changes are now also supported with Xen HVM domains (Bug 23394).
  • An obsolete dependency has been removed in univention-xen (Bug 31373).
  • An unjoin script has been added. It removes the Xen service from the server object and removes the default Univention Configuration Registry variables (Bug 32450).
  • The GPLPV drivers were updated to version 0.11.0-372 (Bug 29456).

6.10.3. QEMU/kvm

  • QEMU was upgraded to version 1.1.2+dfsg-6 (Bug 29849).
  • The VirtIO drivers were updated to version 0.1-65 (Bug 27717).
  • An unjoin script has been added to the package. It removes the KVM service from the server object and removes the default Univention Configuration Registry variables (Bug 32448).

6.11. Desktop packages

  • univention-x-core no longer depends on the package univention-gdm, but recommends it (Bug 31004).
  • The Univention Configuration Registry variable descriptions for univention-gdm, univention-kde, univention-mozilla-firefox, univention-ooffice2 and univention-x-core have been revised (Bug 30944).
  • The installation package for the Flash plugin (univention-flashplugin) was removed. The base desktop in UCS is provided for accessing the web-based management tools of UCS, for which Flash isn't needed. Existing plugins from a previous installation should be removed manually: /usr/lib/flashplugin-nonfree (Bug 31852).

6.12. Services for Windows

6.12.1. Samba 3

  • The Samba packages have been updated to version 4.1.0. The file server component is provided by the package samba as usual (Bug 31698, Bug 32789).
  • Samba 3 now supports quota on XFS file systems (Bug 31210).
  • The Winbind init script did not ensure that the daemon actually got stopped. This could lead to a non-running Winbind daemon after the server password change. This issue has been fixed (Bug 31289).
  • The file /etc/samba/shares.conf is now updated directly after changing a share (Bug 29399).
  • The Univention Configuration Registry variable descriptions in univention-samba have been revised (Bug 30948, Bug 32049).
  • The Univention Configuration Registry variables windows/wins-server and windows/wins-support are now set in the Samba join script (Bug 31814, Bug 32745).
  • The Univention Configuration Registry variable samba/max_protocol has been renamed to samba/max/protocol (Bug 31921).
  • An unjoin script has been added to the package univention-samba. It removes the Samba 3 service from the server object and removes the default Samba UCR variables (Bug 32445).
  • New Samba 3 installations now use SMB2 as the maximum supported SMB protocol. On updated systems NT1 is still used (Bug 32394).
  • The support for the ldap filter parameter has been removed (Bug 32223).

