UCS 4.0-4 Release Notes

Release notes for the installation and update of Univention Corporate Server (UCS) 4.0-4

Table of Contents

1. Release highlights
2. Notes on the update
2.1. Recommended update order for environments with more than one UCS server
2.2. UCS installation DVDs only available for 64 bit
3. Preparation of update
4. Postprocessing of the update
5. Further notes on selected packages
5.1. Collection of usage statistics
5.2. Scope of security support for WebKit, Konqueror and QtWebKit
5.3. Recommended browsers for the access to Univention Management Console
6. Changelog
6.1. General
6.2. Basic system services
6.2.1. Boot Loader
6.3. Domain services
6.3.1. OpenLDAP
6.3.2. Listener/Notifier domain replication
6.4. Univention Management Console
6.4.1. Univention Management Console web interface
6.4.2. Univention App Center
6.4.3. Univention Directory Manager UMC modules and command line interface
6.4.4. Basic settings / Appliance mode
6.4.5. Other modules
6.5. Software deployment
6.5.1. Software deployment command line tools
6.6. Univention base libraries
6.7. System services
6.7.1. Mail services
6.7.2. Spam/virus detection and countermeasures
6.7.3. SSL
6.7.4. Apache
6.7.5. PAM / Local group cache
6.7.6. RADIUS
6.8. Virtualization
6.8.1. Univention Virtual Machine Manager (UVMM)
6.9. Container Technologies
6.10. Services for Windows
6.10.1. Samba
6.10.2. Univention AD Takeover
6.10.3. Univention S4 Connector
6.11. Other changes

Chapter 1. Release highlights

With Univention Corporate Server 4.0-4, the fourth point release of Univention Corporate Server (UCS) 4.0 is now available. It provides various improvements and bugfixes especially in the areas of Active Directory compatibility, and the UCS management system. All security updates released for UCS 4.0-3 are included in this update.

Chapter 2. Notes on the update

During the update some services in the domain may not be available, so the update should take place in a maintenance window. It is recommended to test the update in a separate test environment prior to the actual update. The test environment should be identical to the production environment. Depending on the system performance, network connection and installed software, the update takes between 20 minutes and several hours.

2.1. Recommended update order for environments with more than one UCS server

In environments with more than one UCS system, the update order of the UCS systems must be borne in mind:

The authoritative version of the LDAP directory service is maintained on the master domain controller and replicated to all the remaining LDAP servers of the UCS domain. As the LDAP schema can change during release updates, the master domain controller must always be the first system to be updated during a release update.

2.2. UCS installation DVDs only available for 64 bit

Starting with UCS 4.0, installation DVDs are only provided for the x86 64 bit architecture (amd64). Existing 32 bit UCS 3 systems can still be updated to UCS 4.0 through the online repository or by using update DVDs. The 32 bit architecture will be supported for the entire UCS 4 maintenance period.

Chapter 3. Preparation of update

It must be checked whether sufficient disk space is available. A standard installation requires a minimum of 6 GB of disk space. Depending on the scope of the existing installation, the update will require about another 2 GB of disk space for downloading and installing all packages.

For the update, a login should be performed on the system's local console as user root, and the update should be initiated there. Alternatively, the update can be conducted using Univention Management Console.

Remote updating via SSH is not recommended, as the update procedure may be cancelled if, for example, the network connection is interrupted, which can affect the system severely. If the update is nevertheless performed over a network connection, it must be ensured that the update continues even when the network connection drops. This can be done, e.g., using the tools screen and at, which are installed on all system roles by default.
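As an added example that is not part of these release notes or of UCS itself, the following shell functions carry out the preparation described above: they check the free disk space against the figures given in this chapter and start the update inside a detached screen session so that a dropped SSH connection does not abort it. It assumes that univention-upgrade (the tool named in section 6.5.1) accepts the --noninteractive and --ignoressh options; the 8 GB threshold (6 GB base plus the roughly 2 GB the update needs) and the log path are choices of this example.

```shell
# Added example, not UCS code. Pre-flight disk check and disconnect-safe start
# of the release update, following Chapter 3. Run as root on the UCS server.

REQUIRED_GB=8                              # 6 GB base + ~2 GB for the update
UPDATE_LOG=/root/ucs-4.0-4-update.log      # assumed path, adjust as needed

# free_gb_from_df: read `df -Pk <path>` output on stdin and print the free
# space of that filesystem in whole GB (1 GB = 1048576 KB blocks).
free_gb_from_df() {
    awk 'NR == 2 { printf "%d\n", $4 / 1048576 }'
}

# space_ok REQUIRED_GB AVAILABLE_GB: succeed if AVAILABLE_GB >= REQUIRED_GB.
space_ok() {
    [ "$2" -ge "$1" ]
}

# start_update_detached [SESSION]: run the update inside a detached screen
# session so that losing the SSH connection does not kill it. Output is
# appended to UPDATE_LOG; reattach later with `screen -r SESSION`.
# Assumption: univention-upgrade supports --noninteractive and --ignoressh.
start_update_detached() {
    local session="${1:-ucs-update}"
    screen -dmS "$session" bash -c \
        "univention-upgrade --noninteractive --ignoressh 2>&1 | tee -a '$UPDATE_LOG'"
    echo "update running in screen session '$session', log: $UPDATE_LOG"
}

# main: check the root filesystem, then launch the update.
main() {
    local avail
    avail=$(df -Pk / | free_gb_from_df)
    if ! space_ok "$REQUIRED_GB" "$avail"; then
        echo "only ${avail} GB free on /, at least ${REQUIRED_GB} GB required" >&2
        return 1
    fi
    start_update_detached "$@"
}
```

Source the file and call main from the local console or an SSH session; the functions are deliberately not run on load.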

Chapter 4. Postprocessing of the update

Following the update, new or updated join scripts need to be executed. This can be done in two ways: Either using the UMC module Domain join or by running the command univention-run-join-scripts as user root.

Subsequently the UCS system needs to be restarted.

Chapter 5. Further notes on selected packages

5.1. Collection of usage statistics

Anonymous usage statistics on the use of Univention Management Console are collected when using the UCS Core Edition version of UCS (which is generally used for evaluating UCS). The modules opened are logged in an instance of the web traffic analysis tool Piwik. This makes it possible for Univention to tailor the development of Univention Management Console better to customer needs and carry out usability improvements.

This logging is only performed when the UCS Core Edition license is used. The license status can be verified via the menu entry License -> License information of the user menu in the upper right corner of Univention Management Console. If UCS Core Edition is listed under License type, this version is in use. When a regular UCS license is used, no usage statistics are collected.

Independent of the license used, the statistics generation can be deactivated by setting the Univention Configuration Registry variable umc/web/piwik to false.

5.2. Scope of security support for WebKit, Konqueror and QtWebKit

WebKit, Konqueror and QtWebKit are shipped in the maintained branch of the UCS repository, but are not covered by security support. WebKit is primarily used for displaying HTML help pages and the like. Firefox should be used as the web browser.

5.3. Recommended browsers for the access to Univention Management Console

Univention Management Console uses numerous JavaScript and CSS functions to display the web interface. Cookies need to be permitted in the browser. The following browsers are recommended:

  • Chrome as of version 33

  • Firefox as of version 24

  • Internet Explorer as of version 9

  • Safari and Safari Mobile as of version 7

Users with older browsers may experience display or performance problems.

Chapter 6. Changelog

Listed are the changes since UCS 4.0-3:

6.1. General

6.2. Basic system services

6.2.1. Boot Loader

  • A Secure Boot-signed version of GRUB has been added (Bug 39027).

6.3. Domain services

6.3.1. OpenLDAP

  • When using the MDB backend, the LDAP search erroneously returned the base object in some cases. This has been fixed (Bug 36343).
  • The confirmation prompt in non-interactive script univention-backup2master has been removed (Bug 38774).

6.3.2. Listener/Notifier domain replication

  • Any running Univention Directory Listener and Univention Directory Notifier are now forcefully terminated before the domain is joined (Bug 38756).
  • LDAP and Univention Directory Notifier connections now use the TCP keep-alive mechanism and timeouts consistently to detect stuck connections (Bug 34763).
  • A filter mechanism was added to the Univention Directory Listener to prevent certain objects from being stored to the local cache (Bug 38823).

6.4. Univention Management Console

6.4.1. Univention Management Console web interface

  • Some widgets now filter out values that are already selected and no longer offer them in a dialogue (Bug 37799).
  • UMC modules with long descriptions could overlap the borders of their box in the gallery. The text is now truncated (Bug 39319).
  • It is now easier to find information for creating custom attributes (Bug 39234).
  • If a restart of the UMC components is required, the dialogue to ask for a page reload doesn't pop up (Bug 39578).

6.4.2. Univention App Center

  • Support for UCR variable templates in App Center readme files has been added (Bug 38233).
  • The current App descriptions have been integrated into the App Center package (Bug 39316).

6.4.3. Univention Directory Manager UMC modules and command line interface

  • The mapping of syntax classes to UMC widgets is now extensible via the UCR variable group directory/manager/web/widget/.*/ (Bug 39041).
  • In some cases LDAP operations were performed against a broken LDAP connection, which led to "LDAP connection invalid" error messages. Such an operation is now retried with a new LDAP connection (Bug 38346).
  • The notification for successfully creating a user or computer now appears inside the wizard dialogue (Bug 38834).
  • Opening a user object is now faster (Bug 38190).
  • It is now easier to find information for creating custom attributes (Bug 39234).
  • In previous versions the user's display name was only set automatically during user creation; when the first name or last name was changed later on, the display name was not updated. Starting from this update, the display name is updated automatically upon a change of first or last name, provided it still holds the automatically generated default value. If the display name has been altered manually and does not match the default value, no automatic update is performed (Bug 38385).
  • A user's display name will only be set automatically if first or last name were changed (Bug 39292).
  • In some cases the automatic update of the attribute displayName caused tracebacks in the S4 Connector. The UDM module users/user has been updated to fix this traceback (Bug 39409).
  • It is not possible any longer to create a user with a user ID (uidNumber) which already exists as group ID (gidNumber) (and vice versa) (Bug 38796).
  • DNS TXT records are now shown via the UMC DNS module (Bug 25356).
  • This update corrects problems with multi-edit operations as well as create and edit operations for UCS systems that have joined an existing AD domain (Bug 39779).

6.4.4. Basic settings / Appliance mode

  • A timing issue in the univention-system-activation package that could occur when uploading a license has been fixed (Bug 39159).
  • The e-mail validation is now done by the system activation wizard page (Bug 39153).
  • A link has been added to skip the first system activation wizard page so the user has the opportunity to upload an existing license directly (Bug 39154).
  • The App Center notification has been fixed in the system activation wizard (Bug 39395).
  • The welcome screen init script now detects running instances and is not started while the installer is running (Bug 39137).

6.4.5. Other modules

  • An error that could occur while querying the process list has been fixed (Bug 39302).
  • A new diagnostic plugin has been added to check SSH connections to other UCS servers (Bug 38137).

6.5. Software deployment

6.5.1. Software deployment command line tools

  • The update scripts have been adjusted to UCS 4.0-4 (Bug 39711).
  • The command line tool univention-upgrade is now able to perform App updates (Bug 30417).

6.6. Univention base libraries

  • Joining a UCS system into a subdomain of an Active Directory forest failed with a Python traceback because of an unexpected reply to an LDAP search request. This issue has been fixed (Bug 37626).

6.7. System services

6.7.1. Mail services

  • The long wait for DH parameter generation during the first installation has been removed from the Dovecot package (Bug 38990).
  • DH parameters are no longer created at installation time. Pre-calculated DH parameters for 512 and 2048 bit are provided instead, and a one-time generation of fresh DH parameters is scheduled for the next day (Bug 37459).
  • The default of the UCR variable mail/postfix/cron/recreate/dh/parameter has been changed so that the DH parameters are not recreated every night. The cron job of existing installations is not changed (Bug 37459).
  • The activation of mail/postfix/policy/listfilter led to the mail server rejecting all emails. This has been fixed (Bug 39093).
  • A configuration error prevented Postfix from sending emails if Dovecot was also installed. Postfix's SMTP client now always uses the Cyrus SASL implementation (Bug 39151).
  • A configuration error in the Dovecot PAM stack that led to longer than usual authentication times against Postfix SMTP has been fixed. In some cases Postfix's authentication timeout was reached, resulting in authentication failures (Bug 39267).
  • The Dovecot server did not close its standard error file descriptor (Bug 39148).
  • The Dovecot logrotate configuration has been fixed (Bug 39130).
  • Dovecot now works internally with lowercase email addresses (Bug 39346).

6.7.2. Spam/virus detection and countermeasures

  • AMaViS is now configured to use the default log template; statistics tools such as logwatch work better with it (Bug 38915).
  • The UCR variable mail/antivir/amavis/debug/level can be used to set AMaViS' log level (Bug 38915).

6.7.3. SSL

  • Deleted SSL certificates are also deleted on DC backup servers (Bug 33870).

6.7.4. Apache

  • HTTP Strict-Transport-Security (HSTS) can be enabled and configured through the UCR variables apache2/hsts, apache2/hsts/max-age, and apache2/hsts/includeSubDomains. See their description for more details (Bug 37637).

6.7.5. PAM / Local group cache

  • The PAM script lock-user (automatic user lockouts) now sets the HOME environment variable before calling UDM to avoid problems with invalid HOME directories (Bug 39369).

6.7.6. RADIUS

  • Key expansion for DES encryption has been fixed (Bug 38785).
  • The file system permissions of the DH file on UCS slave servers have been fixed (Bug 38786).
  • Fault tolerance has been improved by trying all available LDAP servers (Bug 39039).

6.8. Virtualization

6.8.1. Univention Virtual Machine Manager (UVMM)

  • The VirtIO drivers for Windows have been updated to version 0.1.105 to fix a problem with broken driver signatures on Microsoft Windows Server 2012 (Bug 38655).

6.9. Container Technologies

  • The package upgrade no longer fails if the Docker daemon is not running (Bug 38549).
  • The Docker daemon is now started automatically at boot (Bug 38549).

6.10. Services for Windows

6.10.1. Samba

  • The Samba dlz_bind9 module did not handle zone reloads properly: the next request after a zone reload triggered a segmentation fault. As bind9 was then automatically restarted via runit, the crash went unnoticed in most cases. The zone reload has now been fixed (Bug 39139).
  • Microsoft Windows 2008 R2 Foundation raised an error pop-up after join. This issue has been fixed previously but the fix was not part of the last Samba package version (Bug 39254).
  • NetApp filer NAS devices joined to a Samba/AD DC failed to look up SIDs due to an issue in negotiating strong encryption for server authentication. This issue has been fixed previously but the fix was not part of the last Samba package version (Bug 39263).
  • Samba is now built with the embedded Heimdal code to avoid memory management issues with the external Heimdal libraries (Bug 39244).
  • The unattended Microsoft Windows sysprep join failed against Samba 4. This issue has been fixed (Bug 39079).
  • Under certain circumstances the Samba dlz_bind9 module crashed. This issue has been fixed (Bug 39362).
  • Error handling and logging has been improved in the SYSVOL sync script (Bug 38868).
  • A testparm error message about the UCS default for winbind separator has been relaxed to only issue a warning message (Bug 36581).
  • The ACL check in the SYSVOL sync script has been fixed (Bug 39511).

6.10.2. Univention AD Takeover

  • The DNS zones DC=DomainDnsZones and DC=ForestDnsZones are synchronized now (Bug 34184).

6.10.3. Univention S4 Connector

  • The DNS zones DC=DomainDNSZones and DC=ForestDNSZones are now synchronized; this is relevant in AD Takeover scenarios. For updated domains, this is not activated (Bug 34184).
  • The synchronization of SOA record changes back to UDM has been fixed (Bug 39040).
  • The package univention-ldb-modules has been rebuilt to match the new Samba version (Bug 39275).
  • The S4 Connector failed to start if more than 1000 search results were returned by Samba 4 (Bug 39673).

6.11. Other changes

  • Incorrect quotation marks have been removed from /etc/lsb-release (Bug 37725).
  • The message digest, encryption and key exchange algorithms allowed by the SSH daemon can now be configured through the new UCR variables sshd/MACs, sshd/Ciphers, and sshd/KexAlgorithms (Bug 38609).
  • The insecure SSH protocols rsa1 and dsa have been disabled. They can be re-enabled through the new UCR variables sshd/Protocol and sshd/HostKey (Bug 38709).
  • The handling of UCR variable sshd/banner has been fixed (Bug 39166).
  • The program univention-openssh-recreate-host-keys now re-creates all host key files supported by SSH (Bug 38710).
  • The number of bits used when re-creating host keys can be overridden through UCR variables such as sshd/HostKey/rsa (Bug 38711).
  • The package lockfile-progs has been moved to maintained, as univention-base-files depends on it (Bug 39357).
  • The programs ntpd and ntpdate no longer collide with each other when started in short succession (e.g. while booting) (Bug 39299).
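An added check, not from the release notes or from UCS, for the SSH changes listed above: it audits an sshd_config for the settings this release disables (SSH protocol 1 with its rsa1 host key, and DSA host keys), so that re-enabling them through sshd/Protocol or sshd/HostKey is noticed during review. It assumes the standard OpenSSH host key file names (ssh_host_key for rsa1, ssh_host_dsa_key for DSA).

```shell
# Added example, not UCS code.
# sshd_legacy_findings [FILE]: scan an sshd_config (default: stdin) and print
# one line per directive that re-enables what UCS 4.0-4 disables: SSH protocol 1
# and the rsa1 / DSA host keys. Returns 1 if anything was found, 0 otherwise.
# Assumption: standard OpenSSH file names (ssh_host_key = rsa1, ssh_host_dsa_key).
sshd_legacy_findings() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }                  # skip comments and blank lines
        tolower($1) == "protocol" && $2 ~ /(^|,)1(,|$)/ {
            print "SSH protocol 1 enabled: " $0; bad = 1
        }
        tolower($1) == "hostkey" && $2 ~ /\/ssh_host_key$/ {
            print "rsa1 (protocol 1) host key configured: " $0; bad = 1
        }
        tolower($1) == "hostkey" && $2 ~ /_dsa_key$/ {
            print "DSA host key configured: " $0; bad = 1
        }
        END { if (bad) exit 1 }
    ' "${1:--}"
}

# audit_sshd: run the check against the live configuration, e.g. after changing
# sshd/Protocol or sshd/HostKey via UCR, and report the result.
audit_sshd() {
    if sshd_legacy_findings /etc/ssh/sshd_config; then
        echo "sshd_config: no legacy protocol or host key settings"
    else
        echo "sshd_config: legacy settings found, review the lines above" >&2
        return 1
    fi
}
```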