With Univention Corporate Server 4.1-5, the fifth point release of Univention Corporate Server (UCS) 4.1 is now available. It provides various improvements and bugfixes. An overview of the most important changes:

Samba has been updated to include important security fixes.
The Linux kernel has been updated to the latest stable version of the 4.1 long term kernel. This includes several security updates, improvements in the stability, as well as newer and updated drivers for a better hardware support.
The App Center UMC module startup performance has been improved. This optimization is achieved by only downloading differential updates from the App Center Server using zsync.

§Chapter 2. Notes about the update

During the update some services in the domain may not be available temporarily, that is why the update should occur in a maintenance window. It is recommended to test the update in a separate test environment prior to the actual update. The test environment should be identical to the production environment. Depending on the system performance, network connection and the installed software the update will take between 20 minutes and several hours.

§2.1. Recommended update order for environments with more than one UCS server

In environments with more than one UCS system, the update order of the UCS systems must be borne in mind:

The authoritative version of the LDAP directory service is maintained on the master domain controller and replicated to all the remaining LDAP servers of the UCS domain. As changes to the LDAP schema can occur during release updates, the master domain controller must always be the first system to be updated during a release update.

§2.2. UCS installation DVD only available for 64 bit

Starting with UCS 4.0, installation DVD are only provided for the x86 64 bit architecture (amd64). Existing 32 bit UCS 3 systems can still be updated to UCS 4.0 through the online repository or by using update DVD. The 32 bit architecture will be supported over the entire UCS 4 maintenance period.

§Chapter 3. Preparation of update

It must be checked whether sufficient disk space is available. A standard installation requires a minimum of 6 GB of disk space. Depending on the scope of the existing installation, the update will require about another 2 GB of disk space for download and installation all packages.

For the update, a login should be performed on the system's local console as user root, and the update should be initiated there. Alternatively, the update can be conducted using Univention Management Console.

Remote updating via SSH is not recommended as this may result in the update procedure being canceled, e.g., if the network connection is interrupted. In consequence, this can affect the system severely. If updating should occur over a network connection nevertheless, it must be verified that the update continues in case of disconnection from the network. This can be achieved, e.g., using the tools screen and at. These tools are installed on all UCS system roles by default.

§Chapter 4. Postprocessing of the update

Following the update, new or updated join scripts need to be executed. This can be done in two ways: Either using the UMC module Domain join or by running the command univention-run-join-scripts as user root.

Subsequently the UCS system needs to be restarted.

§Chapter 5. Further notes on selected packages

§5.1. Collection of usage statistics

Anonymous usage statistics on the use of Univention Management Console are collected when using the UCS Core Edition (which is generally used for evaluating UCS). The modules opened are logged in an instance of the web traffic analysis tool Piwik. This makes it possible for Univention to tailor the development of Univention Management Console better to customer needs and carry out usability improvements.

This logging is only performed when the UCS Core Edition license is used. The license status can be verified via the menu entry License -> License information of the user menu in the upper right corner of Univention Management Console. If UCS Core Edition is listed under License type, this version is in use. When a regular UCS license is used, no usage statistics are collected.

Independent of the license used, the statistics generation can be deactivated by setting the Univention Configuration Registry variable umc/web/piwik to false.

§5.2. Scope of security support for WebKit, Konqueror and QtWebKit

WebKit, Konqueror and QtWebKit are shipped in the maintained branch of the UCS repository, but not covered by security support. WebKit is primarily used for displaying HTML help pages etc. Firefox should be used as web browser.

§5.3. Recommended browsers for the access to Univention Management Console

Univention Management Console uses numerous JavaScript and CSS functions to display the web interface. Cookies need to be permitted in the browser. The following browsers are recommended:

Chrome as of version 37
Firefox as of version 38
Internet Explorer as of version 11
Safari and Safari Mobile as of version 9

Users with older browsers may experience display or performance issues.

§Chapter 6. Changelog

Listed are the changes since UCS 4.1-4:

§6.1. General

All security updates issued for UCS 4.1-4 are included:

§6.2. Basic system services

§6.2.1. Univention Configuration Registry

The functionality to manage services has been changed to ignore processes running in a Docker container (Bug 40659).

