Table of Contents
With Univention Corporate Server 4.2-3, the third point release of Univention Corporate Server (UCS) 4.2 is now available. It provides several feature improvements and extensions, new properties as well as various improvements and bugfixes. An overview of the most important changes are:
The UMC system diagnostic module has been extended with a large amount of additional tests. They the administrator to check the system health of the UCS system and the whole domain.
The management system usability and configureability has been expanded. Wizards and dialogs have been redesigned regarding their useability. Additional configuration options for the single sign-on have been added, e.g. the certificate can now be configured.
When joining into an active directory domain, additional checks are now executed. This enables the detection of known issues which are shown to the user along with advice how to fix them.
Various security updates have been integrated into UCS 4.2-3, e.g. OpenLDAP, the Linux kernel, Samba, MySQL and PostgreSQL.
During the update some services in the domain may not be available temporarily, that is why the update should occur in a maintenance window. It is recommended to test the update in a separate test environment prior to the actual update. The test environment should be identical to the production environment. Depending on the system performance, network connection and the installed software the update will take between 20 minutes and several hours.
In environments with more than one UCS system, the update order of the UCS systems must be borne in mind:
The authoritative version of the LDAP directory service is maintained on the master domain controller and replicated to all the remaining LDAP servers of the UCS domain. As changes to the LDAP schema can occur during release updates, the master domain controller must always be the first system to be updated during a release update.
Starting with UCS 4.0, installation DVD are only provided for the x86 64 bit architecture (amd64). Existing 32 bit UCS 3 systems can still be updated to UCS 4.0 through the online repository or by using update DVD. The 32 bit architecture will be supported over the entire UCS 4 maintenance period.
It must be checked whether sufficient disk space is available. A standard installation requires a minimum of 6 GB of disk space. Depending on the scope of the existing installation, the update will require about another 1 GB of disk space for download and installation all packages.
For the update, a login should be performed on the system's local console as user root, and the update should be initiated there.
Alternatively, the update can be conducted using Univention Management Console.
Remote updating via SSH is not recommended as this may result in the update procedure being canceled, e.g., if the network connection is interrupted.
In consequence, this can affect the system severely.
If updating should occur over a network connection nevertheless, it must be verified that the update continues in case of disconnection from the network.
This can be achieved, e.g., using the tools screen and at. These tools are installed on all UCS system roles by default.
Following the update, new or updated join scripts need to be executed.
This can be done in two ways:
Either using the UMC module or by running the command univention-run-join-scripts as user root.
Subsequently the UCS system needs to be restarted.
Anonymous usage statistics on the use of Univention Management Console are collected when using the UCS Core Edition (which is generally used for evaluating UCS). The modules opened are logged in an instance of the web traffic analysis tool Piwik. This makes it possible for Univention to tailor the development of Univention Management Console better to customer needs and carry out usability improvements.
This logging is only performed when the UCS Core Edition license is used. The license status can be verified via the menu entry of the user menu in the upper right corner of Univention Management Console. If is listed under , this version is in use. When a regular UCS license is used, no usage statistics are collected.
Independent of the license used, the statistics generation can be deactivated by setting the Univention Configuration Registry variable umc/web/piwik to false.
WebKit, Konqueror and QtWebKit are shipped in the maintained branch of the UCS repository, but not covered by security support. WebKit is primarily used for displaying HTML help pages etc. Firefox should be used as web browser.
Univention Management Console uses numerous JavaScript and CSS functions to display the web interface. Cookies need to be permitted in the browser. The following browsers are recommended:
Chrome as of version 37
Firefox as of version 38
Internet Explorer as of version 11
Safari and Safari Mobile as of version 9
Users with older browsers may experience display or performance issues.
Listed are the changes since UCS 4.2-2:
All security updates issued for UCS 4.2-2 are included:
build-report.txt was removed from the Debian package univention-web(Bug 45391).
/var/www/univention/ has been disabled (Bug 45394).
max open files soft limit of the UMC server has been raised (Bug 45309).
checkboxes which used the boolean syntax in an extended attribute with a default value of 1 because they were detected as already activated. This behavior has been corrected (Bug 45066).
combobox widgets is shown again when the LDAP size limits are reached (Bug 44905).
Content-Security-Policy did not include https://piwik.univention.de if the Univention Configuration Registry umc/web/piwik had been set to false (Bug 45396).
PasswordFile settings (Bug 45543).
README information before installation (Bug 44002).
zsync fails, the archive is downloaded via an HTTPS request (Bug 45227).
krbtgt, guest or administrator (Bug 44333).
sambaAcctFlags attribute is now correctly set when the locked and deactivated properties are changed at once during modification of user objects (Bug 45287).
univention.admin.modules.update() is now thread safe (Bug 45540).
module has been renamed into obj in the stub methods of simpleHook (Bug 32375).
_domaincontroller_master._tcp SRV record will be replaced with the new one (Bug 43745).
admember.py (Bug 38442).
OrderedSet implementation has been added (Bug 45249).
backup/clean/max_age, backup/clean/min_backups and new function clean_old_backups (Bug 38554).
check_ad_account (Bug 44762).
add and modify of python-ldap are used to better handle SERVER_DOWN conditions.
This was broken since erratum 116 (Bug 45474).
PackageManger now also holds the APT lock to prevent errors in the App Center (Bug 43619).
ucs-sso.$domainname are now configurable via Univention Configuration Registry variables (Bug 40927).
saml/idp/show-errors (Bug 45393).
/var/www/saml/ has been disabled (Bug 45394).
umc/web/sso/enabled to false (Bug 45597).
30univention-nagios-client has to be re-executed or the Nagios service UNIVENTION_PACKAGE_STATUS needs to be added in the computer's Nagios settings in the Directory Management (Bug 40370).
UNIVENTION_SMBD Nagios service failed.
The service plugin has been fixed (Bug 45454).
nscd check has been fixed and should not incorrectly report the unknown program bound to nscd socket error anymore (Bug 45414).
name resolve order can now be set through Univention Configuration Registry variable samba/name/resolve/order (Bug 37946, Bug 36089).
univention-samba-lockedout and univention-samba-unlock to list the samba locked-out and unlock status of users have been added (Bug 35071).
<interfaces/primary> as a keyword for the Univention Configuration Registry variable samba/interfaces has been added.
Now, newly installed Samba 4 systems will set samba/interfaces to lo and the primary interface which is represented via interfaces/primary.
Thus, Samba will by default only listen on those two interfaces.
This can be configured afterwards via Univention Configuration Registry variables samba/interfaces, samba/interfaces/bindonly and samba/register/exclude/interfaces (Bug 35072).
samba/logonscript has been removed (Bug 41057).
univention-samba4-backup (Bug 38554).
Windows 10 default profile (default.V6) in univention-skel (Bug 44895).
postinst (Bug 41849).
/var/lib/samba/sysvol/ are found (Bug 45062).
samba-tool dbcheck --cross-ncs --fix --yes on update if there are inconsistencies.
A backup of /var/lib/samba/private/ is performed and the fix is skipped if the available disk space is too low (Bug 44635).
krbtgt account (and fix if possible) has been added (Bug 44333).
univention-adsearch now accepts multiple attributes in the LDAP filter (Bug 45134).
repository/mirror/recreate_packages has been changed to no, as re-creating the Packages files without the corresponding override files breaks debootstrap (Bug 45185).
nscd (Bug 40371).