UCS 4.2 Release Notes

Release notes for the installation and update of Univention Corporate Server (UCS) 4.2


Table of Contents

1. Release Highlights
2. Notes about the update
2.1. Recommended update order for environments with more than one UCS server
2.2. UCS installation DVD only available for 64 bit
3. Preparation of update
4. Postprocessing of the update
5. Further notes on selected packages
5.1. QEMU issues
5.2. Collection of usage statistics
5.3. Scope of security support for WebKit, Konqueror and QtWebKit
5.4. Recommended browsers for the access to Univention Management Console
6. Changelog
6.1. General
6.2. Univention Installer
6.3. Basic system services
6.3.1. Linux kernel and firmware packages
6.3.2. Univention Configuration Registry
6.3.2.1. Changes to templates and modules
6.3.3. Other system services
6.4. Domain services
6.4.1. OpenLDAP
6.4.1.1. LDAP ACL changes
6.4.1.2. Listener/Notifier domain replication
6.4.1.3. DNS server
6.4.1.4. DHCP server
6.5. Univention Management Console
6.5.1. Univention Management Console web interface
6.5.2. Univention Management Console server
6.5.3. Univention App Center
6.5.4. Univention Directory Manager UMC modules and command line interface
6.5.5. Modules for system settings / setup wizard
6.5.6. Software update module
6.5.7. Domain join module
6.5.8. Users module
6.5.9. DNS module
6.5.10. DHCP module
6.5.11. Policies
6.5.12. Filesystem quota module
6.6. Software deployment
6.7. Univention base libraries
6.8. System services
6.8.1. SAML
6.8.2. Univention self service
6.8.3. Kerberos
6.8.4. SSL
6.8.5. Proxy services
6.8.6. Apache
6.8.7. PAM / Local group cache
6.8.8. Other services
6.9. Virtualization
6.9.1. Univention Virtual Machine Manager (UVMM)
6.10. Container Technologies
6.11. Services for Windows
6.11.1. Samba
6.11.2. Univention S4 Connector
6.12. Other changes

§Chapter 1. Release Highlights

With Univention Corporate Server 4.2, the second minor release of Univention Corporate Server (UCS) is now available. It provides several substantial feature improvements and extensions, new properties as well as various improvements and bugfixes. An overview of the most important changes:

  • UCS 4.2 is based on Debian GNU/Linux 8 (Jessie). More than 16,000 source packages have been updated and adapted to the needs of UCS administrators. Selected core components, e.g. Linux Kernel (4.9), Docker (1.12) or QEMU (2.8) are more recent in UCS compared to Debian GNU/Linux 8.

  • From UCS 4.2, the management system offers a central portal for quick access to all applications in the environment, as well as the management of the various UCS instances. This allows users to access their applications more easily. The portal is configurable and can be adapted to individual needs.

  • The design and user experience have been improved further with UCS 4.2. For example, the password self service provides a simplified usage. The management system now uses SAML (Web Single Sign-On) by default, provided that the prerequisites, such as working name resolution, are given.

  • Samba has been updated to version 4.6.1. This includes various improvements in the areas of DRS replication, Active Directory compatibility, file services and printer handling, among other things. In addition, the performance has been improved in environments with many users.

§Chapter 2. Notes about the update

During the update, some services in the domain may be temporarily unavailable, so the update should be performed in a maintenance window. It is recommended to test the update in a separate test environment prior to the actual update. The test environment should be identical to the production environment. Depending on the system performance, network connection and the installed software, the update will take between 20 minutes and several hours.

§2.1. Recommended update order for environments with more than one UCS server

In environments with more than one UCS system, the update order of the UCS systems must be borne in mind:

The authoritative version of the LDAP directory service is maintained on the master domain controller and replicated to all the remaining LDAP servers of the UCS domain. As changes to the LDAP schema can occur during release updates, the master domain controller must always be the first system to be updated during a release update.

§2.2. UCS installation DVD only available for 64 bit

Starting with UCS 4.0, installation DVDs are only provided for the x86 64 bit architecture (amd64). Existing 32 bit UCS 3 systems can still be updated to UCS 4.0 through the online repository or by using update DVDs. The 32 bit architecture will be supported over the entire UCS 4 maintenance period.

§Chapter 3. Preparation of update

It must be checked whether sufficient disk space is available. A standard installation requires a minimum of 6 GB of disk space. Depending on the scope of the existing installation, the update will require about another 2 GB of disk space to download and install all packages.

For the update, a login should be performed on the system's local console as user root, and the update should be initiated there. Alternatively, the update can be conducted using Univention Management Console.

Remote updating via SSH is not recommended as this may result in the update procedure being canceled, e.g., if the network connection is interrupted. In consequence, this can affect the system severely. If updating should occur over a network connection nevertheless, it must be verified that the update continues in case of disconnection from the network. This can be achieved, e.g., using the tools screen and at. These tools are installed on all UCS system roles by default.

§Chapter 4. Postprocessing of the update

Following the update, new or updated join scripts need to be executed. This can be done in two ways: Either using the UMC module Domain join or by running the command univention-run-join-scripts as user root.

The packages univention-log-collector-server and univention-log-collector-client are no longer maintained. If these packages are installed, they should be removed.

With Univention Corporate Server 4.2, the OpenLDAP server by default denies the LDAP bind if passwords or the accounts are expired. This feature is not activated for systems updated to Univention Corporate Server 4.2, but can be activated by setting the Univention Configuration Registry variable ldap/shadowbind to true.

During the update, the Univention Configuration Registry settings nameserver* and dns/forwarder* are checked and adjusted automatically to ensure that the nameserver* variables only contain DNS servers that know about the UCS domain. This is done by running /usr/share/univention-server/univention-fix-ucr-dns once. We recommend checking the values of these Univention Configuration Registry variables after the update.

Subsequently the UCS system needs to be restarted.

§Chapter 5. Further notes on selected packages

§5.1. QEMU issues

For UCS-4.2 the package qemu has been updated from version 1.1 to version 2.8. Currently this leads to problems with

  • live migrating virtual machines from old to new versions of QEMU.
  • restoring of snapshots of running virtual machines, which have been created with an older version of QEMU.
  • restoring the state of old running virtual machines, which have been put into the state of suspended to disk with an older version of QEMU.

Univention is working on a solution and refers to article SDB 1384 for known temporary workarounds until then.

§5.2. Collection of usage statistics

Anonymous usage statistics on the use of Univention Management Console are collected when using the UCS Core Edition (which is generally used for evaluating UCS). The modules opened are logged in an instance of the web traffic analysis tool Piwik. This makes it possible for Univention to tailor the development of Univention Management Console better to customer needs and carry out usability improvements.

This logging is only performed when the UCS Core Edition license is used. The license status can be verified via the menu entry License -> License information of the user menu in the upper right corner of Univention Management Console. If UCS Core Edition is listed under License type, this version is in use. When a regular UCS license is used, no usage statistics are collected.

Independent of the license used, the statistics generation can be deactivated by setting the Univention Configuration Registry variable umc/web/piwik to false.

§5.3. Scope of security support for WebKit, Konqueror and QtWebKit

WebKit, Konqueror and QtWebKit are shipped in the maintained branch of the UCS repository, but not covered by security support. WebKit is primarily used for displaying HTML help pages etc. Firefox should be used as web browser.

§5.4. Recommended browsers for the access to Univention Management Console

Univention Management Console uses numerous JavaScript and CSS functions to display the web interface. Cookies need to be permitted in the browser. The following browsers are recommended:

  • Chrome as of version 37

  • Firefox as of version 38

  • Internet Explorer as of version 11

  • Safari and Safari Mobile as of version 9

Users with older browsers may experience display or performance issues.

§Chapter 6. Changelog

Listed are the changes since UCS 4.1-4 errata408:

§6.1. General

  • The Debian basis has been updated from Debian 7 (Wheezy) to Debian 8 (Jessie) (Bug 43560, Bug 41930, Bug 41929, Bug 44146). This means, among other things, the following upgrades:

    • Apache has been updated to 2.4.10.
    • The BIND DNS server has been updated to 9.9.5.
    • OpenSSH has been updated to 6.7.
    • Perl has been updated to 5.20.2.
    • PHP has been updated to 5.6.30.
    • Postfix has been updated to 2.11.3.
    • UCS ships with systemd-sysv as default init system. This package is installed automatically on upgrades. All UCS init shell scripts have been made LSB compliant to be compatible with systemd. If custom init scripts are used or standard UCS init scripts have been modified, please be aware that these may now have been superseded by systemd unit files or systemd itself (Bug 43330).
  • The codename for UCS 4.2 has been set to Lesum (Bug 42054).

§6.2. Univention Installer

  • The installer now supports POSIX shared memory objects for non-privileged processes during the installation in the chroot (Bug 43915).

§6.3. Basic system services

§6.3.1. Linux kernel and firmware packages

  • The Linux kernel has been updated to 4.9.13 (Bug 42048, Bug 42047).
  • The kernel modules openafs-modules-dkms, blktap-dkms, virtualbox-dkms, virtualbox-guest-dkms, open-vm-tools-dkms, backfire-dkms and oss4-dkms have been updated to be compatible with the new Linux kernel 4.9. The modules iscsitarget-dkms and xtables-addons-dkms are no longer supported (Bug 42049).

§6.3.2. Univention Configuration Registry

  • The maximum transfer unit (MTU) for network interfaces can now be configured through the new Univention Configuration Registry variable interfaces/interface/mtu (Bug 35814).
  • The functions remove_ucr_template and remove_ucr_info_file from the shell library ucr.sh have been deprecated. The library itself was moved into the package univention-config (Bug 27872).
  • ucr update is now automatically called when Univention Configuration Registry template files are added/modified/removed (Bug 23737).
  • Univention Configuration Registry now loads its data atomically to fix a problem when multiple threads access the database concurrently (Bug 37402).
  • The robustness of the services module has been improved to better handle process changes (Bug 34234).
  • An internal fallback implementation for pipes.quote() was added to fix an upgrade issue while python is not configured (Bug 43341).
  • The Python implementation has been changed to follow the Python contract for dictionaries, with one exception: The method get() still returns None instead of raising the exception KeyError when the key is not found, as this is still required to be compatible with previous releases (Bug 33101).

§6.3.2.1. Changes to templates and modules

  • The */autostart Univention Configuration Registry variables are now handled by a generic Univention Configuration Registry module. The variables are still used in the individual init-scripts for backward compatibility with the classic System V init system, but are shadowed by the corresponding systemd mechanisms to enable/disable and mask/unmask services (Bug 43470).

§6.3.3. Other system services

  • Several network start scripts have been adapted to work with systemd (Bug 42380).

§6.4. Domain services

§6.4.1. OpenLDAP

  • The overlay module shadowbind has been added. This module checks shadowExpire and shadowMax/shadowLastChange of the bind DN object and denies the login if the account or the password is expired. The overlay can be enabled/disabled with the Univention Configuration Registry variable ldap/shadowbind. An ignore LDAP filter (shadowbind does not check account/password expiry if the bind DN object matches this filter) can be configured with the Univention Configuration Registry variable ldap/shadowbind/ignorefilter (Bug 36215).
  • If the slapd is already running when trying to start, the init-script does not signal failure anymore. A 5 second delay when starting slapd was removed (Bug 43450).
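
Before setting ldap/shadowbind to true on an updated system, it helps to know which bind DNs would start to be refused. The following is an added example, not Univention's code: it applies an expiry check to entries in the python-ldap result shape. The comparison operators, the treatment of unset values, the is_ignored_example predicate standing in for ldap/shadowbind/ignorefilter and the sample entries are assumptions.

```python
from datetime import date

EPOCH = date(1970, 1, 1)


def days_since_epoch(day):
    """shadow* attributes count whole days since 1970-01-01."""
    return (day - EPOCH).days


def int_attr(attrs, name):
    """First value of an LDAP attribute as int, or None if absent or not numeric."""
    values = attrs.get(name) or []
    if not values:
        return None
    raw = values[0]
    if isinstance(raw, bytes):
        raw = raw.decode("ascii", "replace")
    try:
        return int(raw)
    except ValueError:
        return None


def bind_denial_reason(attrs, today):
    """Return why a bind would be refused under the assumed rules, or None."""
    now = days_since_epoch(today)
    # Assumption: missing or non-positive values mean "not set".
    expire = int_attr(attrs, "shadowExpire")
    if expire is not None and expire > 0 and now >= expire:
        return "account expired"
    last_change = int_attr(attrs, "shadowLastChange")
    max_age = int_attr(attrs, "shadowMax")
    if (last_change is not None and max_age is not None
            and last_change > 0 and max_age > 0
            and now - last_change > max_age):
        return "password expired"
    return None


def audit(entries, today, ignore=None):
    """List (dn, reason) for every entry whose bind would be refused."""
    findings = []
    for dn, attrs in entries:
        if ignore is not None and ignore(dn, attrs):
            continue  # entry is exempt, as with a matching ignore filter
        reason = bind_denial_reason(attrs, today)
        if reason:
            findings.append((dn, reason))
    return findings


def is_ignored_example(dn, attrs):
    """Hypothetical stand-in for an ignore filter: exempt a constructed class."""
    return b"exampleServiceAccount" in attrs.get("objectClass", [])


def day_value(year, month, day):
    """Encode a calendar date the way the directory stores it."""
    return str(days_since_epoch(date(year, month, day))).encode("ascii")


# Constructed sample entries (not taken from a real directory).
SAMPLE_ENTRIES = [
    ("uid=alice,cn=users,dc=example,dc=test", {
        "shadowLastChange": [day_value(2017, 3, 1)], "shadowMax": [b"90"]}),
    ("uid=bob,cn=users,dc=example,dc=test", {
        "shadowExpire": [day_value(2017, 1, 31)]}),
    ("uid=carol,cn=users,dc=example,dc=test", {
        "shadowLastChange": [day_value(2016, 10, 1)], "shadowMax": [b"90"]}),
    ("uid=backup-svc,cn=users,dc=example,dc=test", {
        "objectClass": [b"exampleServiceAccount"],
        "shadowLastChange": [day_value(2016, 10, 1)], "shadowMax": [b"90"]}),
    ("uid=dave,cn=users,dc=example,dc=test", {
        "shadowMax": [b"90"]}),  # no shadowLastChange: age cannot be evaluated
]

if __name__ == "__main__":
    for dn, reason in audit(SAMPLE_ENTRIES, date(2017, 4, 4), is_ignored_example):
        print("%s: %s" % (dn, reason))
```

Service accounts that bind with long-lived passwords are the usual surprise here, which is why the audit accepts an exemption predicate.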

§6.4.1.1. LDAP ACL changes

  • The slapd configuration option add_content_acl has been turned on (Bug 41797).
  • The overlay module constraint has been enabled. Security restrictions for the attributes uidNumber and gidNumber have been added. The value "0" is no longer valid for these attributes (Bug 43312).

§6.4.1.2. Listener/Notifier domain replication

  • The Listener daemon is now compiled with hardening options and return code checks have been improved (Bug 26039).
  • Kerberos support was removed from the Listener (Bug 42678).
  • The Listener cache backend has been converted to LMDB (Bug 23367).

§6.4.1.3. DNS server

  • The timeout and retry handling of the BIND9 LDAP database plugin has been improved (Bug 42389).
  • During the update of DNS servers having univention-bind installed the Univention Configuration Registry settings nameserver123 and dns/forwarder123 are checked and fixed automatically. This is done by running /usr/share/univention-server/univention-fix-ucr-dns once (Bug 43217, Bug 44208).
  • The legacy System V init scripts univention-bind and univention-bind-proxy have been removed. The services are now handled through the System V init script bind9 and the systemd service unit file bind9.service (Bug 43690).

§6.4.1.4. DHCP server

  • Quoting of the server name has been added (Bug 42240).

§6.5. Univention Management Console

§6.5.1. Univention Management Console web interface

  • The general design of the web interface has been improved. Several aspects of the design are borrowed from the Google Material Design guidelines. All Univention web interfaces now reside below /univention, e.g., Univention Management Console has moved from /univention-management-console to /univention (Bug 42261, Bug 42228, Bug 42264, Bug 43451, Bug 42266, Bug 43528, Bug 44007, Bug 44059, Bug 43531).
  • A central portal site has been added to UCS. It provides a central site which shows all installed Apps in a UCS domain. Furthermore, the portal page can be configured and customized (Bug 42233, Bug 42175, Bug 42231, Bug 43495, Bug 43670, Bug 43887, Bug 43932, Bug 43933, Bug 42235, Bug 43928, Bug 44018, Bug 44048, Bug 44070).
  • A server overview site has been added to UCS. It allows searching for and navigating to particular server instances in the UCS domain (Bug 43595, Bug 43680).
  • JavaScript and CSS code has been moved from Univention Management Console into a generic and separate web library that can be used by other web applications, as well (Bug 38824).
  • Global menu entries can now be defined via JavaScript hook modules. A JavaScript hook module needs to be placed as module in the JavaScript directory umc/hook and it needs to be defined via the Univention Configuration Registry variable umc/web/hooks/<packageName>=<javaScriptModule> (Bug 42263).
  • Improved internationalization for JavaScript files in UMC (Bug 42293).
  • The correct service name is shown when the start behavior is configured through the Univention Configuration Registry variable umc/http/autostart (Bug 42340).
  • Various security improvements have been made to guard against Cross Site Request Forgery (XSRF), Cross Site Scripting (XSS) and Clickjacking attacks. The HTTP response headers X-Frame-Options, Content-Security-Policy, X-Content-Type-Options, X-XSS-Protection and X-Permitted-Cross-Domain-Policies are now set by default (Bug 39733, Bug 39731).
  • A menu entry for changing the language has been added (Bug 40612).
  • A menu entry for downloading the root certificate and certificate revocation list has been added (Bug 43695).
  • In certain situations it was possible that the translations were mixed. This has been fixed (Bug 38370).
  • Traceback reports do not require an authenticated session anymore and can be sent anonymously (Bug 42169).
  • Plural forms for translations are now supported in the JavaScript code (Bug 42220).
  • The JavaScript libraries dojo (1.12.1), xstyle (3.2.0) and dgrid (1.1.0) have been updated (Bug 42291).
  • Data grids now have a dynamic height depending on the number of items in it, instead of a fixed height (Bug 32027, Bug 43630).
  • The design of the login dialog has been restructured and moved into a single login page. By default the login to Univention Management Console now uses the SAML Single Sign On login mechanism. The session timeout has been increased to 8 hours of inactivity (Bug 42174, Bug 43918).
  • The French translation has been updated w.r.t. the new structure of the web packages (Bug 43462).

§6.5.2. Univention Management Console server

  • The correct service name is shown when the start behavior is configured through the Univention Configuration Registry variable umc/server/autostart (Bug 42339).
  • A crash in the UMC server has been fixed which could occur during connecting to module processes under heavy load (Bug 43713).
  • UMC modules are now able to serve requests for unauthenticated clients (Bug 42114).

§6.5.3. Univention App Center

  • Docker Apps now send notifications after an App update. This fix was cherry picked from an upcoming 4.1-4 update (Bug 44148).
  • More characters in the version of an App are allowed (Bug 41905).
  • The version comparison for supported UCS Version has been fixed so that it does not fail on testing minor versions that are lower than the current version (Bug 43901).
  • Adjustments have been made to work with the new Docker version or other software components (Bug 43338, Bug 43607, Bug 43458).
  • The status message in the App details Page has been improved and shows the installed and candidate version (Bug 43905).
  • The App Center can now install certain Docker Apps from other UCS versions (Bug 43496, Bug 43662, Bug 43709).
  • Code cleanup where deprecated functions of Univention Directory Manager were used (Bug 43624).
  • Before UCS 4.2, the Docker init scripts were created as links. Since the new init scripts need unique identifiers, the init scripts are now copied from a default init script. All existing init scripts are migrated during the upgrade to UCS 4.2 (Bug 43674, Bug 44071).
  • To support systemd based containers, univention-appcenter-docker now asks docker to mount /run and /run/lock as tmpfs in newly created containers and pre-mounts /sys/fs/cgroup. Additionally it uses an adjusted seccomp profile, which allows the system call name_to_handle_at, which avoids granting SYS_ADMIN capabilities to containers (Bug 43455).
  • The command univention-app shell no longer implicitly sets the docker exec options -it. Instead, univention-app shell provides these options as parameters for interactive usage (Bug 44062).

§6.5.4. Univention Directory Manager UMC modules and command line interface

  • The existence of objects is now checked before initializing them (Bug 38110).
  • The syntax class ObjectFlag now accepts the value docker (which is used to mark computer objects that are created specifically for Docker App Containers); the corresponding attribute is now multivalued, making it possible to store more than one flag on an object (Bug 43148).
  • The UDM specific JavaScript widget LinkList has been moved to univention-management-console-module-udm from univention-management-console-frontend (Bug 42321).

§6.5.5. Modules for system settings / setup wizard

  • The setup wizard has been refactored to be a standalone web application (Bug 42172).
  • The package dbus-x11 is installed by default to silence firefox (Bug 36168).
  • The file /etc/localtime no longer is a symbolic link, but contains a copy of the time zone data (Bug 24090).

§6.5.6. Software update module

  • Illegal characters don't cause a crash when viewing the logfile anymore (Bug 41539).
  • During an update, the view is scrolling automatically with the last line of the log file (Bug 43508).

§6.5.7. Domain join module

  • The "execute pending join scripts" button is now grayed out if no unconfigured join scripts exist (Bug 35326).
  • Illegal characters don't cause a crash when viewing the logfile anymore (Bug 41539).

§6.5.8. Users module

  • An alternative tile view has been added to the user list which displays the users' profile pictures (Bug 42229, Bug 43868).
  • Templates used when creating new users now work for all properties regardless (Bug 43428).
  • The layout of user templates has been synchronized with the layout of the users modules (Bug 42765).
  • Some broken mappings of user templates have been fixed (Bug 29672).

§6.5.9. DNS module

  • The help and example for the DNS reverse zone subnet property has been improved (Bug 34131).
  • The description for the negative time-to-live property has been corrected (Bug 33165).
  • Long descriptions have been added to all DNS module properties (Bug 42820).
  • DNS names are now checked for validity according to RFC 2181. PTR entries are now shown in forward notation as IP addresses and can be searched for (Bug 25354).

§6.5.10. DHCP module

  • The DHCP modules now validate the input fields better and require a valid IP address or host name to be entered (Bug 33211).
  • Long descriptions have been added to all DHCP module properties (Bug 42820).
  • Listing policies for DHCP host entries now works with multiple DHCP services and for entries with none or multiple IP addresses (Bug 42849).
  • Support for dynamic address assignment using pools for known hosts has been improved (Bug 16923).
  • A memory leak has been fixed. A crash during startup if the LDAP server was unreachable has been fixed (Bug 31078).
  • DHCP options and DHCP statements can now be configured via Univention Management Console (Bug 32557).
  • The univention-dhcp package update script has been adjusted to tolerate temporary systemd related service restart failure (Bug 43651).

§6.5.11. Policies

  • The long descriptions of the DHCP server statements policy have been corrected (Bug 34441).

§6.5.12. Filesystem quota module

  • Clicking on an activated partition opens the quota settings for that partition (Bug 43507).

§6.6. Software deployment

  • The updater scripts preup.sh and postup.sh have been adapted to the needs of UCS 4.2 (Bug 42037).
  • The pre-check of the UCS 4.2 upgrade now checks if essential server role packages would be removed during the upgrade. In this case the upgrade process is stopped beforehand (Bug 39092).
  • The pre-check of the UCS 4.2 upgrade now ensures that all computer objects have valid LDAP object classes (Bug 41868).
  • To avoid errors in the UMC when choosing English as language, the pre-check of the UCS 4.2 upgrade now ensures that en_US is specified as available locale (Bug 44150).
  • The program univention-updater now also checks the locking status if the option --check is used (Bug 43625).

§6.7. Univention base libraries

  • The basic Univention LDAP Python library uldap.py now allows the deletion of the following LDAP attributes: univentionPortalBackground, univentionPortalLogo, univentionPortalEntryIcon and univentionUMCIcon (Bug 44019, Bug 44040).

§6.8. System services

§6.8.1. SAML

  • The package python-pysaml2 3.0.0-5 has been ported back from Debian Stretch (Bug 43547).
  • The package simplesamlphp 1.14.11-1 has been ported back from Debian Stretch (Bug 43783).
  • The Apache configuration has been adjusted (Bug 43708).

§6.8.2. Univention self service

  • The usability of the password self service module has been improved. In addition, the module has been updated to the UCS 4.2 web structure (Bug 42267, Bug 44111).
  • The self service links for the password reset and password change have been consolidated into one portal entry. If a password reset entry should be added to the portal, it can be created through the LDAP browse module (Bug 44102).
  • The self service now communicates directly with the UMC server instead of being proxied through a WSGI process (Bug 42132).

§6.8.3. Kerberos

  • The missing package conflicts between univention-heimdal-kdc and univention-heimdal-member were added (Bug 34258).
  • The Listener scripts for creating Kerberos keys were fixed to not drop root permissions (Bug 43409).
  • The Listener scripts for creating Kerberos keys were updated to use the new location of ktutil and kadmin (Bug 43492).
  • The list of supported encryption types in /etc/krb5.conf has been adjusted to make e.g. nsupdate work with the new Samba version (Bug 43850).

§6.8.4. SSL

  • During univention-system-setup, the certificate for the initially configured undefined-hostname.unassigned-domain is not recreated (Bug 43626, Bug 43983).
  • The root SSL certificate used for the UCS domain is now registered as a trusted root certificate for all applications using /etc/ssl/certs/ (Bug 39179, Bug 43811).

§6.8.5. Proxy services

  • The Squid proxy server was upgraded to version 3.4.8 and its configuration adapted (Bug 43580, Bug 43717, Bug 44210).
  • The Squid proxy server now uses STARTTLS to encrypt all LDAP connections (Bug 43676).
  • For squidguard a fix for the script update-squidguard was ported back from the 1.5-5 release (Bug 43581).

§6.8.6. Apache

  • Apache configuration files in the packages univention-apache, univention-novnc, univention-nagios and univention-system-activation have been adapted to Apache version 2.4 (Bug 42196, Bug 42296).
  • The SSL proxy peer checks for CN and for hostname have been disabled since newer Apache versions check this by default and the Docker container web interfaces are available via localhost (Bug 43813).
  • A robots.txt file has been added to the default server configuration which prevents search engines and similar web services from indexing the content delivered by Apache. During the upgrade to UCS 4.2 any existing robots.txt in /var/www/ will be backed up to robots.txt.orig (Bug 32521).

§6.8.7. PAM / Local group cache

  • The PAM configuration now uses the user_envfile option for reading files from the user home directory (Bug 43287).

§6.8.8. Other services

  • univention-tftp has been updated due to a newer syslinux version, which fixes the path to the pxelinux.0 binary.
  • univention-postgresql has been updated to support the newer postgresql-9.4 by adding a new univention-postgresql-9.4 and changing univention-postgresql to install that on new installations (Bug 43682).
  • univention-appcenter has been updated to support the newer univention-postgresql-9.4 (Bug 43682).
  • univention-printquota has been updated to support the newer univention-postgresql-9.4 (Bug 43682).
  • univention-pkgdb has been updated to support the newer univention-postgresql-9.4 (Bug 43682).
  • univention-bacula has been updated to support the newer univention-postgresql-9.4 (Bug 43682).

§6.9. Virtualization

§6.9.1. Univention Virtual Machine Manager (UVMM)

  • Profiles for UCS 4.2 and Windows Server 2016 have been added (Bug 44067).
  • Error handling has been improved (Bug 38634).
  • The start script for libvirtd has been updated to be compatible with systemd (Bug 43493).
  • libvirtd is no longer started through runit but through systemd (Bug 43875).
  • qemu, libvirt, VirtIO and related packages have been updated to newer versions. Live-migration and snapshots from previous versions might not work in all cases due to large changes in the code base. In such cases it is recommended to cleanly shut down the virtual machines before the upgrade and to cold-boot the virtual machines after the upgrade (Bug 38877).
  • univention-novnc was adapted: the start of the service has been moved to a later point in the installation (Bug 44067).

§6.10. Container Technologies

  • Docker has been updated to 1.12 (Bug 42282, Bug 43449, Bug 44006).
  • The Univention Configuration Registry variable docker/daemon/default/parameter/.* has been added to configure additional parameters for the Docker daemon (Bug 44033).
  • The parameter live-restore is now used by default (Bug 44033).
  • The Docker daemon is now started through systemd (Bug 44033).

§6.11. Services for Windows

§6.11.1. Samba

  • The Univention Directory Listener is restarted after the Univention Configuration Registry variable samba4/role gets set in the joinscript (Bug 43501).
  • Samba has been updated to version 4.6.1 (Bug 40661, Bug 42045, Bug 43681).
  • univention-samba4 has been adjusted to flush caches during initial install before committing the SYSVOL ACLs (Bug 41319).
  • Samba has been adjusted to avoid problems in case an administrator created a container CN=System somewhere (Bug 31763).
  • The samba4-idmap.py listener module has been improved to initialize the idmap during module resynchronization (Bug 42819).
  • The samba4-idmap.py listener module now flushes the samba gencache at the end of --direct-resync (Bug 41319).
  • univention-samba and univention-samba4 now use the interfaces defined in Univention Configuration Registry (Bug 43073).
  • samba_dnsupdate now avoids adding a _msdcs NS record if the corresponding SOA record is not present (Bug 43291).

§6.11.2. Univention S4 Connector

  • The escaping of LDAP filter expressions in the S4 Connector has been improved (Bug 32086).
  • The generation of filters from Univention Configuration Registry variable connector/s4/mapping/dns/ignorelist has been fixed (Bug 43397).
  • The S4 Connector can now handle large groups if Samba returns ranged results (Bug 41764).

§6.12. Other changes

  • All packages have been updated to no longer depend on deprecated packages and features (Bug 42183).
  • ucslint checks for missing quoting in function local variable assignments (Bug 41926).
  • ucslint checks Debian maintainer scripts for wrong comments naming a different maintainer script (Bug 32539).
  • ucslint warns of dependencies on transitional packages (Bug 37203).
  • ucslint checks were added to the build process of some packages (Bug 23837).
  • ucslint skips checking some generated files (Bug 43284).
  • The service portmap was renamed to rpcbind (Bug 36571).
  • The init scripts of all services have been made Linux Standard Base (LSB) compliant to allow insserv to automatically reorder them based on dependencies (Bug 38438). The test for insserv has been removed (Bug 43306).
  • The Univention Configuration Registry variable version/erratalevel gets reset to 0 (Bug 43300).
  • Renaming and moving objects into names containing a comma is now possible (Bug 43332).
  • The generation of the maintenance script to remove obsolete files from a local repository has been fixed: It no longer removes the cryptographic signatures of the updater scripts and dists/ directories required for network installation (Bug 39582). It also uses the correct path to remove obsolete packages (Bug 28048).
  • unbind() methods have been added to the classes univention.uldap and univention.admin.uldap (Bug 37519).
  • The class univention.lib.umc_connection.UMCConnection has been replaced with the new and more flexible class univention.lib.umc.Client (Bug 34498).
  • The following packages have been back-ported and built in order to update to the newer docker version: golang, containerd, golang-1.6, runc, golang-codegangsta-cli, golang-github-coreos-go-systemd, golang-github-docker-go-units, golang-github-opencontainers-specs, golang-github-seccomp-libseccomp-golang, golang-github-vishvananda-netlink, dh-golang, golang-dbus, golang-github-xeipuuv-gojsonschema, golang-testify, golang-github-xeipuuv-gojsonreference, golang-github-xeipuuv-gojsonpointer, golang-github-davecgh-go-spew, golang-github-pmezard-go-difflib, libseccomp, golang-github-vishvananda-netns, golang-objx (Bug 42282).
  • The following packages have been added to the maintained section of the software repository: python-cups, univention-mysql, recode, freetds, xmlrpc-epi, libwebp, uw-imap, firebird2.5 (Bug 42311, Bug 42509, Bug 43481).
  • The package xserver-xorg-input-all no longer depends on xserver-xorg-input-vmmouse since it is obsolete with the latest kernel changes (Bug 43460).
  • The package python-univention-directory-manager-legacy-ucd-tcs has been removed (Bug 41637).
  • The packages univention-log-collector-server and univention-log-collector-client have been removed from UCS (Bug 41638).
  • During the upgrade to UCS 4.2, it could happen that a restart of the SpamAssassin daemon failed due to old Perl modules. The updated perl package now ensures that the spamassassin package is updated beforehand (Bug 43534).
  • Some old packages like emacs23 are no longer part of Debian Jessie. Dependencies on such old packages have been updated to their replacements (Bug 43649).
  • Old custom firefox packages have been replaced with the Debian upstream package firefox-esr. During the update to Univention Corporate Server 4.2-0 the old packages are automatically replaced (Bug 42322).
  • The time service (TCP port 37) has been disabled and the corresponding UCR variables for the firewall accept rule are not set by default any longer. During update, the UCR variables for the firewall accept rule are unset (Bug 42109).
  • univention-join now uses SNTP for initial time sync (Bug 43987).
  • univention-firewall has been adapted to new iptables rules created by the upgraded docker service (Bug 43707).