§6.3. Domain services

§6.3.1. OpenLDAP

OpenLDAP has been re-built to make it Multi-Arch-aware (Bug 41558).

§6.4. Univention Management Console

§6.4.1. Univention Management Console web interface

Some help dialogs in the UMC where not displayed correctly. This has been fixed (Bug 43084).
The maximum request size can now be configured via the Univention Configuration Registry variable umc/http/max_request_body_size (Bug 42357).
The login dialog after a session timeout is now centered on the view-port and not at the top of the page. Making the login immediately possible without the need to scroll to the top (Bug 40492).
The UMC overview page shows a banner that links to the Univention Summit website (Bug 42979).
Erroneous pop-ups when clicking a non UMC module link on the overview page are no longer generated (Bug 42980).

§6.4.2. Univention App Center

The App Center now uses a different directory for special temporary files for Docker Apps to avoid problems with the sysvinit's tmp cleanup (Bug 44387).
Notifications about App updates of Docker Apps were not sent. This has been corrected (Bug 44148).
When an App sets it HTTP port to 0, disable the HTTP link for the App Center link and for the ucs-overview link (Bug 43657).
A bug in detecting apps on domain hosts has been fixed (Bug 41801).
Docker Apps now support UDP ports to be opened (Bug 43108).
In case the App Center runs in container mode, join scripts etc. are not copied to the system (Bug 42934).
The backend now correctly determines whether an App is a UCS component (Bug 43363).
Container passwords aren't changed anymore during container upgrades (Bug 45290).
A script can now be run after configuring an App (Bug 43838).
AdditionalPackages defined by the App are no longer removed when uninstalling an app (Bug 44772).
The documentation has been extended (Bug 42761).
Added the command univention-app dev-set to support development tools (Bug 43040).
For developers, reverting a local App Center does remove the App Center directories completely (Bug 43074).
When upgrading from a Non-Docker version to a Docker version, the old version was removed even the installation process of the new version was not successful (Bug 42969).
The ini attribute License is now passed to the frontend (Bug 42798).
Hiding dockerized versions of installed Apps did not work when upgrading from UCS 4.0 (Bug 43075).
Adjust code so that other projects may extend the App Center lib (Bug 42834).
Start App container with the hosts proxy settings by default (Bug 44785).
If the download of App meta data via zsync fails, the archive is downloaded via an HTTPS request (Bug 45291).
Fixed the utility function for creating LDAP objects not honoring existing objects (Bug 42928).
When trying to upgrade to a Docker version of a formerly Non-Docker App, a link to a migration guide is shown if available (Bug 43038).
Admin credentials are now passed to a preinst script during App installation / upgrade (Bug 44655).
App Logos are linked to the UMC front-end immediately after the initial System setup (Bug 45748).

§6.4.3. Univention Directory Manager UMC modules and command line interface

The Python API for UDM modules finds the superordinate object automatically if it is not given (Bug 43423).
An error was fixed that prevented syntax classes which were set via Univention Configuration Registry to be used with a ComboBox widget (Bug 43094).
If a user template defined a default value for mailHomeServer, the value has not been set. This has been fixed (Bug 42903).
UDM objects with the object flags synced and docker can now be deleted (Bug 44954).
Add missing dependency python-univention-license to fix error when using the univention.admin.license Python module (Bug 43298).
Removing objects which don't have sub-elements is now possible even if the LDAP admin size limit is reached (Bug 43236).
Objects underneath containers of superordinate entries like DHCP services are shown again in the tree view (Bug 43048).
Fixed a regression in UCS 4.1-3 Erratum 319 which caused failures in the Asterisk4UCS App module (Bug 43423).

§6.4.4. Modules for system settings / setup wizard

DNS settings are updated correctly when using app appliances (Bug 42944).
The screen-saver is now deactivated while configuring the system (Bug 42944).
Install univention-welcome-screen earlier in the setup process (Bug 42915).

§6.4.5. Univention Directory Reports

The Univention Directory Reports created via the UMC are now access protected (Bug 45680).

§6.4.6. License module

A fallback to the machine account has been added to univention_license_ldap_init() (Bug 35157).

