With Univention Corporate Server 4.1-4, the fourth point release of Univention Corporate Server (UCS) 4.1 is now available. It provides various improvements and bugfixes. An overview of the most important changes:

The installation wizard and the UCS management system are now also available in French.
Samba has been updated to version 4.5.1. This includes various improvements, among other things the DRS replication, the Active Directory compatibility, the file services and the printer handling.
The Linux kernel has been updated to the latest stable version of the 4.1 long term kernel. This includes several security updates, improvements in the stability, as well as newer and updated drivers for a better hardware support.
Docker Apps can now use the database on the UCS system using a simple configuration setting, which simplifies the migration of Docker Apps.

§Chapter 2. Notes about the update

During the update some services in the domain may not be available temporarily, that is why the update should occur in a maintenance window. It is recommended to test the update in a separate test environment prior to the actual update. The test environment should be identical to the production environment. Depending on the system performance, network connection and the installed software the update will take between 20 minutes and several hours.

§2.1. Recommended update order for environments with more than one UCS server

In environments with more than one UCS system, the update order of the UCS systems must be borne in mind:

The authoritative version of the LDAP directory service is maintained on the master domain controller and replicated to all the remaining LDAP servers of the UCS domain. As changes to the LDAP schema can occur during release updates, the master domain controller must always be the first system to be updated during a release update.

§2.2. UCS installation DVD only available for 64 bit

Starting with UCS 4.0, installation DVD are only provided for the x86 64 bit architecture (amd64). Existing 32 bit UCS 3 systems can still be updated to UCS 4.0 through the online repository or by using update DVD. The 32 bit architecture will be supported over the entire UCS 4 maintenance period.

§Chapter 3. Preparation of update

It must be checked whether sufficient disk space is available. A standard installation requires a minimum of 6 GB of disk space. Depending on the scope of the existing installation, the update will require about another 2 GB of disk space for download and installation all packages.

For the update, a login should be performed on the system's local console as user root, and the update should be initiated there. Alternatively, the update can be conducted using Univention Management Console.

Remote updating via SSH is not recommended as this may result in the update procedure being canceled, e.g., if the network connection is interrupted. In consequence, this can affect the system severely. If updating should occur over a network connection nevertheless, it must be verified that the update continues in case of disconnection from the network. This can be achieved, e.g., using the tools screen and at. These tools are installed on all UCS system roles by default.

§Chapter 4. Postprocessing of the update

Following the update, new or updated join scripts need to be executed. This can be done in two ways: Either using the UMC module Domain join or by running the command univention-run-join-scripts as user root.

Subsequently the UCS system needs to be restarted.

§Chapter 5. Further notes on selected packages

§5.1. Collection of usage statistics

Anonymous usage statistics on the use of Univention Management Console are collected when using the UCS Core Edition (which is generally used for evaluating UCS). The modules opened are logged in an instance of the web traffic analysis tool Piwik. This makes it possible for Univention to tailor the development of Univention Management Console better to customer needs and carry out usability improvements.

This logging is only performed when the UCS Core Edition license is used. The license status can be verified via the menu entry License -> License information of the user menu in the upper right corner of Univention Management Console. If UCS Core Edition is listed under License type, this version is in use. When a regular UCS license is used, no usage statistics are collected.

Independent of the license used, the statistics generation can be deactivated by setting the Univention Configuration Registry variable umc/web/piwik to false.

§5.2. Scope of security support for WebKit, Konqueror and QtWebKit

WebKit, Konqueror and QtWebKit are shipped in the maintained branch of the UCS repository, but not covered by security support. WebKit is primarily used for displaying HTML help pages etc. Firefox should be used as web browser.

§5.3. Recommended browsers for the access to Univention Management Console

Univention Management Console uses numerous JavaScript and CSS functions to display the web interface. Cookies need to be permitted in the browser. The following browsers are recommended:

Chrome as of version 37
Firefox as of version 38
Internet Explorer as of version 11
Safari and Safari Mobile as of version 9

Users with older browsers may experience display or performance issues.

§Chapter 6. Changelog

Listed are the changes since UCS 4.1-3:

§6.1. General

All security updates issued for UCS 4.1-3 are included:

§6.2. Univention Installer

A French translation is now available. (Bug 42326, Bug 42327).

§6.3. Basic system services

§6.3.1. Linux kernel and firmware packages

The Linux kernel has been updated to 4.1.34 (Bug 41058, Bug 42727).

§6.3.2. Univention Configuration Registry

The program univention-check-templates now checks all files below /etc/univention/ for modifications (Bug 41735).

