UCS 4.2-2 Release Notes

Release notes for the installation and update of Univention Corporate Server (UCS) 4.2-2

Table of Contents

1. Release Highlights
2. Notes about the update
2.1. Recommended update order for environments with more than one UCS server
2.2. UCS installation DVD only available for 64 bit
3. Preparation of update
4. Postprocessing of the update
5. Further notes on selected packages
5.1. Collection of usage statistics
5.2. Scope of security support for WebKit, Konqueror and QtWebKit
5.3. Recommended browsers for the access to Univention Management Console
6. Changelog
6.1. General
6.2. Univention Installer
6.3. Basic system services
6.3.1. Univention Configuration Registry
6.4. Domain services
6.4.1. OpenLDAP
6.4.2. DNS server
6.4.3. DHCP server
6.5. Univention Management Console
6.5.1. Univention Management Console web interface
6.5.2. Univention Portal
6.5.3. Univention Management Console server
6.5.4. Univention App Center
6.5.5. Univention Directory Manager UMC modules and command line interface
6.5.6. Modules for system settings / setup wizard
6.5.7. Software update module
6.5.8. Domain join module
6.5.9. Users module
6.5.10. Univention Directory Reports
6.5.11. Process overview module
6.5.12. Policies
6.5.13. Univention Configuration Registry module
6.5.14. Other modules
6.6. Univention base libraries
6.7. System services
6.7.1. SAML
6.7.2. Mail services
6.7.3. Printing services
6.7.4. Nagios
6.7.5. Apache
6.7.6. PAM / Local group cache
6.7.7. NFS
6.8. Virtualization
6.8.1. Univention Virtual Machine Manager (UVMM)
6.9. Container Technologies
6.10. Services for Windows
6.10.1. Samba
6.10.2. Univention AD Takeover
6.10.3. Univention S4 Connector
6.10.4. Univention Active Directory Connection
6.11. Other changes

§Chapter 1. Release Highlights

With Univention Corporate Server 4.2-2, the second point release of Univention Corporate Server (UCS) 4.2 is now available. It provides several feature improvements and extensions, new properties as well as various improvements and bugfixes. The most important changes are:

  • The portal is now also easily usable in cloud setups. The services installed on UCS are directly accessible without further configuration steps. For this purpose, the portal converts existing links into relative links. For portal entries with multiple links, heuristic procedures are used to determine the best link.

  • The usability of the management system has been improved further. Users and groups can be copied, the error handling has been enhanced in various places and the performance has been increased.

  • Every app provider can now create simple app appliances through the App Provider Portal. App appliances bundle an app with UCS into a directly usable virtual machine. In addition, the integration depth of the apps can be significantly increased by so-called app settings. These can be created by the app provider simply via the provider portal without additional programming knowledge.

  • Various security updates have been integrated into UCS 4.2-2, e.g. OpenLDAP, the Linux kernel, Samba, MySQL and PostgreSQL.

§Chapter 2. Notes about the update

During the update, some services in the domain may be temporarily unavailable, which is why the update should take place in a maintenance window. It is recommended to test the update in a separate test environment before updating production; the test environment should be identical to the production environment. Depending on system performance, network connection and installed software, the update takes between 20 minutes and several hours.

§2.1. Recommended update order for environments with more than one UCS server

In environments with more than one UCS system, the update order of the UCS systems must be borne in mind:

The authoritative version of the LDAP directory service is maintained on the master domain controller and replicated to all the remaining LDAP servers of the UCS domain. As changes to the LDAP schema can occur during release updates, the master domain controller must always be the first system to be updated during a release update.

§2.2. UCS installation DVD only available for 64 bit

Starting with UCS 4.0, installation DVDs are only provided for the x86 64 bit architecture (amd64). Existing 32 bit UCS 3 systems can still be updated to UCS 4.0 through the online repository or by using update DVDs. The 32 bit architecture will be supported over the entire UCS 4 maintenance period.

§Chapter 3. Preparation of update

It must be checked whether sufficient disk space is available. A standard installation requires a minimum of 6 GB of disk space. Depending on the scope of the existing installation, the update will require about another 1 GB of disk space for downloading and installing all packages.

For the update, a login should be performed on the system's local console as user root, and the update should be initiated there. Alternatively, the update can be conducted using Univention Management Console.

Remote updating via SSH is not recommended, as the update procedure may be canceled if, e.g., the network connection is interrupted; this can affect the system severely. If the update must nevertheless be run over a network connection, it must be ensured that the update continues after a disconnection. This can be achieved, e.g., with the tools screen and at, which are installed on all UCS system roles by default.
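The following script is an added example, not part of UCS or of these release notes. It performs the checks from Chapter 3 (root login, free disk space, a reminder of the update order from Section 2.1) and then starts the release update inside a detached screen session, falling back to at, so that a dropped SSH connection does not cancel it. The command name univention-upgrade, its flags and the log path /var/log/univention/updater.log are not named on this page and are taken from the tool itself; verify them with `univention-upgrade --help` on your system before use.

```bash
#!/bin/bash
# Added example (not UCS code): pre-flight checks from Chapter 3, then a
# detached launch of the release update so that a dropped SSH session does
# not kill it. Run on the UCS system as root:  ./ucs-update.sh --run
set -u

TARGET_RELEASE="4.2-2"
# Chapter 3: roughly 1 GB extra for downloading and installing the packages;
# the threshold is expressed in KiB to match the output of df -k.
MIN_FREE_KIB=$((1024 * 1024))

# has_enough_space AVAIL_KIB MIN_KIB -> 0 when AVAIL_KIB is at least MIN_KIB
has_enough_space() {
    [ "$1" -ge "$2" ]
}

# free_kib PATH -> free KiB on the filesystem holding PATH (POSIX df output)
free_kib() {
    df -Pk "$1" | awk 'NR == 2 { print $4 }'
}

# update_command RELEASE -> the univention-upgrade invocation used below.
# --ignoressh/--ignoreterm skip the interactive SSH/terminal warnings so the
# command can run detached; --noninteractive answers the remaining prompts.
# (Flag names assumed from the tool's own help output, not from this page.)
update_command() {
    printf 'univention-upgrade --noninteractive --ignoressh --ignoreterm --updateto=%s' "$1"
}

# role_note ROLE -> reminder text for the update order in Section 2.1
role_note() {
    case "$1" in
        domaincontroller_master) echo "DC master: update this system first." ;;
        *) echo "Role $1: make sure the DC master already runs $TARGET_RELEASE." ;;
    esac
}

# launch_detached CMD -> run CMD in a logged, detached screen session, or
# queue it with at when screen is unavailable (both ship on every UCS role).
launch_detached() {
    local cmd="$1"
    if command -v screen >/dev/null 2>&1; then
        screen -L -dmS ucs-update bash -c "$cmd"
        echo "started in screen session 'ucs-update'; reattach with: screen -r ucs-update"
    else
        printf '%s\n' "$cmd" | at now
        echo "queued with at; follow progress in /var/log/univention/updater.log"
    fi
}

main() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root on the local console or via screen/at" >&2; return 1; }
    local avail
    avail=$(free_kib /)
    if ! has_enough_space "$avail" "$MIN_FREE_KIB"; then
        echo "only $((avail / 1024)) MiB free on /, need at least $((MIN_FREE_KIB / 1024)) MiB" >&2
        return 1
    fi
    role_note "$(ucr get server/role)"
    launch_detached "$(update_command "$TARGET_RELEASE")"
}

# Only act when explicitly asked; sourcing the file just defines the functions.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

After the detached update has finished, the postprocessing from Chapter 4 still applies: run univention-run-join-scripts as root (or use the Domain join UMC module) and then reboot the system. On roles other than the DC master, univention-run-join-scripts asks for domain credentials, which is why it is not chained into the detached command here.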

§Chapter 4. Postprocessing of the update

Following the update, new or updated join scripts need to be executed. This can be done in two ways: Either using the UMC module Domain join or by running the command univention-run-join-scripts as user root.

Subsequently the UCS system needs to be restarted.

§Chapter 5. Further notes on selected packages

§5.1. Collection of usage statistics

Anonymous usage statistics on the use of Univention Management Console are collected when the UCS Core Edition (which is generally used for evaluating UCS) is in use. The modules opened are logged to an instance of the web traffic analysis tool Piwik. This makes it possible for Univention to tailor the development of Univention Management Console better to customer needs and to carry out usability improvements.

This logging is only performed when the UCS Core Edition license is used. The license status can be verified via the menu entry License -> License information of the user menu in the upper right corner of Univention Management Console. If UCS Core Edition is listed under License type, this version is in use. When a regular UCS license is used, no usage statistics are collected.

Independent of the license used, the statistics generation can be deactivated by setting the Univention Configuration Registry variable umc/web/piwik to false.

§5.2. Scope of security support for WebKit, Konqueror and QtWebKit

WebKit, Konqueror and QtWebKit are shipped in the maintained branch of the UCS repository, but not covered by security support. WebKit is primarily used for displaying HTML help pages etc. Firefox should be used as web browser.

§5.3. Recommended browsers for the access to Univention Management Console

Univention Management Console uses numerous JavaScript and CSS functions to display the web interface. Cookies need to be permitted in the browser. The following browsers are recommended:

  • Chrome as of version 37

  • Firefox as of version 38

  • Internet Explorer as of version 11

  • Safari and Safari Mobile as of version 9

Users with older browsers may experience display or performance issues.

§Chapter 6. Changelog

Listed are the changes since UCS 4.2-1:

§6.1. General

§6.2. Univention Installer

  • Some profile settings have been adjusted to the new Firefox version for the System Setup after the installation (Bug 45321).

§6.3. Basic system services

§6.3.1. Univention Configuration Registry

  • A colon (:) in a Univention Configuration Registry variable name is now prohibited (Bug 25095).

§6.4. Domain services

§6.4.1. OpenLDAP

  • The LDAP overlay module pwd_scheme_kinit has been adapted to return more error information if authentication at the Kerberos server fails (Bug 44912).

§ LDAP schema changes

  • The LDAP attribute univentionUDMPropertyCopyable for extended attributes has been added (Bug 1567).
  • The new attribute univentionUDMPropertyCopyable is now indexed only if the attribute is known to the LDAP server (Bug 44909).

§6.4.2. DNS server

  • The BIND9 name server was not restarted after the automatic password change when using the LDAP backend. This has been fixed (Bug 45090).

§6.4.3. DHCP server

  • The runsv service for the DHCP server is now always started, even when the initial check of the configuration file /etc/dhcp/dhcpd.conf fails. Such a failure sometimes occurs when BIND and OpenLDAP start too slowly during boot, which was mis-detected as an error in the configuration file (Bug 45065).

§6.5. Univention Management Console

§6.5.1. Univention Management Console web interface

  • The button styling of referenced policy objects has been adapted (Bug 44066).
  • Hidden objects are no longer shown by default in a multi-object select widget (Bug 44044).
  • The design of disabled input fields has been improved to be more recognizable (Bug 43402).
  • No duplicated tool tips are shown anymore for the links in the footer of the login page (Bug 44072).
  • A check box to select all entries has been added to widgets with selection choices (Bug 19928).
  • Text in grid cells is now selectable (Bug 44481).
  • A display problem in tables with multiple lines per row has been corrected. Especially DNS zones were affected by this problem (Bug 44431).
  • The design of notifications has been adjusted (Bug 43658).
  • The uninstallation on a base system is now possible (Bug 44894).

§6.5.2. Univention Portal

  • The portal was empty on unjoined systems, so UMC could not be reached for the initial domain join after logging in. This has been fixed (Bug 44865).
  • The handling of portal links has been improved to be more robust. Links are now converted to relative links if possible (e.g., on EC2 DC master systems). For multiple links of one portal entry, the best matching link is now being chosen using a heuristic (Bug 44371).

§6.5.3. Univention Management Console server

  • Errors during connecting to the LDAP server are now handled (Bug 39963).
  • Errors during module initialization are now handled (Bug 44670).
  • The TLS security of the UMC server has been strengthened: SSLv3 is disabled and the TLS cipher list is now configurable via Univention Configuration Registry (Bug 40998).
  • The build utilities have been adjusted to enhance the creation of translation packages (Bug 44841).
  • The permissions of the log file /var/log/univention/ec2.log have been fixed (Bug 44803).
  • The keywords for the module search on the UMC overview page are now localized (Bug 34960).
  • A crash of the UMC server during uninstallation of a module is prevented (Bug 38375).
  • The UMC web server now falls back to English if the HTTP request specifies no language, which is the case for clients running UCS 4.1. This makes it possible to join UCS 4.1 appliances into UCS 4.2 domains (Bug 44719).
  • Using UMC was not possible with multiple Docker instances on the system: the browser then sent multiple cookies, so the session could not be detected. This has been fixed (Bug 45043).
  • A memory leak in the UMC server has been corrected; it caused the UMC web server to crash with [Errno 24] Too many open files (Bug 44965).
  • The uninstallation on a base system is now possible (Bug 44894).
  • Since erratum 139 the Univention Configuration Registry variable umc/module/timeout was no longer evaluated, so the connection to module processes was closed after 30 seconds. This has been fixed (Bug 45307).
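The cipher list of the UMC server is now configurable, and a list that admits RC4, 3DES, NULL or export suites would undo the hardening described above. The following shell functions are an added example, not UCS code: they expand an OpenSSL cipher string with the local libssl and flag weak families before the string is put into the UCR variable (its name is not given on this page; `ucr search cipher` on an updated system lists it), and probe a running endpoint for the protocol and cipher it actually negotiates. The weak-family list is this example's own choice, and the SSLv3 probe only works on an openssl binary built with ssl3 support; otherwise it is skipped.

```bash
#!/bin/bash
# Added example (not part of UCS): audit an OpenSSL cipher specification and
# probe a TLS endpoint. Requires the openssl command-line tool for the
# expansion and probe steps; is_weak_cipher and weak_in_list are pure.
set -u

# is_weak_cipher NAME -> 0 if NAME belongs to a family an administrative
# interface should not offer (null/export/RC4/DES/3DES/MD5/anonymous DH).
is_weak_cipher() {
    case "$1" in
        *NULL*|*EXP*|*RC4*|*DES*|*MD5*|*ADH*|*AECDH*) return 0 ;;
        *) return 1 ;;
    esac
}

# weak_in_list NAME... -> prints each weak NAME on its own line;
# returns 0 when none is weak, 1 otherwise.
weak_in_list() {
    local rc=0 name
    for name in "$@"; do
        if is_weak_cipher "$name"; then
            printf '%s\n' "$name"
            rc=1
        fi
    done
    return "$rc"
}

# audit_cipher_spec SPEC -> expands SPEC the way libssl will and reports weak
# entries; exit status 1 if any are present, 2 if SPEC is not valid.
audit_cipher_spec() {
    local spec="$1" names
    names=$(openssl ciphers "$spec") || return 2
    names=${names//:/ }
    # shellcheck disable=SC2086  # word splitting is intended here
    weak_in_list $names
}

# probe_tls HOST PORT -> negotiated protocol and cipher of a TLS 1.2 handshake,
# then checks that an SSLv3 ClientHello is refused when openssl supports -ssl3.
probe_tls() {
    local host="$1" port="$2"
    openssl s_client -connect "$host:$port" -servername "$host" -tls1_2 </dev/null 2>/dev/null \
        | grep -E '^[[:space:]]*(Protocol|Cipher)[[:space:]]*:'
    if openssl s_client -help 2>&1 | grep -q -- '-ssl3'; then
        if openssl s_client -connect "$host:$port" -ssl3 </dev/null >/dev/null 2>&1; then
            echo "WARNING: $host:$port still accepts SSLv3"
            return 1
        fi
        echo "SSLv3 refused by $host:$port"
    fi
}
```

Typical use: `audit_cipher_spec 'ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL'` before setting the variable, then `probe_tls ucs-master.example.com 443` after restarting the UMC web server (the host name is a placeholder). A non-zero exit from the audit means the expanded list contains a suite from one of the weak families and the string should be tightened first.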

§6.5.4. Univention App Center

  • The initial archives for the App Center meta data have been updated. This also adds Self Service to the software selection during system setup (Bug 44240).
  • Apps may now ship a file describing settings that can be applied dynamically (Bug 44872).
  • The host listing for an installed app incorrectly warned about limited manageability in some cases (Bug 44036).
  • A crash during creation of translation files when the name or description of an app is not set has been fixed (Bug 43896).
  • Docker Apps are now stopped before backing up their data (Bug 44763).
  • Fixed an issue while detecting the installation status during package updates (Bug 43079).
  • Improved speed of download routines for App meta data (Bug 43847).
  • Use docker cp to copy files into the container (Bug 44814).
  • An issue with zsync during univention-app update has been fixed (Bug 45180).

§6.5.5. Univention Directory Manager UMC modules and command line interface

  • Group and user objects can now be copied in UMC (Bug 1567).
  • The :umlauts modifier in the template mechanism of e.g. user templates now normalizes all characters (Bug 44370).
  • When creating policy objects the DN of the created object is returned (Bug 43150).
  • The LDAP base could not be modified via UMC anymore since erratum 39. This has been fixed (Bug 43395).
  • An error in the UDM Python interface has been fixed: default values containing template variables (e.g. the mail property of a user) were not reset, resulting in wrong default values when multiple objects were created at once (Bug 41092).
  • Moving or removing one's own user object is now prevented (Bug 42526).
  • Whether a create, modify or remove operation is permitted is now checked before the action is executed (Bug 39253).
  • Objects of type Settings: Service were not editable through the LDAP directory module. This has been fixed (Bug 30214).
  • An error when creating objects that already exist and reference policies has been fixed (Bug 38856).
  • The descriptions of properties belonging to print quota policies have been enhanced (Bug 39862).
  • The Span both columns option for extended attributes is functioning again (Bug 40487).
  • An error is prevented when trying to attach an unknown object class to an object (Bug 41802).
  • It is now possible to hide existing properties in the layout via an extended attribute (Bug 43373).
  • More descriptions have been added to the windows settings of user objects (Bug 40964).
  • The UDM CLI now shows a readable error message when the LDAP server is not available (Bug 43975).
  • The home share and home share path properties are now correctly displayed (Bug 37611).
  • It is now possible to remove values from Univention Configuration Registry policies via CLI (Bug 43562).
  • The udm --help output has been cleaned up to improve readability (Bug 31768).
  • The --position argument has been added to the --help output of the udm list command (Bug 29501).
  • The layout of container objects has been adapted so that the configuration options for default containers are visible on the General tab (Bug 33652).
  • The license evaluation now respects renamed default user and group names (Bug 33891).
  • Searching for the printmodel property in printer driver lists is working again (Bug 35925).
  • The DN of objects removed with udm remove --filter is now displayed (Bug 37285).
  • Legacy and unused code has been removed (Bug 29929).
  • The ObjectFlag syntax now allows the value synced (Bug 37676).
  • The syntax check for udm search filter has been improved (Bug 34276).
  • The performance of search filters for user objects has been improved (Bug 28633).
  • The output from the list command of the UDM CLI is now sorted (Bug 34180).
  • Legacy code related to custom attributes has been removed (Bug 41556).
  • The listener module for handling UDM extensions now removes old python files when the file was renamed (Bug 42862).
  • A programmatic error when creating container objects has been fixed (Bug 43396).
  • Error messages now contain more details in case of errors with invalid LDAP DN syntax (Bug 42403).
  • The remove operation of the UDM CLI now allows the option --ignore_not_exists (Bug 40737).
  • A package dependency to python-ipaddr has been added (Bug 28054).
  • Overwritten syntax classes for properties which are shown in a wizard for creating objects can now use ComboBox widgets (Bug 44847).
  • The options of objects are now sorted (Bug 41015).
  • A crash is prevented if a default container contains special characters such as a comma (Bug 42423).
  • A possible crash when loading widget definitions for UDM properties is now prevented (Bug 42466).
  • Some spelling mistakes in the UDM CLI Client have been corrected (Bug 31927).
  • Unused legacy code has been removed (Bug 43299).
  • Legacy code regarding the ordering number of extended attributes has been cleaned up (Bug 32781).
  • A lookup function for the users/self and users/passwd modules has been added for convenience (Bug 37623).
  • The error handling during adding hosts to nagios services has been improved (Bug 38362).
  • Temporary locking objects are now removed when an error occurs during object creation, so an object no longer has to be saved twice after the error has been resolved (Bug 41294).
  • It is currently possible to supply a wrong object type when modifying objects. As a preparation for preventing this, such cases are now reported in more detail in the log files (Bug 30368).
  • Passing univention.uldap.access() instances to UDM objects is handled more gracefully (Bug 41368).
  • The detection of DNS TXT and Host records has been improved to not detect objects as the wrong type (Bug 40839).
  • The description for the "options" property of extended attributes has been improved (Bug 39201).
  • An LDAP error is prevented when changing the user password and the "Change password on next login" option at the same time (Bug 42015).
  • Unused legacy code regarding container/dc objects has been removed (Bug 24374).
  • Some undefined python references have been fixed (Bug 36631).
  • Removing the IP range from a network object is possible again (Bug 35074).
  • The hosts property has been added to the settings/umc_operationset (Bug 25187).
  • The description property of settings/umc_operationset is now a required field (Bug 25189).
  • It was not possible to automatically get the next free IP address for a newly created computer object when the license was exceeded. This has been fixed (Bug 30351).
  • The group members of printer groups with multiple spool hosts are now detected correctly again (Bug 29707).
  • The validation when removing and modifying printers and printer groups has been corrected (Bug 40765).
  • The Spool Host label of printers and printer groups has been renamed into Print server (Bug 23888).
  • The e-mail property of a user is no longer copyable. The default values for empty properties are now properly evaluated after copying an object (Bug 44908).
  • Support lookup of specific attributes via PostReadControl (RFC 4527) (Bug 43628).
  • The tab that is opened when editing a user in a new tab can now be closed (Bug 40486).
  • LDAP attributes which are required by their schema are now marked as required in UMC (Bug 24601).
  • Some performance optimizations have been made for the modification of user and group objects (Bug 37081).
  • The next free sambaRID is used when only an S4 Connector with IPv6 is part of the domain (Bug 25058).
  • The error handling during creation of network objects with an invalid netmask has been improved (Bug 24828).
  • A regression in univention.admin.objects.get() has been fixed which made the Univention Corporate Client UMC configuration impossible (Bug 45116).
  • The mapping of the sambaWriteList property of shares has been corrected to not raise an exception if the value is not set (Bug 45207).

§6.5.6. Modules for system settings / setup wizard

  • It is possible again to install UCS systems without joining directly into any domain when no DNS server is configured during set up (Bug 43402).
  • Adapt univention-app-appliance to changes in UCS 4.2 branding. The package univention-system-activation has been updated to work with UCS 4.2 App Appliances (Bug 44523).
  • The license upload step was displayed first even if no license mail had been sent. This has been fixed (Bug 44910).
  • A crash during startup of the settings UMC modules has been fixed which occurred if certain values were not correctly encoded (Bug 28070).
  • The host name of a system which joins into an Active Directory domain is now restricted to 13 characters in the initial system configuration (Bug 40212).
  • The network configuration does not list TUN/TAP interfaces as configurable Ethernet interfaces anymore (Bug 33132).
  • The naming restrictions for bridge and bonding network interfaces have been adjusted so that a number in the name is no longer required (Bug 33131).
  • The error handling when executing system setup scripts has been improved (Bug 32817).
  • The startup of the welcome screen after the setup in appliance mode has been fixed (Bug 44061).
  • The license check during an app appliance join has been fixed (Bug 44995).
  • The univention-system-setup package now depends on gettext-base (Bug 38342).
  • A display error when configuring multiple network interfaces has been corrected (Bug 44194).
  • Fixed a typo on the appliance first steps overlay (Bug 45084).
  • The error handling during the initial system configuration has been improved (Bug 43152).
  • The handling of applying network settings in the setup wizard has been improved to be more robust against network timeouts (Bug 45280).

§6.5.7. Software update module

  • The temporary APT sources.list used for release updates is now removed if any of the pre-update scripts signals an abort condition (Bug 44821).
  • The check for QEMU virtual machines has been removed from the pre-update script (Bug 44842).
  • App updates that merely update software packages inside the App's Docker container are not displayed anymore as these updates are currently not supported through the App Center module (Bug 44623).

§6.5.8. Domain join module

§6.5.9. Users module

  • A warning is now shown if a user name is too long to be usable for a login on Windows clients (Bug 34973).

§6.5.10. Univention Directory Reports

  • The generation of PDF reports has been optimized: They are now generated with the RML language instead of LaTeX. LaTeX reports are still supported by installing the new package univention-directory-reports-latex (Bug 39239).
  • The PDF user report did not include all groups of the user (Bug 45231).

§6.5.11. Process overview module

  • The error handling has been improved when a process stops during the calculation of the CPU consumption of a process (Bug 38738).

§6.5.12. Policies

  • The join script 20univention-directory-policy now aborts on errors (Bug 40247).

§6.5.13. Univention Configuration Registry module

  • The validation of Univention Configuration Registry variable names has been improved (Bug 25095).

§6.5.14. Other modules

  • The start/stop/restart actions are prohibited now if the service is already in that state (Bug 36563).
  • The error handling during starting/stopping/restarting services has been improved: Upon error the service status is shown (Bug 36562).
  • A non-working proxy server is now classified as a critical error in the diagnostic module (Bug 36750).
  • An unset gateway causes an error message to be shown in the diagnostic module (Bug 42155).

§6.6. Univention base libraries

  • Legacy and unused code has been removed in univention-python (Bug 41234).

§6.7. System services

§6.7.1. SAML

  • Optimizations in the UDM module for SAML service providers have been done (Bug 41695).
  • The error handling during the SAML configuration of the UMC service provider has been improved (Bug 44966).
  • The univention-saml Apache site is now disabled upon package removal (Bug 41500).
  • The path to the packages unjoin script has been fixed (Bug 44815).
  • crudesaml has been updated to version 1.8. This corrects a segmentation fault in slapd which occurs during SAML authentication at the UMC server if the certificates are expired (Bug 45042).
  • A segmentation fault in pam-saml has been corrected, which caused the UMC server to crash in certain situations during loading of identity provider metadata (Bug 39355).

§6.7.2. Mail services

  • A regression has been fixed which was introduced in erratum 36. The regression prevented the delivery of mails to shared folders in Cyrus (Bug 44948).
  • The use of UDM utility functions has been corrected in the listener script dovecot_shared_folder.py (Bug 41368).

§6.7.3. Printing services

  • Old code from UCS 2.4 has been removed from the package univention-printserver (Bug 39419).

§6.7.4. Nagios

  • Fixed a nscd Nagios warning on systems with docker apps installed. The check now inspects the processes on the nscd socket instead of just counting the number of running nscd processes (Bug 42812).
  • Fix UNIVENTION_NSCD service (Bug 45186).

§6.7.5. Apache

  • The uninstallation on a base system is now possible (Bug 44894).

§6.7.6. PAM / Local group cache

  • UCS specific patches have been re-applied which got dropped for UCS 4.2-0. This includes the patch for Bug 29393, which allows configuring the memory for parsing large groups through the Univention Configuration Registry variable pamaccess/maxent (Bug 45039).

§6.7.7. NFS

  • Remove remaining HA support (Bug 32272).
  • Remove port 4660 from firewall (Bug 33254).
  • Start NFS server for first NFS share (Bug 45101).
  • Make RPCNFSDCOUNT configurable (Bug 25446).

§6.8. Virtualization

§6.8.1. Univention Virtual Machine Manager (UVMM)

  • It is now possible to open virtual machines in a new tab via the UMC module (Bug 24721).
  • The MAC address in the network interfaces view of a virtual machine can be selected again (Bug 44481).

§6.9. Container Technologies

  • UDM objects with the object flags synced and docker can now be deleted (Bug 43846).
  • The script univention-fix-ucr-dns is installed in Docker containers too (Bug 45040).
  • Disable update check on boot in container mode (Bug 45103).
  • The docker service is now restarted right after installation to ensure the correct storage backend is used immediately (Bug 44986).
  • The Univention firewall now always applies the Docker iptables rules, even if univention-firewall is disabled. This can be configured with the Univention Configuration Registry variable security/packetfilter/docker/disabled (Bug 44829).

§6.10. Services for Windows

§6.10.1. Samba

  • Skip re-provision of Samba on DC Master and DC Backup if the system already provides the S4-Connector service and sam.ldb and secrets.ldb look functional (Bug 44787).
  • Fixed an error in univention-samba4.prerm (Bug 44936).
  • Fixed an error message due to a missing phpldapadmin-config.php (Bug 33235).

§6.10.2. Univention AD Takeover

  • Unused legacy code has been removed (Bug 43299).

§6.10.3. Univention S4 Connector

  • Fix CNAME and PTR record deletion in the S4-Connector (Bug 43072).
  • Some objects were identified as the wrong object type. The identification handling has been fixed (Bug 44976).
  • It is possible to start the S4 Connector service process in foreground (Bug 45001).
  • During sync_to_ucs remember entryCSN of msGPO changes to be able to identify and skip them later in sync_from_ucs (Bug 43628).

§6.10.4. Univention Active Directory Connection

  • The error handling in the Active Directory setup has been improved for the case that no DNS servers are available when looking up the _domaincontroller_master._tcp SRV record (Bug 44849).

§6.11. Other changes

  • The package python-trml2pdf has been moved to maintained (Bug 39239).
  • Configure systemd-journald.service for time limited log retention (Bug 44234).
  • The packages univention-system-activation, phantomjs and univention-app-appliance are now maintained (Bug 44990).
  • The transition from bootsplash to welcome screen is now flicker free. Improved systemd integration for the welcome screen. Crashes and graphic errors on VirtualBox and VMware have been fixed. Always use framebuffer driver to ensure a working welcome screen (Bug 44061).
  • The welcome screen design has been improved and adapted to the UCS 4.2 design style. The FQDN has been removed from the screen (Bug 45031, Bug 45025).
  • Fix for hard to read status messages during boot because they were overlaid by the appliance logo (Bug 44952).
  • Fixed calling univention-fix-ucr-dns when no default gateway is set (Bug 45120).
  • The package libjsoncpp is now maintained as a new dependency of firefox-esr (Bug 44858).
  • The packages jquery-goodies and wxwidgets3.0 are now maintained as a new dependency of erlang (Bug 45216).