§6.4.7. Software update module

The updater message for UCS releases that receive extended maintenance was clarified (Bug 45671).

§6.4.8. Policies

LDAP connections are now always TLS encrypted (Bug 43031).

§6.5. Software deployment

The Updater has been adapted for UCS 4.1-5 (Bug 45648).
The user-agent string has been extended with statistics (Bug 43107).

§6.6. System services

§6.6.1. Mail services

The package dependencies allow now to install Dovecot Pro instead of Dovecot from the Debian repositories (Bug 44567).
LDAP queries are now escaped correctly, when checking access for a restricted mailing list (Bug 41055).

§6.6.2. SSL

The local system SSL certificates are correctly regenerated during system join (Bug 44322).
The command sign has been added to univention-certificate to allow creating certificates for external Certificate Signing Requests (Bug 22085).
The local system SSL certificates are correctly regenerated when refreshing certificates (Bug 44322).

§6.6.3. Proxy services

The Squid proxy server now uses STARTTLS to encrypt all LDAP connections (Bug #43675) (Bug 43675).
Univention Configuration Registry variables squid/cache/format, squid/cache/directory, squid/cache/size, squid/cache/l1_size, squid/cache/l2_size to configure the cache settings have been added (Bug 37381).

§6.6.4. Apache

Exceptions for the apache2/force_https configuration can now be configured via Univention Configuration Registry. When apache2/force_https is enabled, by default localhost will be excluded (Bug 43603).

§6.7. Virtualization

§6.7.1. Univention Virtual Machine Manager (UVMM)

In some cases during live migration the KVM clock is not monotone, which leads to the virtual machine being stuck until the clock has caught up again. This has been fixed (Bug 45117).

§6.8. Container Technologies

Allow release update in container mode even if the UCS master's version is lower (Bug 42923).
Install package updates when updating the app in container mode (Bug 43177).
Restoring Univention Configuration Registry in container mode after an image exchange has been fixed (Bug 43324).

§6.9. Services for Windows

§6.9.1. Samba

The Univention Configuration Registry variables samba/client/min/protocol, samba/min/protocol and samba/client/max/protocol have been added. Please be aware that raising samba/min/protocol e.g. to SMB2 also requires raising samba/client/max/protocol to that value or higher (Bug 44646).
Samba 4.5 creates an DNS object _msdcs below the position CN=MicrosoftDNS,CN=System. If CN=System is still used by BIND9, the DRS replication will be stopped. This can only happen if Samba 4 was installed before UCS 4.0-4 and a Samba 4 system is installed or rejoined. This update removes the created DNS object and prevented its recreation (Bug 43288).

§6.9.2. Univention S4 Connector

A race condition between writing and reading cached data has been fixed (Bug 43235).
The mapping for LDAP attributes of DNS objects is now case insensitive (Bug 43259).
The synchronization of DNS zones now also works in special setups, where samba4/ldap/base differs from ldap/base (Bug 42393).
When adjusting a GPO security filter via Group Policy Management Console repeatedly in a short time, the S4-Connector could revert changes, depending on timing. Now the S4-Connector checks if a change has happened in Samba/AD since the last sync and avoids overwriting the attribute nTSecurityDescriptor in that case (Bug 41571).
The init-script has been fixed to check for an already running instance of the S4 connector. The PID file is removed on shutdown. The status action has been added, too (Bug 40659).
An issue with renaming windows clients has been fixed (Bug 43321).
Rejects for DNs containing non-ASCII characters could not be saved, because python-sqlite3 doesn't accept UTF-8, causing rejects not to be visible but keeping the S4-Connector retrying endlessly, flooding the logs with rejects (Bug 44291).
Fix handling of Printer-Admins and searching for conflicting deleted objects by objectsid (Bug 44289).
Added new Univention Configuration Registry variables connector/s4/mapping/{gpo,wmifilter,msprintconnectionpolicy}/syncmode (Bug 43629).
UCS@school specific settings have been moved into the join script (Bug 45329).
Sync client initiated renaming of Windows machine accounts from Samba/AD to OpenLDAP (Bug 37388).
DNs of Windows clients joined from the client itself where not in sync with the corresponding OpenLDAP DNs (Bug 40435).