§6.4. Domain services

§6.4.1. OpenLDAP

The Univention Configuration Registry variable ldap/limits has been added to configure OpenLDAP server limits (Bug 34873).
The slapd backup cron job can now be disabled by setting the Univention Configuration Registry variable slapd/backup to false. The cron interval can be configured with the Univention Configuration Registry variable slapd/backup/cron (Bug 38679).
The ldap client parameters NETWORK_TIMEOUT, TIMEOUT and TIMELIMIT can now be configured with the Univention Configuration Registry variables ldap/client/network_timeout, ldap/client/timeout and ldap/client/timelimit (Bug 39307).
The index lines in the slapd.conf are now wrapped if the line is longer than 2048 characters (Bug 41648).
The Univention Configuration Registry variable ldap/index/quickmode has been added. If set to true, the LDAP re-index tool (ldap_setup_index) is started in quick mode (fewer integrity checks, improved indexing time) (Bug 41281).
The directory logger now handles logging of entries with missing LDAP operational attributes (Bug 25404).
The robustness of logging deleted entries has been fixed in the directory logger (Bug 34916).
The logging of binary values using base64 has been improved in the directory logger (Bug 34420).
The Univention Configuration Registry variable ldap/logging/dellogdir now has a description and the value of the Univention Configuration Registry variable ldap/logging is interpreted as a boolean (Bug 42665).

§6.4.1.1. Listener/Notifier domain replication

LDAP entries were not removed correctly, if they were moved to a location filtered by LDAP access control. In that case the Univention Directory Listener modules registered for those entries were not called or called twice (Bug 42029).
When objects were moved to a subtree protected by LDAP access control lists, the listener modules using modrdn='1' were only called once with the original command='r' to signal the first phase of the move operation. They were not called again for the second phase with command='a' as the Listener cache entry was already deleted during the first phase and the modules were no longer associated with that entry. The Listener now calls the modules with command='d' to signal a deletion (Bug 32685).
The Listener now checks the file system for enough free space and aborts, if too few is available. The default of 10 MiB can be changed through the new Univention Configuration Registry variable listener/freespace (Bug 42573).
The Listener now writes the state of each handler just after initialization (Bug 41842).
For each changed LDAP entry the distinguished name is now logged with debug level PROCESS (Bug 41960).
Several quoting problems in the init and runit scripts have been fixed (Bug 42328).
Build-hardening and more warnings have been enabled for the compiler. Error handling and logging have been improved (Bug 42701).
On 32 bit architectures calculating the remaining free space could result into an overflow error, which terminates the Listener. This has been fixed (Bug 42725).

§6.5. Univention Management Console

§6.5.1. Univention Management Console web interface

Wildcard and automatic substring searches are now configurable via Univention Configuration Registry (Bug 42388).
A French translation is now available. (Bug 41776, Bug 41773, Bug 42260).

§6.5.2. Univention Management Console server

The PAM unix configuration for password changes has been adjusted. New passwords are stored with SHA-512 instead of MD5. Changing empty passwords is not allowed anymore (Bug 42103).

§6.5.3. Univention App Center

The App Center can now create a database for an App if it wishes so. It is useful for Docker Apps as the database is created outside the container (Bug 40857).
The web interface links for Docker Apps without automatic Apache integration have been fixed (Bug 41626).
If needed, Docker Apps may now get read-only access to the Host's certificate (Bug 42016).
Some typos have been corrected in the App Center (Bug 42157).
The configuration for Docker Apps have been improved (Bug 42401).
Where appropriate, the App Center packages now depend on other App Center packages with explicit versions. This prevents errors in case one package failed to install (Bug 42362).
Apps may now specify packages that shall be installed depending on the server role of the system (Bug 42200).
The docker env file is now a Univention Configuration Registry template (Bug 42317).
When upgrading from a Non-Docker App to a Docker App, Join scripts of the Docker version are run last (Bug 42498).
Fixed automatically deleting files that Non-Docker Apps do not have in their App repository, but instead are installed as part of their packages (Bug 42485).
Database packages are marked as user installed when a Docker App has database integration (Bug 42488).
Fixed handling of App Settings for Docker Apps that do not use a UCS based container (Bug 42527).
If a Docker version of an App is released, but a Non-Docker version is installed, this version is not shown (and not installable) by default. If the App Center is used from a different system, an update is shown, though. This display issue has been fixed (Bug 42713).
The initialization of all Apps could result in a traceback for Apps with a certain version history. This issue has been fixed (Bug 41992).
A race condition could lead to data loss in the Univention Config Registry. This issue has been fixed (Bug 42619).

§6.5.4. Univention Directory Manager UMC modules and command line interface

Attribute names with ;binary suffix are now considered when sanitizing object classes (Bug 41824).
A regression has been fixed which caused that the value 0 was written to the LDAP entry for extended attributes with boolean syntax (Bug 41829).
The ldap modlist hooks are now executed before sanitizing object classes (Bug 41899).
When deleting a computer object, the computer is now removed from the list of name servers in its DNS zone objects (Bug 37086).
Some typos have been corrected (Bug 42156).
Error messages regarding attribute locking have been improved (Bug 42386).