6.12.2. Samba 4

  • The Samba packages have been updated to version 4.1.0. The components providing Active Directory compatible domain services are now provided by the package samba-ad-dc. The file server component is provided by the package samba as usual (Bug 31698, Bug 33338).
  • The name server process is no longer restarted after each Samba 4 restart (Bug 30543).
  • The Univention Configuration Registry variables windows/wins-server and windows/wins-support are now initialised during the join (Bug 30813, Bug 32745).
  • Samba 4 now supports quota on XFS file systems (Bug 31234).
  • The Univention Configuration Registry variable descriptions in univention-samba4 have been revised (Bug 30948). The unused Univention Configuration Registry variables samba/client_use_spnego and samba/time_server have been removed (Bug 26389).
  • Joining into a new samba4/join/site without Samba 4 on the master domain controller now respects the chosen samba4/dc (Bug 30792).
  • The script sysvol-sync.py now preserves timestamps (Bug 30823).
  • The script sysvol-cleanup.py moved the policy definitions away. Now it considers only GPO paths (Bug 31186).
  • The periodic refresh of sysvol fACLs for the group Authenticated Users can now be disabled with the new Univention Configuration Registry variable samba4/sysvol/sync/setfacl/AU (Bug 31271, Bug 31275).
  • Samba 4 domain controllers are now added to the group Enterprise Domain Controllers by default during initial join (Bug 31437).
  • The listener module samba4-idmap now also works in case smb.conf includes files readable only for root (Bug 31538).
  • Fixed file permissions of /var/lib/samba/ntp_signd (Bug 31109).
  • To minimise the time where /etc/samba/shares.conf includes non-existing files, it is now updated directly after a share was added/removed or renamed (Bug 31800).
  • In case a Samba 4 service is detected in the domain during join, UCS LDAP servers now take care that they are not registered with port 7389 in the _ldap._tcp SRV DNS record. If such entries are already present, they will be removed automatically during the update (Bug 29462).
  • Support for the Univention Configuration Registry variable samba/max/protocol has been added (Bug 31145). New Samba 4 installations now use SMB2 as the maximum supported SMB protocol. On updated systems NT1 is still used (Bug 32394).
  • Samba 4 domain controllers are now configured to use the local KDC (Bug 29291).
  • The configuration file /etc/krb5.conf will get committed from the updated UCR template on update (Bug 31306).
  • In some cases the sysvol ownership was not yet updated correctly after the installation or join of univention-samba4. This is now detected and fixed during updates and new installations (Bug 31640).
  • In some cases the join of a Samba domain controller results in a conflicted host account. To prevent this issue, the univention-samba4 join script waits until the host account was replicated to the S4 connector host through the DRS replication (Bug 32257).
  • An unjoin script has been added to the package univention-samba4. It removes the Samba 4 service from the server object and removes the default Samba UCR variables (Bug 32446).
  • During the update to UCS 3.2 the local Samba 4 DC is added to the group Enterprise Domain Controllers (Bug 31572).
  • The Samba 4 directory /var/lib/samba is now cleaned up during the rejoin of the system (Bug 32595).
  • The Samba 4 daemon will now be restarted during the server password rotation (Bug 32468).
  • A configuration for the default idmap config * has been added to the Samba 4 configuration. The new default can be overwritten via /etc/samba/local.conf (Bug 32376).
  • The default Samba 4 groups are now created in the Samba 4 join script or during the initial synchronisation of the S4 connector (Bug 32461).
  • A traceback has been fixed in the script purge_s4_computer.py, which could occur if a DC was removed from a Samba 4/AD site (Bug 30763).
  • The Sysvol synchronisation is now only started after the Samba 4 join scripts are finished (Bug 29662).
  • The default Samba 4 well known security principals are now created as groups in OpenLDAP to allocate a gidNumber for these principals (Bug 29000, Bug 33234).
  • Special groups (well known security principals) are now registered in idmap.ldb as ID_TYPE_BOTH (Bug 33129).
  • Previously the Sysvol share was restricted to the group Authenticated Users. Now it is possible for users with the primary group Domain Admins to create and to modify GPOs (Bug 30999).
  • The default for the Univention Configuration Registry variable samba/max_open_files is now raised to 32786 (Bug 32221).
  • The script create_spn_account.sh now also sets the saltPrincipal attribute, ensuring compatibility with kinit (Bug 32291).
  • A missing shell include was fixed in setup-s4.sh (Bug 31106).
  • A couple of checks for the Univention Configuration Registry variable samba4/service/smb have been fixed (Bug 30968).
  • The obsolete script create_dns-host_spn.py has been removed (Bug 28371).

6.12.3. Univention S4 Connector

  • The attribute sambaMaxPwdAge can be set to -1 in OpenLDAP. This will now be mapped to 0 in Samba 4 since -1 is not allowed for the attribute maxPwdAge (Bug 29775).
  • The Univention Configuration Registry variable descriptions in univention-s4-connector have been revised (Bug 30948).
  • Logging of add and modify operations against the Samba 4 directory has been improved, especially in the case of a traceback (Bug 31133).
  • The displayName attribute definition has been moved from post_attributes to attributes in the user mapping definition. This increases the synchronisation performance (Bug 32323).
  • If the LDAP connection was closed, the connector now tries to re-open the LDAP connection automatically (Bug 32274).
  • To improve synchronisation performance the group mapping now uses setobjects instead of list objects (Bug 32276). Also, a separate SID compare function has been added which considers the SID coding in Samba 4. This increases the synchronisation performance, since the SID will only be set if it differs (Bug 32322).
  • Some internal operations have been optimized to prevent endless synchronisations in large environments (Bug 32213).
  • A cast from string to long has been added while synchronising time values (Bug 32329).
  • An unjoin script has been added to the package univention-s4-connector. It removes the S4 Connector service from the server object and removes the default S4 Connector UCR variables (Bug 32451).
  • The synchronisation of Samba 4 password change timestamps now correctly considers the local timezone variables (Bug 32227).
  • A server password change script has been added. The S4 connector will be restarted in case it uses the machine account (Bug 32529).
  • The S4 connector now considers the scenario that an object was moved to a position which is not replicated to this server. This is for example the case in UCS@school (Bug 32542).
  • The S4 connector no longer synchronises the password for Slave PDC DCs from Samba 4 to OpenLDAP. This prevents a synchronisation loop in some selective replication scenarios (Bug 32690).
  • The S4 connector no longer synchronises rejected objects before the initialization phase is complete (Bug 32852).
  • The S4 connector can now synchronise the different group types (local, domain local, global and universal) if the Univention Configuration Registry variable connector/s4/mapping/group/grouptype is set to true. By default this is activated for new UCS 3.2 installations only. All other systems have to be migrated manually (Bug 32768, Bug 29486, Bug 33121).
  • The S4 connector now always logs the name of reject files, simplifying problem analysis (Bug 32262).
  • The univention-ad-takeover script now runs a consistency check on the samba database at the end of the takeover process (Bug 33339).