§6.9.3. Univention Active Directory Connection

The AD-Connector can now handle sync_mode configuration on a per attribute granularity (Bug 42618).
The LDAP modification list can now be logged in case of a trace-back if the changes are synchronized from UCS to Active Directory (Bug 29988).
The samAccountName synchronization for Windows clients has been set to write only because a changed samAccountName attribute in Active Directory is handled via the CN synchronization (Bug 43229).
The lookup for the LDAP base DN of the Active Directory server has been fixed (Bug 40816).
The mapping for the MS-Exchange related attribute proxyAddresses has been revised to synchronize the OpenLDAP attribute mailPrimaryAddress with the default value configured in proxyAddresses (Bug 43216). In detail:
1. When reading from Active Directory, the value with SMTP: prefix is now written to the OpenLDAP attribute mailPrimaryAddress. Before this update mailPrimaryAddress used to be synchronized with the value of the Active Directory mail attribute instead. The Active Directory mail attribute has informative character.
2. In the other direction, i.e. writing from OpenLDAP to Active Directory, the value of mailPrimaryAddress continues to be written to the mail attribute and now additionally gets written into the proxyAddresses as default value, i.e. prefixed with SMTP:.
3. smtp: prefixed values in proxyAddresses continue to be synchronized with OpenLDAP mailAlternativeAddress
A race condition between writing and reading cached data has been fixed (Bug 42507).

§6.10. Other changes

Add missing INIT INFO headers in various packages to help the update to UCS 4.2 (Bug 45109, ).
New leap second 2016-12-31 23:59:60 UTC as per IERS Bulletin C 52 in tzdata (Bug 42877).
The root SSL certificate used for the UCS domain is now registered as a trusted root certificate for all applications using /etc/ssl/certs/ (Bug 39179).
Joining a UCS system into a domain now works for hostnames, where the corresponding host LDAP entry was created using a different casing (Bug 39068).
Redirect warning messages to join.log in univention-join (Bug 43381).
The syslog configuration has been extended to allow logging to remote hosts. Several protocols are supported:
UDP
fast, but messages can get lost or get dropped in congested networks.
TCP
more reliable, but can block the sending syslog daemon.
RELP
reliable, but non standard; can also block the syslog daemon.
Sending must be enabled explicitly. For this the new Univention Configuration Registry variables syslog/remote, syslog/remote/fallback and syslog/remote/selector have been added. Receiving must also be enabled explicitly. For this the new Univention Configuration Registry variables syslog/input/udp, syslog/input/tdp and syslog/input/relp have been added. Please note, that log messages are sent unencrypted and in clear text! It is recommended to use this only in protected networks, as passwords and other sensitive data might leak otherwise (Bug 15728).
The configuration for logrotate has been extended to allow a file-by-file configuration through the Univention Configuration Registry variables logrotate/$facility/.... All remaining files are handled by logroate/syslog-other/... (Bug 41816).
Several new Univention Configuration Registry variables syslog/... have been added to enable/disable logging of events of certain facilities to the corresponding targets:
syslog/auth
/var/log/auth.log
syslog/cron
/var/log/cron.log
syslog/kern
/var/log/kern.log
syslog/daemon
/var/log/daemon.log
syslog/user
/var/log/user.log
syslog/lpr
/var/log/lpr.log
syslog/mail
/var/log/mail.*
syslog/news
/var/log/news.*
syslog/syslog
/var/log/syslog (catch-all for all messages)
syslog/debug
/var/log/debug (only debug messages)
syslog/messages
/var/log/messages (all except debug and errors)
syslog/xconsole
/dev/xconsole (used by graphical console)
The new Univention Configuration Registry variable syslog/syslog/avoid_duplicate_messages can be used to remove messages logged to other targets from /var/log/syslog. By default messages get logged multiple times. Further more the selector for certain files can now be customized through the following new Univention Configuration Registry variables: (Bug 41815).
syslog/syslog/selector
[*.*]
syslog/debug/selector
[*.=debug;auth,authpriv,news,mail.none]
syslog/messages/selector
[*.=info-warn;auth;authpriv;cron;daemon;mail;news.none]
syslog/xconsole/selector
[daemon,mail.*;news.err;*.debug-warn]