UCS 4.3 Release Notes

Release notes for the installation and update of Univention Corporate Server (UCS) 4.3-2

Table of Contents

1. Release Highlights
2. Notes about the update
2.1. Recommended update order for environments with more than one UCS server
2.2. UCS installation DVD only available for 64 bit
3. Preparation of update
4. Postprocessing of the update
5. Notes on selected packages
5.1. Collection of usage statistics
5.2. Scope of security support for WebKit, Konqueror and QtWebKit
5.3. Recommended browsers for the access to Univention Management Console
6. Changelog
6.1. General
6.2. Basic system services
6.2.1. Linux kernel and firmware packages
6.2.2. Univention Configuration Registry
       Changes to templates and modules
6.3. Domain services
6.3.1. OpenLDAP
       LDAP schema changes
       Listener/Notifier domain replication
6.3.2. DNS server
6.4. Univention Management Console
6.4.1. Univention Management Console web interface
6.4.2. Univention Management Console server
6.4.3. Univention App Center
6.4.4. Univention Directory Manager UMC modules and command line interface
6.4.5. Modules for system settings / setup wizard
6.4.6. Software update module
6.4.7. Domain join module
6.4.8. System diagnostic module
6.4.9. Other modules
6.5. Univention base libraries
6.6. Software deployment
6.7. System services
6.7.1. PostgreSQL
6.7.2. Docker
6.7.3. SAML
6.7.4. Dovecot
6.7.5. Postfix
6.7.6. Nagios
6.7.7. Proxy services
6.7.8. SSL
6.8. Virtualization
6.8.1. UCS Virtual Machine Manager (UVMM)
6.9. Services for Windows
6.9.1. Samba
6.9.2. Univention S4 Connector
6.9.3. Univention Active Directory Connection

§Chapter 1. Release Highlights

Univention Corporate Server 4.3-2 is the second point release of Univention Corporate Server (UCS) 4.3. It brings feature improvements and extensions, new properties, and a number of bugfixes. Here is an overview of the most important changes:

  • During the upgrade to new UCS release- or patchlevel versions, the Univention Management Console is put into maintenance mode. While the maintenance mode is active, the progress of the update is displayed on a simple web page.

  • Samba has been updated to version 4.7.8. For security reasons, authentication with NTLMv1 is no longer allowed: the default of the Univention Configuration Registry variable samba/ntlm/auth is now ntlmv2-only (see Section 6.9.1). If old systems or applications that absolutely require NTLMv1 are still in use, NTLMv1 can be re-enabled via that variable. Because NTLMv1 responses rest on weak, offline-crackable cryptography, such a setting should be treated as a temporary exception until those systems are replaced.

  • The installation wizard has been enhanced so that possible problems with domain join and the Internet connection can be identified and possible solutions can be shown before the installation starts.

  • A manually created or customized SAML configuration for a service can now be stored directly in LDAP. This configuration is then replicated to all identity providers involved in single sign-on in the domain.

  • The AD connector has been enhanced with tools to synchronize individual objects or entire subtrees again and to specifically remove rejects.

  • Various security updates have been integrated into UCS 4.3-2, e.g. Apache2, the Linux kernel and Samba4. A complete list is available in Chapter 6.

§Chapter 2. Notes about the update

During the update some services in the domain may be temporarily unavailable, which is why the update should be performed in a maintenance window. It is recommended to test the update in a separate test environment prior to the actual update; the test environment should be identical to the production environment. Depending on system performance, network connection and installed software, the update takes between 20 minutes and several hours.

§2.1. Recommended update order for environments with more than one UCS server

In environments with more than one UCS system, the update order of the UCS systems must be borne in mind:

The authoritative version of the LDAP directory service is maintained on the master domain controller and replicated to all the remaining LDAP servers of the UCS domain. As changes to the LDAP schema can occur during release updates, the master domain controller must always be the first system to be updated during a release update.

§2.2. UCS installation DVD only available for 64 bit

Starting with UCS 4.0, installation DVDs are only provided for the x86 64 bit architecture (amd64). Existing 32 bit UCS 3 systems can still be updated to UCS 4.0 through the online repository or by using update DVDs. The 32 bit architecture will be supported over the entire UCS 4 maintenance period.

§Chapter 3. Preparation of update

It must be checked whether sufficient disk space is available. A standard installation requires a minimum of 10 GB of disk space. The update requires approximately 4 GB additional disk space to download and install the packages, depending on the size of the existing installation.

For the update, a login should be performed on the system's local console as user root, and the update should be initiated there. Alternatively, the update can be conducted using Univention Management Console.

Remote updating via SSH is not recommended, as the update procedure may be canceled, e.g., if the network connection is interrupted, which can leave the system in a severely damaged state. If the update is nevertheless performed over a network connection, it must be ensured that the update continues after a disconnection from the network. This can be achieved, e.g., with the tools screen and at, which are installed on all UCS system roles by default.

§Chapter 4. Postprocessing of the update

Following the update, new or updated join scripts need to be executed. This can be done in two ways: Either using the UMC module Domain join or by running the command univention-run-join-scripts as user root.

Subsequently the UCS system needs to be restarted.
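
The preparation steps of Chapter 3 and the post-processing of Chapter 4, as an added shell example that is not part of the release notes or of Univention's tooling. It checks free space against the 4 GB figure given above, starts the updater inside a detached screen session so that a lost SSH connection cannot abort it, and prints the follow-up steps. The session name, the log path /var/log/univention/updater-screen.log and the univention-upgrade options --noninteractive, --ignoressh and --ignoreterm are assumptions; verify the options against univention-upgrade --help on your system.

```shell
#!/bin/sh
# Added example, not part of the UCS release notes or Univention's tooling.
# Pre-flight check and detached execution of a UCS release update.
# The 4 GB figure comes from the release notes; session name, log path and
# the univention-upgrade options are assumptions (check --help first).

# Free space, in whole GiB, on the filesystem holding the given path.
# df -P -k is POSIX, so this works on every UCS role.
free_gib() {
  df -P -k "$1" | awk 'NR == 2 { print int($4 / 1048576) }'
}

# check_update_space NEED_GIB PATH...
# Returns 0 if every path has NEED_GIB free, 1 if one is short,
# 2 if a path cannot be examined at all.
check_update_space() {
  need=$1; shift
  rc=0
  for mp in "$@"; do
    have=$(free_gib "$mp" 2>/dev/null)
    if [ -z "$have" ]; then
      echo "cannot examine $mp" >&2
      return 2
    fi
    if [ "$have" -lt "$need" ]; then
      echo "insufficient space on $mp: ${have} GiB free, ${need} GiB required" >&2
      rc=1
    fi
  done
  return $rc
}

# Start the updater in a detached screen session so that an SSH disconnect
# does not kill it. Assumptions: screen is installed (the notes say it is on
# all roles) and univention-upgrade accepts --noninteractive, --ignoressh
# and --ignoreterm, the latter two because the updater otherwise refuses to
# run under SSH or inside a screen terminal.
start_detached_update() {
  session=${1:-ucs-update}
  log=${2:-/var/log/univention/updater-screen.log}   # assumed path
  check_update_space 4 / /var || return $?
  screen -dmS "$session" sh -c \
    "univention-upgrade --noninteractive --ignoressh --ignoreterm >> '$log' 2>&1" \
    || return $?
  echo "updater running in screen session '$session'; follow it with: screen -r $session"
  echo "afterwards run univention-run-join-scripts as root and reboot (Chapter 4)"
}

# Alternative with at(1), also installed on all roles:
#   echo "univention-upgrade --noninteractive --ignoressh >> /var/log/univention/updater-screen.log 2>&1" | at now

echo "free space on /: $(free_gib /) GiB"
```

Run it as root; after reconnecting, screen -r shows the updater's terminal and the log file keeps the full output. The join scripts and the reboot from Chapter 4 are deliberately left to the administrator rather than automated, because both should happen only after the updater's exit status has been inspected.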

§Chapter 5. Notes on selected packages

§5.1. Collection of usage statistics

Anonymous usage statistics on the use of Univention Management Console are collected when using the UCS Core Edition. The modules opened get logged to an instance of the web traffic analysis tool Piwik. This makes it possible for Univention to tailor the development of Univention Management Console better to customer needs and carry out usability improvements.

This logging is only performed when the UCS Core Edition license is used. The license status can be verified via the menu entry License -> License information of the user menu in the upper right corner of Univention Management Console. If UCS Core Edition is listed under License type, this version is in use. When a regular UCS license is used, no usage statistics are collected.

Independent of the license used, the statistics generation can be deactivated by setting the Univention Configuration Registry variable umc/web/piwik to false.

§5.2. Scope of security support for WebKit, Konqueror and QtWebKit

WebKit, Konqueror and QtWebKit are shipped in the maintained branch of the UCS repository, but not covered by security support. WebKit is primarily used for displaying HTML help pages etc. Firefox should be used as web browser.

§5.3. Recommended browsers for the access to Univention Management Console

Univention Management Console uses numerous JavaScript and CSS functions to display the web interface. Cookies need to be permitted in the browser. The following browsers are recommended:

  • Chrome as of version 37

  • Firefox as of version 38

  • Internet Explorer as of version 11

  • Safari and Safari Mobile as of version 9

Users running older browsers may experience display or performance issues.

§Chapter 6. Changelog

Listed are the changes since UCS 4.3-1:

§6.1. General

§6.2. Basic system services

§6.2.1. Linux kernel and firmware packages

§6.2.2. Univention Configuration Registry

  • Relax dpkg trigger execution to noawait when Univention Configuration Registry templates are installed or updated (Bug 47356).

§ Changes to templates and modules

  • The Univention Configuration Registry template for /etc/rsyslog.conf has been fixed. Modules configured by the Univention Configuration Registry variables syslog/input/* are now activated correctly (Bug 47035).
  • Univention Configuration Registry autostart variables are now correctly evaluated across all scopes (Bug 46300).
  • Some configuration values of /etc/ssh/sshd_config were not mapped to Univention Configuration Registry variables (Bug 39704).

§6.3. Domain services

§6.3.1. OpenLDAP

  • Fix regression in erratum 155: the OpenLDAP server failed to start during system setup when updates were already installed during installation (Bug 47452).
  • Some debug message levels in LDAP overlays have been adjusted to more sensible values (Bug 47196).

§ LDAP schema changes

  • An LDAP schema of OX AppSuite is re-registered due to problems in the handling of the Univention App Center's DefaultMasterPackages (Bug 47581).

§ Listener/Notifier domain replication

  • Reconnect to LDAP server in case of an error (Bug 41514).

§6.3.2. DNS server

  • The BIND9 service is now a native systemd service and does not use runsv anymore (Bug 43689).

§6.4. Univention Management Console

§6.4.1. Univention Management Console web interface

  • The language sensitive sorting used in the grid via the Intl.Collator object is now used for other widgets as well (Bug 47195).
  • Fixed a bug where the calendar widget would not display the date (Bug 47201).
  • Some errors were not displayed correctly in the Inform vendor dialogs (Bug 47133).
  • An error in the conversion of SVG to PNG images has been resolved (Bug 47188).

§6.4.2. Univention Management Console server

  • Fix memory leak caused by Python notifier traceback handling (Bug 47114).
  • During a release update, Apache will serve the maintenance page instead of UMC (Bug 37223).
  • Enable bad password lockout policy in UMC (Bug 46978).
  • A problem with the SAML authentication which could lead to the UMC web interface becoming unresponsive has been fixed (Bug 46870).

§6.4.3. Univention App Center

  • The command univention-app logs has been introduced for Docker Apps (Bug 46433).
  • The univention-appcenter-listener-converter has been fixed (Bug 47644).
  • Fix memory leak caused by Python notifier traceback handling (Bug 47114).
  • Docker Apps no longer have a default for the attribute that controls which command is used to start the container. If not given, the command specified during the build of the image will now be used (Bug 42970).
  • The user root is used inside containers to run scripts (Bug 47340).
  • Timezone setup during docker app installations has been fixed (Bug 47373).
  • For processing asynchronous notifications the new service univention-appcenter-listener-converter has been added (Bug 47315).
  • A new Univention Directory Listener module has been added to notify Apps when relevant objects change in LDAP (Bug 47265).
  • Fix finding the wrong version in the App Cache. This issue could result in Apps being unregistered (Bug 47383).
  • Fixed a bug that made the installation of certain Apps impossible when invoked from a remote server (Bug 47158).
  • Certain Apps could not be upgraded when installed on a non-Master system (Bug 47253).
  • Improved cache performance of the App Center (Bug 46821).
  • The command univention-app took every App from every UCS version into consideration. Now non-Docker Apps are excluded when the UCS version of the App and the one of the system do not match (Bug 47187).

§6.4.4. Univention Directory Manager UMC modules and command line interface

  • The property Account is deactivated of a user object was wrongly considered to be empty and resulted in a notification in the UMC (Bug 47199).
  • Ignore case during change of attribute mailPrimaryAddress on user objects (Bug 47415).
  • Add support for DNS NS records (Bug 32626).

§6.4.5. Modules for system settings / setup wizard

  • Warn about already existing hostname when joining the system to the domain (Bug 46045).
  • Raise the required memory for UCS to 1 GB (Bug 45206).
  • Fix memory leak caused by Python notifier traceback handling (Bug 47114).
  • Warn about unreachable repository servers when configuring the system (Bug 47105).
  • Detect potential problems with the domain join when configuring the system (Bug 42022).
  • Improve error messages of join failures (Bug 42366).
  • Clarification what kind of updates are installed on the last page of the Univention System Setup (Bug 45931).

§6.4.6. Software update module

  • During a release update Univention Management Console will no longer be accessible. Instead a minimalistic web page informs about the progress of the update. UMC will be available again as soon as the update finished (Bug 37223).

§6.4.7. Domain join module

  • Exit samba slave PDC join scripts early if the system is not a UCS@school slave (Bug 47234).
  • Fix memory leak caused by Python notifier traceback handling (Bug 47114).
  • Add option to the univention-join tool for checking problems without altering the system (Bug 42022).
  • Improve error messages of join failures (Bug 42366).
  • univention-server-join now checks and reports conflicts in name, role, MAC and IP address to provide better error feedback (Bug 42124).

§6.4.8. System diagnostic module

  • Only show samba-tool dbcheck errors as critical (Bug 46197).

§6.4.9. Other modules

  • Fix UMC crashing on system time change (Bug 44222).

§6.5. Univention base libraries

  • The new Univention Configuration Registry variable ldap/attributeoptions has been added to configure the slapd.conf attributeoptions parameter. The default for attributeoptions has changed from entry- to entry-,lang- (Bug 47246).
  • Some debug message levels in LDAP overlays have been adjusted to more sensible values (Bug 47196).
  • Protect code of getMailFromMailOrUid from execution on module load (Bug 47206).

§6.6. Software deployment

  • Show a warning and allow examination of the updater.log file in UMC if the last release update failed (Bug 47592).
  • The progress of a release update is written to a status file so that the package univention-maintenance-mode may read it to update the progress accordingly (Bug 37223).
  • Code for the deprecated UCS-2.x and UCS-3.x repository layout has been removed (Bug 36719).
  • Network errors while trying to contact the update server do not result in a traceback anymore. Instead, a readable error message is shown (Bug 41536).

§6.7. System services

§6.7.1. PostgreSQL

  • Use deb-systemd-invoke stop "postgresql@$ver-*" to prevent upgrading/removing server packages from stopping other major version clusters when running systemd. (Use deb-systemd-invoke instead of invoke-rc.d; Jessie's invoke-rc.d does not support service patterns.) (Bug 47511).

§6.7.2. Docker

  • During the initial setup by Univention System Setup the Docker package is always installed inside the chroot environment, where the legacy SysV init scripts are used instead of systemd. Because the daemon is not running there, the init script's stop action reported an error, which aborted the removal of the package when a Base system was set up. This has been fixed (Bug 47194).

§6.7.3. SAML

  • Raw service provider configurations can now be added to Univention Directory Manager saml/serviceprovider objects; the configuration is replicated to all IdP servers in the domain. In addition, the simplesamlphp LDAP get_attributes option is now configured in LDAP; the values currently set in the corresponding Univention Configuration Registry variables are migrated to the new configuration (Bug 47309).
  • When Apache is operated without a separate VirtualHost entry for single sign-on, a rewrite rule placed in the scope of other configuration rules prevented further rewrite rules from being executed. The rewrite rule is now restricted to the single sign-on directory (Bug 47241).

§6.7.4. Dovecot

  • The PAM stack has been fixed to allow the login via username (Bug 47642).

§6.7.5. Postfix

  • The PAM stack has been fixed to allow the login via username (Bug 47642).

§6.7.6. Nagios

  • A Nagios warning for CUPS due to usage of HTTP/1.0 has been fixed (Bug 46698).

§6.7.7. Proxy services

  • Setting the Univention Configuration Registry variable squid/krb5auth/keepalive to off did not have any effect (Bug 47425).

§6.7.8. SSL

  • Update Mozilla certificate authority bundle to version 2.22 (Bug 47480).

§6.8. Virtualization

§6.8.1. UCS Virtual Machine Manager (UVMM)

  • Make CPU-Usage column visibility configurable. The visibility is controlled by the Univention Configuration Registry variable uvmm/umc/showcpuusage (Bug 47268).
  • Snapshots can now be created from the context menu of the grid overview (Bug 41772).
  • The hosts in the dialog Migrate domain are now sorted (Bug 47182).
  • Update to VirtIO driver for Windows to version 0.1.141-1 (Bug 47321).
  • Fix a memory leak preventing the Python garbage collector from freeing connection instances (Bug 47114).

§6.9. Services for Windows

§6.9.1. Samba

  • Update package tevent to version 0.9.36 as required by Samba 4.7.8 (Bug 47428).
  • Adjust default for Univention Configuration Registry variable samba/ntlm/auth (ntlm auth) to ntlmv2-only (Bug 46782).
  • Share options in univention-samba-local-config have been fixed (Bug 46975).
  • Some scripts that had been deleted by a previous cleanup have been restored (Bug 47095).
  • After a server password change restart all services of Samba, not just the AD/DC component (Bug 47638).
  • Two new Univention Configuration Registry variables have been added to give more granular control over the behavior of the SYSVOL synchronization (Bug 47576):
    • one controls whether a downstream DC should delete local changes during the synchronization from the upstream DC (only useful in UCS@school with unidirectional synchronization from the upstream DC);
    • the other controls whether old, redundant gpt.ini files should be deleted after the synchronization to the local SYSVOL directory.
  • Improved error message for UCS@school slave join (Bug 47388).
  • Continue samba-tool dbcheck --fix even if a modification failed (Bug 45982).
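
The NTLMv1 change from the Chapter 1 highlights and the new samba/ntlm/auth default above (Bug 46782), as an added shell example that is not part of the release notes or of Samba's or Univention's code. It reads the effective ntlm auth value from an smb.conf-style file and flags any setting that permits NTLMv1. It assumes the input is smb.conf or the output of testparm -s; on a UCS host the file is generated from UCR, so ucr get samba/ntlm/auth is the value to correct. The configuration embedded at the end is constructed.

```shell
#!/bin/sh
# Added example, not part of the UCS release notes or of Samba/Univention code.
# Audit the effective Samba "ntlm auth" setting, which on UCS is fed from the
# UCR variable samba/ntlm/auth. Assumption: the argument is smb.conf or the
# output of `testparm -s 2>/dev/null`, saved to a file.

# Print the effective value of "ntlm auth" from the [global] section, in
# lower case. An absent setting means the Samba 4.7 default, ntlmv2-only.
ntlm_auth_value() {
  awk -F= '
    BEGIN { sect = ""; val = "" }
    /^[ \t]*\[/ {
      sect = tolower(substr($0, index($0, "[") + 1)); sub(/].*/, "", sect); next
    }
    sect == "global" && tolower($1) ~ /^[ \t]*ntlm[ \t]+auth[ \t]*$/ {
      v = tolower($2); gsub(/^[ \t]+|[ \t]+$/, "", v); val = v
    }
    END { print (val == "" ? "ntlmv2-only" : val) }
  ' "$1"
}

# Classify the value. Exit 0 = NTLMv1 rejected, 1 = NTLMv1 permitted,
# 2 = unrecognised value. Samba treats "yes"/"no" as aliases for
# ntlmv1-permitted / ntlmv2-only.
ntlm_auth_policy() {
  case "$(ntlm_auth_value "$1")" in
    ntlmv2-only|no|mschapv2-and-ntlmv2-only)
      echo "ok: NTLMv1 rejected, NTLMv2 accepted"; return 0 ;;
    disabled)
      echo "ok: NTLM disabled entirely (Kerberos only)"; return 0 ;;
    ntlmv1-permitted|yes)
      echo "WEAK: NTLMv1 permitted; revert with: ucr set samba/ntlm/auth=ntlmv2-only"; return 1 ;;
    *)
      echo "unrecognised ntlm auth value"; return 2 ;;
  esac
}

# Constructed sample: an admin re-enabled NTLMv1 for a legacy device.
# The commented line is ignored and the [homes] line shows that only
# [global] is consulted (ntlm auth is a global parameter).
sample=$(mktemp)
cat > "$sample" <<'EOF'
[global]
    workgroup = EXAMPLE
    ; ntlm auth = ntlmv2-only
    ntlm auth = ntlmv1-permitted
[homes]
    ntlm auth = ntlmv2-only
EOF
ntlm_auth_policy "$sample" || echo "audit exit status: $?"
rm -f "$sample"
```

ntlmv2-only (alias no) and mschapv2-and-ntlmv2-only reject NTLMv1, disabled turns NTLM off altogether, and ntlmv1-permitted (alias yes) is the setting a legacy exception would require. The non-zero exit status for that case lets the check gate a monitoring plugin or a configuration test so that a temporary exception does not silently become permanent.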

§6.9.2. Univention S4 Connector

  • When objects are renamed in UCS update their DN in the group member mapping caches (Bug 47636).
  • Sync pwdLastSet changes also in case the hashes didn't actually change (Bug 47391).
  • Add support for DNS NS records (Bug 32626).

§6.9.3. Univention Active Directory Connection

  • The connector's AD binary attributes list has been updated (Bug 47025).
  • A regression of Bug 45779 affecting the AD connection wizard has been fixed (Bug 47430).
  • Four new tools have been added: resync_object_from_ad.py, resync_object_from_ucs.py, remove_ad_rejected.py, remove_ucs_rejected.py (Bug 47232).
  • The listener module now restarts the connector if extended attributes are modified (Bug 47049).