6.12.4. Univention Active Directory Connector

  • Additional hints are shown during the configuration wizard about possibilities to configure DNS resolution for the required fully qualified domain name of the Windows server (Bug 24903).
  • The download site has been integrated into the UCS Active Directory Connector UMC module (Bug 32698).
  • The internal escaping of values has been improved (Bug 31990).
  • The Univention Configuration Registry variable descriptions in univention-ad-connector have been revised (Bug 30948).
  • A join and an unjoin script have been added to the package univention-ad-connector. The join script adds the AD Connector service to the server object and the unjoin script removes the service (Bug 32455).
  • The AD connector can now synchronise the different group types (domain local, global and universal) if the Univention Configuration Registry variable connector/ad/mapping/group/grouptype is set to true. By default this is activated for new UCS 3.2 installations only. All other systems have to be migrated manually (Bug 32769).

6.13. UCS test framework

  • A test has been added to check if the Administrator user may execute univention-directory-manager users/user list --filter uid=Administrator (Bug 30116).
  • A test case for univention-dnsedit has been added (Bug 31104).
  • A test case for the server password change has been added (Bug 31295).
  • The function user_create from the internal test framework now checks whether the mail domain exists or not. If the mail domain for the local domain does not exist the user is created without a mail address (Bug 31296).
  • The test case for validating that groupname LDAP locking objects are removed properly will not be executed on DC slaves anymore (Bug 11417).
  • ucs-test exited with a traceback if files without hash bang (like .png or .xml) have been found by ucs-test within the test script directories. To prevent the traceback, the existing check for known non-test files has been fixed and the list of known non-test file suffixes has been updated (Bug 32554).
  • The Univention Configuration Registry variables tests/domainadmin/account, tests/domainadmin/pwd and tests/domainadmin/pwdfile have been added. They can be used to configure which domain administrator credentials ucs-test should use when running tests (Bug 31250).
  • The connector tests have been reordered to avoid a connector restart for every test (Bug 31677).
  • The different return codes of ucs-test have been merged (Bug 31734).
  • New functions have been added to get a better support of non DC-master systems, for example udm-test or wait_for_replication. The existing test cases have been adapted (Bug 31687, Bug 31678, Bug 31679, Bug 31680, Bug 32025, Bug 32797).
  • The Winbind test has been improved to work more reliably on UCS memberservers in Samba 4 domains (Bug 31772).
  • Now there is a test block samba-common for tests that are common to Samba versions 3 and 4. The robustness against DRS and rsync replication delays has been improved in some tests (Bug 28343, Bug 28348, Bug 29057, Bug 29058, Bug 29062).
  • The Samba3 join test has been removed (Bug 31835).
  • Samba 4 NTACL tests have been improved (Bug 29230).
  • The tests for Samba share permissions have been improved (Bug 29054).
  • The Samba test case for creating spn accounts has been improved (Bug 32778).
  • Under certain circumstances Samba 3.6.8 reports a timeout for the unix password sync during password changes. Since the password change is successful nonetheless, two test cases have been adjusted to tolerate this flaw (Bug 29052, Bug 29053, Bug 31794).
  • Several UDM test cases have been added (Bug 31652, Bug 31653, Bug 31654, Bug 31655, Bug 31656, Bug 31658, Bug 31657, Bug 31659, Bug 31661, Bug 31660).
  • The tools import_ldif_with_listener, import_ldif_without_listener and an example customer LDIF with 5000 users and other objects have been added to ucs-test-tools (Bug 29418).
  • A test has been added to check if an app was successfully installed (Bug 31793).
  • The LDAP tests to check replication have been improved (Bug 27662, Bug 29337, Bug 31721, Bug 31722, Bug 32537, Bug 32795).
  • ucs-test now uses ucslint (Bug 28699).
  • Some corner cases are now handled better in ucs-test (Bug 31795).
  • For its duration, the test 16packages_default will disable the cron daemon (Bug 32006).
  • An improved test case for concurrent authenticated smbclient sessions is now available (Bug 26807, Bug 32715).
  • Improved test cases for Samba share and folder access permissions are now available (Bug 29056).
  • Performance test cases for large environments have been added to ucs-test (Bug 31695).
  • The package ucs-test-horde has been added. The test package creates users and tests the horde login (Bug 32230).
  • A Python wrapper for the UDM CLI has been added (Bug 30560).
  • Python child processes are started with unbuffered output by default (Bug 31819).
  • An internal ucs-test library for creating computer accounts now uses windows by default (Bug 32780).
  • The test case 44replication_binary has been modified in order to fulfill the requirements of the new UDM syntax for JPEG photos (Bug 32664).
  • The test case 00_base/47faillog_ssh-smb-krb has been disabled (Bug 19016).
  • A test for Samba printing has been added (Bug 29059).
  • The random_* functions from random.sh now encode timestamp information into the output to hopefully guarantee better uniqueness. Several unused and subtly broken functions have been removed (Bug 32793).
  • A test for the UMCP umc/object/policies command has been added (Bug 32271).