§6.5.5. Modules for system settings / setup wizard

Adapted the way univention-system-setup-boot gets uninstalled at the end of system setup (Bug 42808).
univention-ad-connector is now only installed on the first system joining an Active Directory (Bug 42538).
Fixed an issue that the joinscript 92univention-management-console-web-server was not properly configured when installing from the ISO (Bug 42500).
Clarified sentences at the last system setup page (Bug 40601).
Fixed base system setup errors (Bug 42553).
Fix a crash during validation in special DNS configurations (Bug 42179).
Use correct INI value for NotifyVendor information in univention-app-appliance (Bug 42068).
The console login message is now deactivated during the fast demo mode. This corrects problems when uploading the license file during an app appliance configuration (Bug 42031).
App appliances without a customized branding will show now the default UCS boot splash instead of a black screen (Bug 42165).
The interoperability of older UCS installation images or appliances with an update to the latest UCS version during the installation and setup process has been improved (Bug 42095).
Software packages are no longer automatically cached when installing univention-system-setup-boot (Bug 42122).
Some typos have been corrected (Bug 42075).
A missing package dependency has been added (Bug 41920).
During DVD installation the packages are now installed directly from the DVD, instead of being copied to the disk beforehand (Bug 42402).
Initialize updater/identify from ISO image metadata (Bug 42483).
Added French translations to the package di-univention-system-setup (Bug 42325).

§6.5.6. DHCP module

The DHCP options mapping has been fixed so that multiple values can be provided (Bug 33614).
The failover peer property description has been renamed into failover peer configuration (Bug 39876).
Some univentionObject object classes are added to automatically created objects (Bug 38073).
The DHCP netmask property has been renamed into address prefix length (Bug 27123).
DHCP Pools may now be created underneath of shared subnets (Bug 40649).
DHCP Pools may now be created via the DHCP UMC module (Bug 42177).
Positions and types of superordinate objects are now validated before creating objects (Bug 34764).
The UMC modules don't crash anymore if the Univention Configuration Registry variable directory/manager/web/sizelimit is empty (Bug 39588).

§6.5.7. Other modules

When adding objects the Container widget is not shown anymore if a superordinate is selected as these objects are created underneath of the superordinate (Bug 26133).

§6.6. Software deployment

The Updater has been adapted for UCS 4.1-4 (Bug 42655).
The tool univention-upgrade no longer fails if searching for new apps fails, e.g. because of network errors (Bug 41869).
Some typos in links addresses have been corrected (Bug 42076).
A check for a valid APT sources list has been added before updating the Packages files or performing package maintenance (Bug 42450).

§6.7. Univention base libraries

The parsing of LDAP bind credentials for UDM in umc.sh has been fixed (Bug 24758).
Variables in umc.sh are now declared local to not clobber global variables (Bug 24758).

§6.8. System services

§6.8.1. SAML

The module description of the SAML identity provider module is now translated correctly (Bug 41187).

§6.8.2. Mail services

A new Univention Configuration Registry variable mail/postfix/myorigin has been introduced, that allows to set Postfix' myorigin variable (see http://www.postfix.org/postconf.5.html#myorigin). The default value is the fully qualified domain name (FQDN) (Bug 32572).
In some situations Dovecot was not properly configured after the initial installation. This has been fixed (Bug 42032).

§6.8.3. Printing services

The PyKota database is allowed to access localhost via IPv6 too (Bug 41915).

§6.8.4. Apache

Consecutive restarts of the Apache daemon could result in a race condition, as the PID file may be not available. A short wait for the the Apache daemon PID file creation is introduced by this update (Bug 41781).

§6.8.5. PAM / Local group cache

The PAM unix configuration for password changes has been adjusted. New passwords are stored with SHA-512 instead of MD5. Changing empty passwords is not allowed anymore (Bug 42103).

§6.9. Virtualization

§6.9.1. Univention Virtual Machine Manager (UVMM)

The new Univention Configuration Registry variable libvirt/group can be used to set the group membership of the UNIX domain socket of the libvirt daemon, which allows users of that group to access the management capabilities of the libvirt daemon without becoming root (Bug 42622).

§6.10. Container Technologies

Quoting issues to support App installations with versions containing spaces have been fixed (Bug 42602).
When upgrading the underlying container, all available release updates are installed in one run (Bug 42603).
Abort installation if the App is not found instead of doing nothing (Bug 39803).
The MySQL port is no longer blocked for Docker containers (Bug 42117).
Apply docker firewall settings during start of docker (Bug 42698).

