With Univention Corporate Server 4.0-2, the second point release of Univention Corporate Server (UCS) 4.0 is now available. It provides various improvements and bugfixes. An overview of the most important changes:
The Free for personal Use licence was replaced by the UCS Core Edition license. This allows the usage of UCS in commercial settings without charge. The upgrade of the licence is described in SDB 1324. Further information on the UCS Core Edition is provided on https://www.univention.com/products/prices/.
The container virtualization software Docker was added to UCS. This allows Docker containers to be run on UCS systems. First Docker images of UCS itself are also available. Further information is provided on http://wiki.univention.de/index.php?title=Docker.
For creating Apps a separate tutorial is now available.
An App installed on a remote system is now automatically configured by running its join scripts.
Several enhancements and bugfixes were made to the design and usability of the Univention Management Console.
A mode to install UCS systems unattended over the network was added.
The compatibility with Active Directory has been improved. This allows Windows 2008 R2 Foundation Servers to join the domain as a member server. In addition, a problem regarding the resolution of SIDs with NetApp Storage Systems has been fixed.
The web server Apache and mail server Postfix now support several additional settings related to encryption and other security related options. In addition to that several old cryptographic algorithms have been disabled by default.
During the update some services in the domain may not be available, i.e. the update should occur in a maintenance window. It is recommended to test the update in a separate test environment prior to the actual update. The test environment should be identical to the production environment. Depending on the system performance, network connection and the installed software the update takes between 20 minutes and several hours.
In environments with more than one UCS system, the update order of the UCS systems must be borne in mind:
The authoritative version of the LDAP directory service is maintained on the master domain controller and replicated on all the remaining LDAP servers of the UCS domain. As changes to the LDAP schemas can occur during release updates, the master domain controller must always be the first system to be updated during a release update.
If applications have been installed from the Univention App Center, the update can only be performed once all installed applications are available in a compatible version. Some applications are updated to newer versions during the update. If an application is not yet available for UCS 4.0, the release date can be obtained from the application vendor.
Starting with UCS 4.0, UCS installation DVDs are only provided for the x86 64 bit architecture (amd64). Existing 32 bit UCS 3 systems can still be updated to UCS 4.0 through the online repository or by using update DVDs. The 32 bit architecture will be supported over the entire UCS 4 maintenance.
It must be checked whether sufficient disk space is available. A standard installation requires a minimum of 6 GB of disk space. Depending on the scope of the existing installation, the update will require about another 2 GB of disk space for downloading and installing all packages.
For the update, a login should be performed on the system's local console as user root, and the update should be initiated there. Alternatively, the update can be conducted using Univention Management Console.
Remote updating via SSH is not recommended as this may result in the update procedure being cancelled, e.g., if the network connection is interrupted. In consequence, this can affect the system severely. If updating should occur over a network connection nevertheless, it must be verified that the update continues despite disconnection from the network. This can be done, e.g., using the tools screen and at. These tools are installed on all system roles by default.
Following the update, new or updated join scripts need to be executed.
This can be done in two ways:
Either using the UMC module univention-run-join-scripts as user root.
Subsequently the UCS system needs to be restarted.
The profile-based UCS network installation is available with UCS 4.0-2. Further details are described in [ext-doc-inst].
Anonymous usage statistics on the use of Univention Management Console are collected when using the UCS Core Edition version of UCS (which is generally used for evaluating UCS). The modules opened are logged in an instance of the web traffic analysis tool Piwik. This makes it possible for Univention to tailor the development of Univention Management Console better to customer needs and carry out usability improvements.
This logging is only performed when the UCS Core Edition license is used. The license status can be verified via the menu entry of the user menu in the upper right corner of Univention Management Console. If is listed under , this version is in use. When a regular UCS license is used, no usage statistics are collected.
Independent of the license used, the statistics generation can be deactivated by setting the Univention Configuration Registry variable umc/web/piwik to false.
WebKit, Konqueror and QtWebKit are shipped in the maintained branch of the UCS repository, but are not covered by security support. WebKit is primarily used for displaying HTML help pages etc. Firefox should be used as web browser.
Univention Management Console uses numerous JavaScript and CSS functions to display the web interface. Cookies need to be permitted in the browser. The following browsers are recommended:
Chrome as of version 33
Firefox as of version 24
Internet Explorer as of version 9
Safari and Safari Mobile as of version 7
Users with older browsers may experience display or performance problems.
Listed are the changes since UCS 4.0-1:
All security updates issued for UCS 4.0-1 are included:
ComplexInput widget (Bug 36539).
www.univention.de (Bug 37908).
localhost (Bug 37347).
umc/http/maxthreads (Bug 37851).
www.univention.de (Bug 37908).
PrinterURI syntax class (Bug 36711).
--policies option of UDM command line tool (Bug 21585).
ucr set directory/manager/web/modules/mail/domain/properties/name/syntax='string' (Bug 34552).
univention-license-check (Bug 38203).
sambadomain settings module (Bug 28331).
/var/log/univention/join.log (Bug 37489).
motd.setup before the system is fully configured (Bug 37129, Bug 38510).
system/setup/boot/fields/blacklist has been extended to disabling the selection of particular server roles (Bug 38116).
/var/log/univention/setup.log is now regularly flushed (Bug 38293).
setup-join.sh is called from the command line. All output is logged to STDOUT/STDERR (Bug 38332).
05_role/10role has been speeded up. It creates hard-links instead of copying packages into the dpkg cache (Bug 38393).
setup-join: run-parts now prints filenames (Bug 38332).
univention-add-app now prevents the installation of apps on the wrong server role (Bug 32543).
univention-user-quota (Bug 36805).
univention-group-quota (Bug 37134).
mail/localmailboxsizelimit and mail/messagesizelimit have been updated as 0 does not implement unlimited as previously mentioned (Bug 38061).
Additional arguments for smtpd processes may now be added via Univention Configuration Registry variables. The given arguments are automatically added to the configuration file /etc/postfix/master.cf. The following UCR variable prefixes are currently supported:
mail/postfix/mastercf/options/smtp/...
mail/postfix/mastercf/options/smtps/...
main.cf framework have been done for defining a custom restriction rule set via Univention Configuration Registry variables for Postfix' smtps port (465). There is currently no change in Postfix behaviour (Bug 38049).
mail/postfix/tls/client/exclude_ciphers and mail/postfix/smtpd/tls/exclude_ciphers and sets them by default to RC4, aNULL (Bug 38043).
mail/postfix/smtpd/tls/*protocols and mail/postfix/tls/client/*protocols (Bug 38044).
mail/postfix/smtpd/restrictions/sender/require_reverse_dns and mail/postfix/smtpd/restrictions/sender/require_forward-confirmed_reverse_dns for weaker and stricter reverse DNS checking respectively (Bug 38292).
/etc/machine.secret file for LDAP lookups in the join script (Bug 36861).
ldap/server/addition (Bug 37752).
ethX are now also added to the access control list (Bug 36623).
The configuration of the SSL/TLS support in Apache has been improved:
apache2/ssl/tlsv11 is set to true, Apache only accepts TLS 1.1 and TLS 1.2.
apache2/ssl/tlsv12 is set to true, Apache only accepts TLS 1.2.
apache2/ssl/compression.
apache2/ssl/ciphersuite.
apache2/ssl/honorcipherorder is set, the server choice of ciphers is used instead of the ciphers preferred by the TLS client.
Please refer to the Univention Configuration Registry variable descriptions for additional details (Bug 35456).
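The following check is an added example, not code from Univention: it audits the Apache protocol variables and the Postfix cipher exclusions described above. It assumes the input is "key: value" lines (the format assumed here for `ucr dump` output), that tlsv12 takes precedence when both Apache variables are set, and that the listed spellings count as true; the function names and the sample data are constructed for illustration.

```shell
# Added example, not Univention code. Reads "key: value" lines on stdin
# (assumed format of `ucr dump`) and prints one finding per check.
audit_ucs_tls() {
    awk '
    function truthy(v) {          # assumption: spellings UCR accepts as true
        return tolower(v) ~ /^(true|yes|1|on|enable|enabled)$/
    }
    function has_token(list, tok,    parts, n, i) {
        n = split(list, parts, /[ ,:]+/)
        for (i = 1; i <= n; i++) if (parts[i] == tok) return 1
        return 0
    }
    {
        p = index($0, ": ")       # first ": " separates key from value
        if (p > 0) val[substr($0, 1, p - 1)] = substr($0, p + 2)
    }
    END {
        # Apache, as stated in the notes: tlsv12 -> TLS 1.2 only,
        # tlsv11 -> TLS 1.1 and 1.2. Assumption: tlsv12 wins if both are set.
        if (truthy(val["apache2/ssl/tlsv12"]))
            print "OK apache2: TLS 1.2 only"
        else if (truthy(val["apache2/ssl/tlsv11"]))
            print "OK apache2: TLS 1.1 and 1.2 only"
        else
            print "WARN apache2: neither tlsv11 nor tlsv12 is set"
        # Postfix: the notes give RC4 and aNULL as the default exclusions,
        # so flag either list if one of the two has been dropped.
        keys[1] = "mail/postfix/smtpd/tls/exclude_ciphers"
        keys[2] = "mail/postfix/tls/client/exclude_ciphers"
        for (k = 1; k <= 2; k++) {
            miss = ""
            if (!has_token(val[keys[k]], "RC4"))   miss = miss " RC4"
            if (!has_token(val[keys[k]], "aNULL")) miss = miss " aNULL"
            if (miss == "") print "OK " keys[k]
            else print "WARN " keys[k] ": not excluded:" miss
        }
    }'
}

# Constructed sample input, not taken from a real system.
sample_dump() {
    cat <<'EOF'
apache2/ssl/tlsv11: true
umc/web/piwik: false
mail/postfix/smtpd/tls/exclude_ciphers: RC4, aNULL
mail/postfix/tls/client/exclude_ciphers: aNULL
EOF
}

sample_dump | audit_ucs_tls
```

On a UCS system the function would be fed from the registry instead of the sample, for example `ucr dump | audit_ucs_tls`.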
ucs/web/overview/entries/*/*/port_http and .../port_https (Bug 37566).
locale/keymap, which caused the join script to use en-us as default keyboard layout. This has been fixed (Bug 37551).
Windows Server 2008 R2 Foundation member server license check failed in Samba/AD domains (Bug 37687).
[ext-doc-inst] Univention GmbH. 2014. Extended installation documentation. https://docs.software-univention.de/installation-4.0.html.