UCS 4.1-3 Release Notes

Release notes for the installation and update of Univention Corporate Server (UCS) 4.1-3


Table of Contents

1. Release highlights
2. Notes on the update
2.1. Recommended update order
2.2. UCS installation DVDs only available as 64-bit variant
3. Preparing the update
4. Post-update steps
5. Notes on the use of individual packages
5.1. Collection of usage statistics
5.2. Scope of security support for WebKit, Konqueror and QtWebKit
5.3. Recommended browsers for accessing Univention Management Console
6. Changelog
6.1. General
6.2. Basic system services
6.2.1. Univention Configuration Registry
6.3. Domain services
6.3.1. OpenLDAP
6.3.1.1. LDAP ACL changes
6.3.1.2. Listener/Notifier domain replication
6.4. Univention Management Console
6.4.1. Univention Management Console web interface
6.4.2. Univention Management Console server
6.4.3. Univention App Center
6.4.4. Univention Directory Manager UMC modules and command line interface
6.4.5. Modules for system settings / setup wizard
6.5. Software deployment
6.6. Univention base libraries
6.7. System services
6.7.1. SAML
6.7.2. SSL
6.7.3. Proxy services
6.7.4. PAM / Local group cache
6.8. Virtualization
6.8.1. Univention Virtual Machine Manager (UVMM)
6.9. Container Technologies
6.10. Services for Windows
6.10.1. Samba
6.10.2. Univention S4 Connector
6.10.3. Univention Active Directory Connection
6.11. Other changes

§Chapter 1. Release highlights

Univention Corporate Server 4.1-3 is the third point release for Univention Corporate Server (UCS) 4.1. It comprises various detail improvements and bug fixes. The most important changes at a glance:

  • Various important security updates have been integrated into UCS 4.1-3, among others for libvirt, OpenSSL, QEMU and Samba. Security fixes have also been integrated into the default LDAP ACLs and the UMC server.

  • The App Center has been further developed in many places, and more options for migrating Apps to Docker Apps have been implemented.

  • The replication of directory service objects has been further stabilized for various edge cases.

  • Joining additional Samba-based Active Directory domain controllers is now also possible in domains with more than 100,000 directory service objects.

  • The App Appliances have been extended further: App providers can now define their own branding as well as activate a fast demo mode. This allows a tester to try out an App Appliance very quickly with predefined settings.

§Chapter 2. Notes on the update

During the update, services within the domain may be temporarily unavailable. For this reason the update should be performed within a maintenance window. It is generally recommended to apply and test the update in a test environment first. The test environment should be identical to the production environment. Depending on system speed, network connection and installed software, the update can take between 20 minutes and several hours.

§2.1. Recommended update order

In environments with more than one UCS system, the update order of the UCS systems must be observed:

The domain controller master holds the authoritative version of the LDAP directory service, which is replicated to all other LDAP servers of the UCS domain. Since release updates may change the LDAP schemas, the domain controller master must always be the first system to be updated during a release update.

§2.2. UCS installation DVDs only available as 64-bit variant

As of UCS 4, UCS installation DVDs are only provided for 64-bit architectures. Existing 32-bit UCS 3 systems can still be updated to UCS 4 via the online repository or via update DVDs. The 32-bit architecture remains supported for the entire UCS 4 maintenance period.

§Chapter 3. Preparing the update

Check that sufficient disk space is available. A default installation requires at least 6 GB of disk space. Depending on the size of the existing installation, the update requires approximately 2 GB of additional space for downloading and installing the packages.

The update should be started after logging in as user root on the local console of the system. Alternatively the update can be performed via Univention Management Console.

A remote update via SSH is not recommended, since an interruption of the network connection can, for example, abort the update process and leave the system in an inconsistent state. If an update is nevertheless performed over a network connection, make sure that the update continues even if the network connection is interrupted. Tools such as screen or at, which are installed on all UCS system roles, can be used for this purpose.

§Chapter 4. Post-update steps

After the update, the new or updated join scripts must be executed. This can be done in one of two ways: either via the UMC module Domain join or by running the command univention-run-join-scripts as user root.

Afterwards the UCS system must be rebooted.
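The procedure of Chapter 3 and Chapter 4 in one place, as an added shell script that is not part of UCS or of these release notes: it checks the free space for package downloads, starts the release update detached inside screen so that a dropped SSH connection does not abort it, and afterwards runs the join scripts, verifies them and reboots. The commands univention-upgrade (with --noninteractive, --ignoressh and --ignoreterm), univention-run-join-scripts and univention-check-join-status are UCS's own; the screen session name, the log file path and the 2 GiB threshold derived from Chapter 3 are assumptions.

```shell
#!/bin/sh
# Added example, not part of UCS or of these release notes: run a release
# update from an SSH session so that a dropped connection does not abort it,
# then perform the post-update steps. Assumed: a detached screen session named
# "ucs-update", the log file path below, and a 2 GiB free-space requirement
# for package downloads (Chapter 3).
set -u

# Free space in KiB on the filesystem that holds the path given as $1.
free_kib() {
    df -Pk "$1" | awk 'NR == 2 { print $4 }'
}

# check_free_space PATH KIB: succeeds when at least KIB kibibytes are free.
check_free_space() {
    avail=$(free_kib "$1")
    [ "$avail" -ge "$2" ]
}

# The unattended update command. --ignoressh and --ignoreterm suppress the
# checks univention-upgrade otherwise performs when it is started via SSH
# or outside a local console.
upgrade_command() {
    echo "univention-upgrade --noninteractive --ignoressh --ignoreterm"
}

# Chapter 3: start the update detached; it keeps running if SSH drops.
start_update() {
    screen -d -m -S ucs-update \
        sh -c "$(upgrade_command) >/var/log/univention/updater-screen.log 2>&1"
    echo "update running in screen session ucs-update; re-attach with: screen -r ucs-update"
}

# Chapter 4: run new/updated join scripts, verify the join status, then reboot.
finish_update() {
    univention-run-join-scripts
    if ! univention-check-join-status; then
        echo "join scripts still pending, not rebooting" >&2
        return 1
    fi
    reboot
}

main() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    case "${1:-}" in
        start)
            check_free_space /var/cache/apt/archives $((2 * 1024 * 1024)) \
                || { echo "less than 2 GiB free for package downloads" >&2; return 1; }
            start_update ;;
        finish) finish_update ;;
        *) echo "usage: $0 start|finish" >&2; return 2 ;;
    esac
}

# Only act when given a subcommand, so the functions can also be sourced.
if [ $# -gt 0 ]; then main "$@"; fi
```

Run `start` once as root, wait for the screen session to finish (the log file shows the updater's progress), then run `finish`; the join status check keeps the system from rebooting with join scripts still pending.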

§Chapter 5. Notes on the use of individual packages

§5.1. Collection of usage statistics

When the UCS Core Edition is used (which is typically the edition used for evaluating UCS), anonymous usage statistics on the use of Univention Management Console are generated. The modules opened are logged by an instance of the web traffic analysis tool Piwik. This allows Univention to tailor the development of Univention Management Console more closely to customer interest and to make usability improvements.

This logging only takes place when the UCS Core Edition is used. The license status can be checked via the entry License -> License information in the user menu in the upper right corner of Univention Management Console. If License type shows UCS Core Edition, such an edition is in use. With a regular UCS license there is no participation in the usage statistics.

Independently of the license in use, the logging can be disabled by setting the Univention Configuration Registry variable umc/web/piwik to false.

§5.2. Scope of security support for WebKit, Konqueror and QtWebKit

WebKit, Konqueror and QtWebKit are shipped in the maintained branch of the UCS repository but are not covered by security updates. WebKit is mainly used for rendering HTML help pages and similar content. Firefox should be used as the web browser.

§5.3. Recommended browsers for accessing Univention Management Console

Univention Management Console uses numerous JavaScript and CSS functions for rendering its web interface. Cookies must be allowed in the browser. The following browsers are recommended:

  • Chrome version 37 or later

  • Firefox version 38 or later

  • Internet Explorer version 11 or later

  • Safari and Safari Mobile version 9 or later

Older browsers may exhibit rendering or performance problems.

§Chapter 6. Changelog

The changelogs with detailed change information are only maintained in English. Listed are the changes since UCS 4.1-2:

§6.2. Basic system services

§6.2.1. Univention Configuration Registry

  • Setting a UCR variable with the conditional "?" operator (ucr set key?value) did not set the variable if it already existed in another scope. The check now only considers the scope the variable is being set in (Bug 40728).
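What this fix changes in practice, shown with an added shell model of UCR's scope layering. This is not UCR's own code; the real registry is driven with ucr set key?value, ucr set --force key=value and ucr get key. Each scope is a "key: value" file, as in /etc/univention/base.conf, base-ldap.conf, base-schedule.conf and base-forced.conf, the effective value is the first match in the order forced, schedule, ldap, normal, and set_if_unset_old and set_if_unset_new reproduce the pre-4.1-3 and the 4.1-3 check. The temporary file and helper names are assumptions; the demo uses the umc/web/piwik variable from section 5.1.

```shell
#!/bin/sh
# Added model of UCR's layered scopes (not UCR's own code). Each scope is a
# "key: value" file like /etc/univention/base*.conf; the effective value is the
# first hit in precedence order forced > schedule > ldap > normal.
set -u

# Create a fresh, empty set of scope files in a temporary directory.
ucr_init() {
    UCR_DIR=$(mktemp -d)
    NORMAL="$UCR_DIR/base.conf"; LDAP="$UCR_DIR/base-ldap.conf"
    SCHEDULE="$UCR_DIR/base-schedule.conf"; FORCED="$UCR_DIR/base-forced.conf"
    : > "$NORMAL"; : > "$LDAP"; : > "$SCHEDULE"; : > "$FORCED"
}

# scope_get FILE KEY: print the value stored in one scope (empty if unset).
scope_get() {
    sed -n "s|^$2: ||p" "$1" | head -n 1
}

# scope_set FILE KEY VALUE: replace or append the key in one scope.
scope_set() {
    { grep -v "^$2: " "$1" || true; echo "$2: $3"; } > "$1.tmp"
    mv "$1.tmp" "$1"
}

# ucr_get KEY: the effective value, honouring scope precedence.
ucr_get() {
    for f in "$FORCED" "$SCHEDULE" "$LDAP" "$NORMAL"; do
        v=$(scope_get "$f" "$1")
        if [ -n "$v" ]; then echo "$v"; return 0; fi
    done
    return 1
}

# Pre-4.1-3 behaviour of "ucr set KEY?VALUE": skip if the key exists in ANY scope.
set_if_unset_old() {
    if ucr_get "$1" >/dev/null; then return 1; fi
    scope_set "$NORMAL" "$1" "$2"
}

# 4.1-3 behaviour (Bug 40728): only the scope being written, normal, is checked.
set_if_unset_new() {
    if [ -n "$(scope_get "$NORMAL" "$1")" ]; then return 1; fi
    scope_set "$NORMAL" "$1" "$2"
}

demo() {
    ucr_init
    # An administrator has disabled Piwik reporting: ucr set --force umc/web/piwik=false
    scope_set "$FORCED" umc/web/piwik false
    # A package postinst applies its default: ucr set umc/web/piwik?true
    set_if_unset_old umc/web/piwik true && echo "old: wrote normal scope" || echo "old: skipped"
    set_if_unset_new umc/web/piwik true && echo "new: wrote normal scope" || echo "new: skipped"
    # Either way the forced value wins; the package default cannot override the admin.
    echo "effective umc/web/piwik = $(ucr_get umc/web/piwik)"
    rm -rf "$UCR_DIR"
}

demo
```

The point for packagers and administrators: a forced value still wins over a package default written with the conditional operator, before and after the fix. What changed is only whether the default lands in the normal scope at all, which matters once the forced value is removed again.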

§6.3. Domain services

§6.3.1. OpenLDAP

  • Starting the LDAP daemon on i686 systems with an MDB backend and an MDB maxsize of at least 2147483648 bytes (2 GiB) could fail. The init script now checks the start up to three times (Bug 33993).

§6.3.1.1. LDAP ACL changes

  • Access to the UVMM object classes is now more restrictive (Bug 41723).
  • Regular users are prevented from changing their own object classes (Bug 41179).
  • Users can now only create objects with the univentionAdminUserSettings object class underneath cn=admin-settings (Bug 41180).
  • Various restrictions for member servers and domain controllers have been added to the LDAP ACLs (Bug 41715).

§6.3.1.2. Listener/Notifier domain replication

  • IPv6 support was added to get_notifier_id.py (Bug 39509).
  • The help messages for univention-directory-listener-ctrl have been improved. Two new subcommands, modules and status, have also been added (Bug 3490).
  • Some string and integer comparison bugs have been fixed (Bug 38696).
  • The Listener did not drop root privileges in all error cases. This issue has been fixed (Bug 34324).
  • Some old and no longer needed code has been removed to reduce the memory footprint (Bug 30227).
  • Some debug messages have been cleaned up (Bug 34738).
  • Some data structures are no longer allocated dynamically but put onto the stack to make the Listener more robust against memory allocation problems (Bug 34507).
  • A bug in handling the notifier ID has been fixed: If the Listener was restarted multiple times, the last processed transaction ID could be lost. This led to all transactions being skipped which happened in between (Bug 41261).
  • The locking has been improved to prevent multiple instances of the Listener running at the same time (Bug 22383).
  • The transaction log is now only written on systems where the Notifier is installed as well to prevent the hard disk from filling up (Bug 40600).
  • The code for flat-mode replication has been removed (Bug 30489).
  • The check for a full file system was inverted and has been fixed (Bug 28232).
  • LDAP objects with a multi-valued RDN are now handled correctly during rename and move (Bug 33594).
  • A traceback in failed LDIF mode has been fixed (Bug 41347).
  • The replication module now logs more information in case of an object class violation (Bug 31757).
  • The replication module no longer runs as the user root. The directory /var/lib/univention-directory-replication/ is now owned by the user listener. The failed.ldif files are now owned by the user listener and the LDAP connections are now made by the user listener (Bug 34324).

§6.4. Univention Management Console

§6.4.1. Univention Management Console web interface

  • UMC is now also usable in Chrome 51 (Bug 41224).
  • Show a warning message if browser cookies are disabled and ask the user to enable them (Bug 28665).
  • Make it possible to collect usage data from the system setup to make future improvements to the user experience even better (Bug 40551).

§6.4.2. Univention Management Console server

  • The Sanitizer base class now accepts a parameter allow_none to allow None values (Bug 41424).
  • A new DNSanitizer has been added, to validate LDAP distinguished names (Bug 41423).
  • A UMC server crash is now prevented in specific circumstances after login (Bug 41070).
  • A UMC server crash is now prevented for requests with malicious request data (Bug 41370).
  • The UMC client no longer evaluates Python code in its arguments (Bug 41736).

§6.4.3. Univention App Center

  • When upgrading a regular App to a Docker App, the Apache proxy settings were not written correctly. This has been fixed (Bug 41178).
  • The German and English description about the sale of licenses and support in the Univention App Center has been aligned (Bug 40757).
  • Docker Apps did not register their web interface correctly in the UCS overview site. This has been fixed (Bug 40842).
  • When Docker Apps were updated, a new version of the shipped join script was not recognized. This has been fixed, the join script is now correctly installed and executed (Bug 41452).
  • The button on the App page which read Open module or Open Website has been relabeled to just Open (Bug 41227).
  • One could not uninstall Apps that other Apps required to be installed somewhere in the domain, even if this App was installed several times. This has been fixed (Bug 41217).
  • Minor code changes make it easier for other projects to build on the App Center (Bug 41360, Bug 41770).
  • Uninstalling an App failed when the App was not properly registered before (Bug 41542).
  • Tests run before upgrading an App used the installed version, not the to-be-installed version (Bug 41532).
  • A function to detect a docker bridge network conflict has been added (Bug 41596).
  • The use of UDM handler objects has been optimized (Bug 41658).
  • Access to the object class univentionApp is now more restrictive (Bug 41724).
  • The App Center now displays a warning if a conflict between the systems network settings and the docker bridge network has been detected (Bug 40515).
  • When searching for Apps, the Vendor (and Maintainer) of the App is considered (Bug 41702).
  • Apps may now require a specific version to be already installed, before an upgrade is possible (Bug 33537).
  • When opening an App in the Gallery that is not yet installed, a notification is sent to Univention (Bug 41690).
  • When (un)installing an App, a notification is always sent to Univention. If the App does not say otherwise, this notification is anonymized (Bug 41691).
  • When a non Docker version of an App was installed, the upgrade to a Docker version is prohibited unless the App says it is safe to upgrade (Bug 41804).
  • The App Center sometimes installed the next-to-latest App version instead of the latest one (Bug 41841).
  • Executing missing join scripts in a Docker Container is now supported (Bug 39551).

§6.4.4. Univention Directory Manager UMC modules and command line interface

  • Extended options are now also evaluated for user objects (Bug 41017).
  • The UDM command line tool now supports the use of --remove on single value attributes. Before --set attribute= had to be used (Bug 41172).
  • Some old code which handled custom attributes has been removed (Bug 41266).
  • The object class of extended options is now always added or removed to the object without the need to change an attribute (Bug 25240).
  • The extended attribute option to remove the object class if it is no longer needed has been re-enabled (Bug 41207).
  • The attribute sambaPwdLastSet is now set for computer objects while changing the password (Bug 41367).
  • Syntax classes based on UDM_Attribute with single-value attributes have been fixed to correctly detect the possible field values (Bug 41290).
  • Extended options are now always evaluated when instantiating a UDM object (Bug 41580).
  • Special characters (such as +) are now correctly escaped when composing a DN for a newly created object (Bug 40041).
  • Some LDAP filters are now properly escaped (Bug 40129).
  • A man-in-the-middle attack and a local root code execution vulnerability in the UDM CLI client have been fixed (Bug 40422).

§6.4.5. Modules for system settings / setup wizard

  • This update publishes some minor adjustments in the source code (Bug 40913).
  • The package phantomjs has been added. It is necessary for the new App appliances (Bug 40934).
  • Apps may now provide design information for branding UCS appliances (Bug 40826).
  • Apps may now provide more detailed information on the first steps to take after their initial installation/setup (Bug 38957).
  • App appliances may be configured to offer a fast setup mode with a pre-configured UCS domain (Bug 41622).
  • A new option for setting up a UCS system has been added which allows a fast instantiation for demo purposes. Some more aspects of the setup process have been improved with respect to reliability and speed (Bug 40046).
  • Some more corrections have been applied for the fast UCS instantiation (Bug 41283, Bug 41932).
  • A UCR variable for enabling/disabling the fast instantiation has been added (Bug 41622).
  • Problems with a hanging setup process when finishing have been corrected (Bug 40985).
  • The timeout for internal LDAP queries during changes of network configurations has been adjusted for the UCS setup process (Bug 40968).
  • The rendering of the welcome screen after booting a UCS system has been improved and OverlayFS log messages have been removed (Bug 41026).
  • Problems with a disabled repository after setup have been corrected (Bug 40710).
  • An error dialog has been corrected which occasionally showed up during the setup process stating that no module would be available (Bug 40751).
  • A typo in the header for the initial setup of UCS on an Amazon EC2 instance has been corrected (Bug 40673).
  • Enable collection of usage data during the system setup to allow future improvements to the user experience (Bug 40551).
  • Regenerate the system UUID during the fast setup demo mode to ensure a unique system (Bug 41140).
  • Errors that occur during the system setup of UCS can now be sent as feedback to Univention by the user (Bug 40782).
  • Redirection problems for app appliances at the end of the setup wizard have been corrected (Bug 41793).
  • The AD connector is now automatically installed if UCS is joining an AD domain (Bug 37333).

§6.5. Software deployment

  • The command univention-add-app has been adapted to reflect changes in the App Center package (Bug 33537).
  • Clarified a confusing message when UCS release updates are blocked because of missing Apps or components (Bug 40458).
  • The Updater was adapted for UCS 4.1-3 (Bug 41895).

§6.6. Univention base libraries

  • The method get_schema() has been added to the class univention.uldap.access which returns LDAP schema information (Bug 41207).
  • A faulty policy type detection has been fixed that could lead to wrong results of univention_policy_result. This misbehavior affected the DHCP service and other services using univention_policy_result (Bug 41641).
  • The python-ldap utilities are now used for splitting DNs in univention.uldap (Bug 40129).
  • Handling of DNs has been improved (Bug 40041).
  • No modrdn operation is performed anymore if the DN did not change when modifying an object with uppercase letters in the attribute name of its RDN. This was a regression caused by UCS 4.1-2 errata 207 (Bug 41785).

§6.7. System services

§6.7.1. SAML

  • The SAML package is now handled in the translation process (Bug 41222).

§6.7.2. SSL

  • univention-certificate check now also checks the expiry date of the certificate (Bug 31369).
  • univention-certificate new now also accepts the -days parameter (Bug 39257).
  • univention-certificate now checks the UCS server role, as its full functionality is only available on the 'DC Master' (Bug 24094).
  • Changing the Univention Configuration Registry variables ssl/default/hashfunction and ssl/default/bits now takes immediate effect (Bug 40498).
  • During the initial CA creation 2.debian.pool.ntp.org is used in addition, which also contains IPv6-capable time servers (Bug 25285).
  • The certificate revocation list is now updated periodically. The intervals are configured through the Univention Configuration Registry variables ssl/crl/interval and ssl/crl/validity (Bug 35748).
  • The SSL extension example has been fixed to work with non-bash shells (Bug 39045).
  • Locking has been added to prevent parallel execution when managing certificates (Bug 35027).
  • Server certificates are no longer revoked and re-created when the LDAP host entry is only moved (Bug 41230).
  • The new Univention Configuration Registry variable ssl/ca/cipher can be used to choose the cipher used to encrypt the private key of the root CA. The new default is aes256 (Bug 37621).
  • The new Univention Configuration Registry variable ssl/host/objectclass can be used to configure the LDAP object classes for which SSL certificates are automatically created (Bug 38903).
  • Some shell variable quoting problems have been fixed in the shell library for SSL handling (Bug 41917).

§6.7.3. Proxy services

  • The timeout for the SPN account samba search in the join script has been increased (and is now configurable via the Univention Configuration Registry variable squid/kerberos/join/timeout) (Bug 41443).

§6.7.4. PAM / Local group cache

  • The Name Service Switch (NSS) module extrausers is used to obtain user group information from LDAP. Its implementation of getgrouplist() was not thread-safe, which caused processes such as libvirtd to crash on restart. Proper locking has been added (Bug 39775).

§6.8. Virtualization

§6.8.1. Univention Virtual Machine Manager (UVMM)

  • Allow creating snapshots of VMs with more than 4 GiB RAM which is supported with QEMU since version 1.1 (Bug 35581).
  • A default password for all VNC sessions can be configured through the new Univention Configuration Registry variable uvmm/kvm/vnc/password (Bug 41340).

§6.9. Container Technologies

  • The docker daemon options are now configurable via the Univention Configuration Registry variable docker/daemon/default/opts/$PARAM=$VALUE (Bug 40515).
  • The start of the docker daemon is aborted if a docker bridge network conflict has been detected (Bug 40515).
  • Use the docker bip setting for docker specific iptables rules (Bug 40515).
  • Workaround cron hard-link issue on OverlayFS (Bug 39677).
  • Executing missing join scripts in a Docker Container is now supported (Bug 39551).
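The conflict that the App Center warning (6.4.3, Bug 40515) and the aborted docker start above refer to is an overlap between the docker bridge subnet (docker's bip setting, which is a host address with prefix such as 172.17.42.1/16) and a subnet the host itself is attached to. As an added shell check that is neither UCS's nor Docker's code, the functions below compare two CIDR networks and test the bridge against the host's configured IPv4 networks. The sample networks are constructed; that the UCR option docker/daemon/default/opts/bip maps to docker's --bip is an assumption drawn from the changelog entry above.

```shell
#!/bin/sh
# Added example, not part of UCS or Docker: check whether the docker bridge
# subnet (docker's --bip value) overlaps a subnet the host is attached to,
# which is the conflict the App Center warns about. Pure POSIX sh with
# 64-bit shell arithmetic; the sample networks are constructed.
set -u

# ip4_to_int A.B.C.D: the address as a 32-bit integer.
ip4_to_int() {
    set -- $(echo "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# prefix_mask N: the netmask for a /N prefix as an integer.
prefix_mask() {
    echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

# net_of ADDR/N: "<network-int> <N>"; the address part may be a host address
# such as 172.17.42.1/16, as in docker's bip setting.
net_of() {
    addr=${1%/*}; prefix=${1#*/}
    echo "$(( $(ip4_to_int "$addr") & $(prefix_mask "$prefix") )) $prefix"
}

# cidr_overlap A/N B/M: succeeds if the networks share at least one address.
# Two CIDRs overlap exactly when they agree on the bits of the shorter prefix.
cidr_overlap() {
    set -- $(net_of "$1") $(net_of "$2")
    shortest=$2
    if [ "$4" -lt "$2" ]; then shortest=$4; fi
    mask=$(prefix_mask "$shortest")
    [ $(( $1 & mask )) -eq $(( $3 & mask )) ]
}

# host_networks: IPv4 networks configured on this host (Linux ip(8) output).
host_networks() {
    ip -4 -o addr show scope global 2>/dev/null | awk '{ print $4 }'
}

# check_bridge BIP: fails and reports every host network colliding with BIP.
check_bridge() {
    rc=0
    for net in $(host_networks); do
        if cidr_overlap "$1" "$net"; then
            echo "docker bridge $1 overlaps host network $net" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Usage on a UCS host (assuming the bip option maps to docker's --bip):
#   check_bridge 172.17.42.1/16 || ucr set docker/daemon/default/opts/bip=10.250.0.1/16
if [ $# -gt 0 ]; then check_bridge "$1"; fi
```

Pick a replacement bridge network that is also free of the routes to other sites and VPNs, not just of the local interfaces; the check above only sees the addresses configured on this host.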

§6.10. Services for Windows

§6.10.1. Samba

  • This update fixes regressions from Errata update 411 (Bug #40988) (Bug 41193).
  • The default RPC timeout has been increased from 60 to 480 seconds, so that a join with more than 100,000 objects works (Bug 41021).
  • Reliability of samba_dnsupdate has been improved on UCS@school DC Slaves by using localhost for DNS related Kerberos operations. This fixes an intermittent error in the 98univention-samba4slavepdc-dns.inst joinscript (Bug 34908).
  • The restart command of the samba init wrapper script has been adjusted to avoid restarting samba-ad-dc after NMBD (Bug 41551).
  • The GetGroupsForUser SAMR RPC call has been adjusted to make use of the memberOf attribute (Bug 41644).
  • Two additional regression patches from the badlock update have been merged (Bug 41729).

§6.10.2. Univention S4 Connector

  • The mapping for msPrintConnectionPolicy has been fixed (Bug 41309).
  • A restart of the Samba LDAP server during the initialization phase of the connector could lead to an endless loop in the initialization. This issue has been fixed (Bug 41288).
  • Add support for overriding IPv4 and IPv6 addresses of specific DNS host records. Feature added for upcoming UCS@school release (Bug 41482).
  • Allow recreation of object deleted in Samba/AD if visible in OpenLDAP (Bug 41756).
  • Allow recreation of account deleted in Samba/AD if objectSid matches (Bug 41864).
  • When an object was moved out of the visibility of a UCS@school Samba/AD PDC Slave, the attributes passed to the S4 Connector were mixed up. This caused the next modified object to be marked internally as deleted by the S4 Connector although it was in fact perfectly healthy. This update fixes the issue, but manual steps are required to unmark the objects and restore normal synchronization (Bug 41884).

§6.10.3. Univention Active Directory Connection

  • A traceback due to empty proxyAddresses in AD during the synchronization has been fixed (Bug 41246).
  • Close the SAMR user connection during password sync to Active Directory (Bug 41247).

§6.11. Other changes

  • ucslint no longer warns about files processed by some debhelper scripts supporting the --name argument (Bug 41603).
  • ucslint now also accepts "${@}" for passing join credentials (Bug 34253).
  • ucslint warns when univention-ldapsearch -x is used (Bug 38853).
  • The boot splash has been extended to allow adjustments of its design (Bug 41821, Bug 39465).
  • The package univention-mysql has been added. It allows to configure arbitrary MySQL settings through UCR variables named mysql/config/$group/$option (Bug 39471, Bug 40216).
  • When installing a translation generated by this package, UCR variables concerning the locale are now set correctly (Bug 40917).
  • JavaScript files are now handled correctly on package generation (Bug 40936).
  • The translation process is simplified by requiring less steps (Bug 41223).