Table of Contents
With Univention Corporate Server 4.3-2, the second point release of Univention Corporate Server (UCS) 4.3 is now available. It provides several feature improvements and extensions, new properties as well as various improvements and bugfixes. Here is an overview of the most important changes:
During the upgrade to new UCS release- or patchlevel versions, the Univention Management Console is put into maintenance mode. While the maintenance mode is active, the progress of the update is displayed on a simple web page.
Samba has been updated to version 4.7.8. For security reasons, authentication with NTLMv1 is no longer allowed. If there are still old systems or applications in use that absolutely need NTLMv1, this can be reactivated via the Univention Configuration Registry.
The installation wizard has been enhanced so that possible problems with domain join and the Internet connection can be identified and possible solutions can be shown before the installation starts.
A manually created or customized SAML configuration for a service can now be stored directly in LDAP. This configuration is then replicated to all identity providers involved in single sign-on in the domain.
The AD connector has been enhanced with tools to synchronize individual objects or entire subtrees again and to specifically remove rejects.
Various security updates have been integrated into UCS 4.3-2, e.g. Apache2, the Linux kernel and Samba4. A complete list is available in Chapter 6.
During the update some services in the domain may not be available temporarily, that is why the update should occur in a maintenance window. It is recommended to test the update in a separate test environment prior to the actual update. The test environment should be identical to the production environment. Depending on the system performance, network connection and the installed software the update will take between 20 minutes and several hours.
In environments with more than one UCS system, the update order of the UCS systems must be borne in mind:
The authoritative version of the LDAP directory service is maintained on the master domain controller and replicated to all the remaining LDAP servers of the UCS domain. As changes to the LDAP schema can occur during release updates, the master domain controller must always be the first system to be updated during a release update.
Starting with UCS 4.0, installation DVD are only provided for the x86 64 bit architecture (amd64). Existing 32 bit UCS 3 systems can still be updated to UCS 4.0 through the online repository or by using update DVD. The 32 bit architecture will be supported over the entire UCS 4 maintenance period.
It must be checked whether sufficient disk space is available. A standard installation requires a minimum of 10 GB of disk space. The update requires approximately 4 GB additional disk space to download and install the packages, depending on the size of the existing installation.
For the update, a login should be performed on the system's local console as user root, and the update should be initiated there.
Alternatively, the update can be conducted using Univention Management Console.
Remote updating via SSH is not recommended as this may result in the update procedure being canceled, e.g., if the network connection is interrupted.
In consequence, this can affect the system severely.
If updating should occur over a network connection nevertheless, it must be verified that the update continues in case of disconnection from the network.
This can be achieved, e.g., using the tools screen and at. These tools are installed on all UCS system roles by default.
Following the update, new or updated join scripts need to be executed.
This can be done in two ways:
Either using the UMC module or by running the command
univention-run-join-scripts as user root.
Subsequently the UCS system needs to be restarted.
Anonymous usage statistics on the use of Univention Management Console are collected when using the UCS Core Edition. The modules opened get logged to an instance of the web traffic analysis tool Piwik. This makes it possible for Univention to tailor the development of Univention Management Console better to customer needs and carry out usability improvements.
This logging is only performed when the UCS Core Edition license is used. The license status can be verified via the menu entry of the user menu in the upper right corner of Univention Management Console. If is listed under , this version is in use. When a regular UCS license is used, no usage statistics are collected.
Independent of the license used, the statistics generation can be deactivated by setting the Univention Configuration Registry variable umc/web/piwik to false.
WebKit, Konqueror and QtWebKit are shipped in the maintained branch of the UCS repository, but not covered by security support. WebKit is primarily used for displaying HTML help pages etc. Firefox should be used as web browser.
Univention Management Console uses numerous JavaScript and CSS functions to display the web interface. Cookies need to be permitted in the browser. The following browsers are recommended:
Chrome as of version 37
Firefox as of version 38
Internet Explorer as of version 11
Safari and Safari Mobile as of version 9
Users running older browsers may experience display or performance issues.