6.14. Other changes

  • univention-user-quota has been rewritten in Python. It now supports share names containing whitespace (Bug 30636, Bug 31957).
  • ocfs2-tools was updated to version 1.6.4 (Bug 28979).
  • The Univention Configuration Registry variable descriptions in univention-base-files, univention-system-info, univention-fetchmail, univention-server, univention-skel, univention-passwd-store and univention-quota have been revised (Bug 30943, Bug 30946, Bug 30945).
  • The drbd8 userland tools have been updated to version 8.4.3 (Bug 31321, Bug 32019).
  • The Univention Configuration Registry variable descriptions in univention-log-collector, univention-postgresql, univention-snmpd and univention-bacula have been revised (Bug 30948).
  • Shell escaping in univention-home-mounter has been fixed (Bug 19441).
  • Several spelling mistakes in various packages have been corrected (Bug 32662).
  • The following packages have been added to the maintained section of the software repository (Bug 31562, Bug 30888, Bug 31075, Bug 32175, Bug 32011, Bug 32196, Bug 32670, Bug 32693, Bug 32508): univention-squid-kerberos, libdbd-mysql, libjs-jquery, duplicity, librsync, libappconfig-perl, liblist-moreutils-perl, libparams-validate-perl, libdatetime-locale-perl, libclass-singleton-perl, libdatetime-timezone-perl, libdatetime-perl, libpg-perl, libemail-address-perl, librose-object-perl, libclass-factory-util-perl, libdatetime-format-strptime-perl, libdatetime-format-builder-perl, libdatetime-format-mysql-perl, libyaml-syck-perl, libdatetime-format-pg-perl, libsub-install-perl, libparams-util-perl, libdata-optlist-perl, libsub-exporter-perl, libsql-reservedwords-perl, librose-datetime-perl, libclone-pp-perl, libtime-clock-perl, librose-db-perl, libclone-perl, librose-db-object-perl, libappconfig-perl, libtemplate-perl, libxml-writer-perl, libyaml-perl, libclass-std-perl, libconfig-std-perl, libfcgi-perl, libjson-perl, libsub-name-perl, libclass-accessor-perl, libemail-date-format-perl, libemail-simple-perl, libemail-mime-contenttype-perl, libemail-mime-encodings-perl, libmime-types-perl, libemail-messageid-perl, libemail-mime-perl, libnet-smtp-ssl-perl, libnet-sslglue-perl, libscope-guard-perl, libdevel-globaldestruction-perl, libalgorithm-c3-perl, libclass-c3-perl, libmro-compat-perl, libtry-tiny-perl, libtask-weaken-perl, libpackage-stash-perl, libpackage-deprecationmanager-perl, libclass-mop-perl, libmoose-perl, libgetopt-long-descriptive-perl, libmoosex-getopt-perl, libhttp-server-simple-perl, libwww-mechanize-perl, libapp-nopaste-perl, libb-keywords-perl, libb-utils-perl, libdata-dump-streamer-perl, libdata-dumper-concise-perl, libfile-homedir-perl, libfile-next-perl, libpadwalker-perl, libdevel-caller-perl, libdevel-lexalias-perl, liblexical-persistence-perl, libmodule-refresh-perl, libmoosex-attributehelpers-perl, libmoosex-object-pluggable-perl, libvariable-magic-perl, libb-hooks-endofscope-perl, libsub-identify-perl, libnamespace-clean-perl, libio-string-perl, libppi-perl, libsys-sigaction-perl, libdevel-repl-perl, libtest-deep-perl, libclass-c3-xs-perl, libclass-xsaccessor-perl, libterm-readline-gnu-perl, libapache2-mod-fcgid, postgresql, php5-ldap, php-openid, lshw, p7zip-full, python-avahi, python-ldaptor, python-pyparsing, python-serial, python-sqlalchemy-ext, libconfig-file-perl, libapache2-mod-wsgi, python-docutils, python-pylons, python-tempita, python-weberror, python-webob, python-mako, python-nose, python-decorator, python-formencode, python-pastescript, python-pastedeploy, python-paste, python-beaker, python-webhelpers, python-routes, python-pygments, python-pyrad, python-netaddr, python-repoze.who, python-configobj, python-roman, python-webtest, python-markupsafe, python-setuptools, libjs-scriptaculous, libjs-prototype, php5-pgsql, php5-tidy, php5-xsl, apache2.
  • Unjoin scripts have been added to univention-mail-horde (Bug 32899).
  • The package univention-local-users has been removed (Bug 29835).

6.15. ucslint

  • Several ucslint tests that are only used for Univention internal development have been separated into the package ucslint-univention (Bug 26183).