§6.11. Services for Windows

§6.11.1. Samba

Samba has been updated to version 4.5.1 (Bug 42624, Bug 42859).
samba-tool ntacl sysvolcheck has been fixed (Bug 39633).
The smb.conf parameters security mask, directory security mask, force security mode, force directory security mode are not written to Samba share definitions any longer, because Samba removed support for them (Bug 42679).
Samba 4.5.1 has disabled ntlm auth by default. In UCS, this setting can be configured via the Univention Configuration Registry variable samba/ntlm/auth and it is activated by default (Bug 42847).
Locking in the SYSVOL sync script has been improved (Bug 42475).
In case Samba 4 is installed only on a DC backup the re-join fails. The join script now checks if this system is configured as S4 connector system and re-initialized the system. In this case all other Samba 4 DCs need to be re-joined (Bug 39251).
The idmap database is now removed while re-joining the system. This reduces the re-join time (Bug 40511).
The following Univention Configuration Registry variables have been added to configure the Winbind settings: samba/winbind/nested/groups, samba/winbind/rpc/only, samba/winbind/max/clients, samba/winbind/enum/users and samba/winbind/enum/groups (Bug 41767).
It is possible that Samba 4 joins against another DC and not against the master. This could led to different problems. The join script now tries to join against the S4 Connector system first (Bug 30836).
The group DC Backup Hosts is now member of the group Enterprise Domain Controllers. This is needed for the SYSVOL replication in case Samba 4 is not installed on the DC master (Bug 41549).
The package univention-nagios-samba has been added to the list of recommended packages for univention-samba4 (Bug 29463).
The Nagios check UNIVENTION_SAMBA_REPLICATION has been added to check the state of Samba DRS replication (Bug 29463).
The slave PDC join script now updates some descriptions for the default users and groups. This avoids rejects if the Univention S4 Connector is not installed on the DC master in a distributed UCS@school environment (Bug 36831).
The slave PDC host account is now demoted from the central Samba in a distributed UCS@school environment (Bug 41168).
The school OU was not defined while joining a new Windows client. This issue has been fixed (Bug 41765).

§6.11.2. Univention S4 Connector

The S4 Connector has been adjusted to use the tombstone reanimation feature of Samba 4.5.1 (Bug 42120).
The S4 Connector didn't synchronize TXT records. This issue has been fixed (Bug 41006).
The performance of the S4 Connector when handling many objects has been improved (Bug 41999).
The S4 Connector mapping for LDAP attributes is now case insensitive (Bug 42855).

§6.11.3. Univention Active Directory Connection

The Active Directory connector didn't support synchronization of groups with more than 1500 members. This issue has been fixed (Bug 41248, Bug 41744).
The package dependency to the master and backup server role packages has been removed (Bug 41682, Bug 42489).
The sync mode can now be configured through Univention Configuration Registry variables for users, groups and containers separately (Bug 41685).
The ignored subtrees can now be configured through the Univention Configuration Registry variable connector/ad/mapping/ignoresubtree/* (Bug 41680).
Moving an object to a non-readable LDAP position resulted to a wrong move. This issue has been fixed (Bug 41938).

§6.12. Other changes

The command line parameter -skipAdMemberMode has been added to univention-join to skip the ad member mode configuration (Bug 40611).
The command line parameter -containerAdMemberMode has been added to univention-join for special handling of ad member mode in containers (Bug 40611).
univention-docker-container-mode now by default calls univention-join with the parameter -containerAdMemberMode (Bug 40611).
univention-docker-container-mode now by default skips App updates when upgrading packages (Bug 42760).
univention-docker-container-mode now by default skips the version check when joining the domain. This allows the installation of Docker Apps that have a higher UCS version than the host (Bug 42735).
The package univention-mysql has been added to the list of maintained packages (Bug 42026).
The bind address of MySQL has been changed to 0.0.0.0 to accept connections from anywhere. However, univention-firewall will reject most connections. The Docker interface will be forwarded, giving container Apps from the App Center access to MySQL (Bug 42307).
NFS home shares with names containing blanks are now also unmounted properly (Bug 32018).
Several bugs have been fixed in univention-home-mounter which could lead to the root file system being filled with temporary files (Bug 42491).
Typos have been corrected in various packages (Bug 42162, Bug 42077, Bug 42069, Bug 42070, Bug 42164, Bug 42161, Bug 42073, Bug 42071, Bug 42159, Bug 42163, Bug 42078, Bug 42160).
SSH connection multiplexing is now disabled in univention-ssh, as processes can get stuck waiting for the master connection to terminate (Bug 42476).
Handling of symbolic links has been improved in univention-skel (Bug 42493).
The function check_ldap_tls_connection now uses univention-ldapsearch to better handle LDAP server restarts while joining (Bug 42420).