Listed are the changes since UCS 4.3-1:
All security updates issued for UCS 4.3-1 are included:
The following updated packages from Debian Stretch 9.5 are included (Bug 47659): 2ping, abiword, adminer, ant, auto-complete-el, awffull, ax25-tools, blender, blktrace, bouncycastle, camo, cffi, cgit, check-postgres, chromium-browser, clustershell, debian-installer, debian-installer-netboot-images, debian-security-support, dehydrated, disc-cover, django-xmlrpc, dosbox, dpdk, dput-ng, elastix, email2trac, faker, fastkml, ganeti, git-annex, glx-alternatives, gosa, gridengine, insserv, jdresolve, jetty9, kamailio, keystone, lava-server, libb64, libdate-holidays-de-perl, libextractor, liblouis, libosmium, llvm-toolchain-4.0, local-apt-repository, loook, mailman, miniupnpd, mutt, network-manager-vpnc, nss-pam-ldapd, nvidia-graphics-drivers, obfsproxy, openstack-debian-images, php-horde-image, piglit, plexus-archiver, psad, pysurfer, python-cluster, python-pyorick, python-scruffy, r-cran-mi, redis, ruby-rack-protection, ruby-sprockets, rustc, salt, showq, slurm-llnl, source-highlight, spip, starplot, strongswan, sus, symfony, tclreadline, thefuck, thunderbird, tinyproxy, tlslite-ng, tolua, tomcat8, unison, variety, vim-syntastic, wordpress, xen, xrdp, znc
dpkg trigger execution to noawait when Univention Configuration Registry templates are installed or updated (Bug 47356).
/etc/rsyslog.conf has been fixed.
Modules configured by the Univention Configuration Registry variables syslog/input/* are now activated correctly (Bug 47035).
autostart variables are now correctly evaluated across all scopes (Bug 46300).
/etc/ssh/sshd_config were not mapped to Univention Configuration Registry variables (Bug 39704).
Intl.Collator object is now used for other widgets as well (Bug 47195).
univention-app logs has been introduced for Docker Apps (Bug 46433).
univention-appcenter-listener-converter has been fixed (Bug 47644).
root is used inside containers to run scripts (Bug 47340).
univention-app took every App from every UCS version into consideration.
Now non-Docker Apps are excluded when the UCS version of the App and the one of the system do not match (Bug 47187).
univention-join tool for checking problems without altering the system (Bug 42022).
univention-server-join now checks and reports conflicts in name, role, MAC and IP address to provide better error feedback (Bug 42124).
ldap/attributeoptions has been added to configure the slapd.conf attributeoptions parameter.
The default for attributeoptions has changed from entry- to entry-,lang- (Bug 47246).
getMailFromMailOrUid from execution on module load (Bug 47206).
updater.log file in UMC if the last release update failed (Bug 47592).
deb-systemd-invoke stop "postgresql@$ver-*" to prevent upgrading/removing server packages from stopping other major version clusters when running systemd.
(Use deb-systemd-invoke instead of invoke-rc.d; Jessie's invoke-rc.d does not support service patterns.) (Bug 47511).
chroot environment.
systemd is not yet used there, but the legacy SysV init scripts.
Its stop action reports an error as the daemon is not running.
This aborts the removal of the package, which is done when setting up a Base system (Bug 47194).
saml/serviceprovider objects.
The configuration will be replicated to all domain IdP servers.
In addition, the configuration option of simplesamlphp LDAP get_attributes is now done in LDAP.
The current value set to the Univention Configuration Registry variables is migrated to the updated configuration (Bug 47309).
uvmm/umc/showcpuusage (Bug 47268).
samba/ntlm/auth (ntlm auth) to ntlmv2-only (Bug 46782).
Two new Univention Configuration Registry variables have been added to give more granular control over the behavior of the SYSVOL synchronization:
samba4/sysvol/sync/from_upstream/deletesamba4/sysvol/sync/fix_gpt_inigpt.ini files should be deleted after the synchronization to the local SYSVOL directory (Bug 47576).
samba-tool dbcheck --fix even if a modification failed (Bug 45982).
Four new tools have been added:
resync_object_from_ad.py, resync_object_from_ucs.py, remove_ad_rejected.py, remove_ucs_rejected.py
(Bug 47232).