With Univention Corporate Server 4.4-0, the fourth minor release of Univention Corporate Server (UCS) 4 is now available. It provides several feature improvements and extensions, new properties as well as various improvements and bugfixes. Here is an overview of the most important changes:
With this release the new app Admin Diary is available, with which administrative events of all UCS instances of a domain can be viewed and evaluated centrally. Changes to users, groups or other objects in the directory service can be tracked just as easily as updates to servers or (de-)installations of apps.
The Admin Diary is delivered as two components: a backend for data storage in an SQL database and a frontend for integration into the UMC. Recording of events is part of UCS 4.4 and is automatically activated when the backend is installed.
The self-service app has been enhanced in two areas:
The portal has been extended to forward users directly to the login page and to display information texts if the portal is empty. The rendering has been optimized and is now customizable via CSS. Furthermore, the portal now has an improved permission management, which allows more access protection on the server side, which forms the basis for future enhancements.
The RADIUS app has been unified by merging the implementations from UCS@school and the UCS app. As part of the implementation, the exchange of Shared Secrets, e.g. with WiFi access points, has been simplified: The access point configuration can now be done using the UMC computer module.
Samba has been updated to version 4.10 RC2, which includes numerous improvements.
With this version, trust settings between UCS and Microsoft Active Directory domains can be configured. This makes it possible, for example, for users administered in UCS to gain access to services operated in Microsoft domains.
Furthermore Samba now supports Fine Grained Password Policies, with which it is possible to define different and detailed password policies within the Microsoft Active Directory or Kerberos domain.
The user experience in the Univention Management Console has been improved in many ways. These include a clearer display of input elements, better handling of long result lists and a more efficient display on small displays.
The settings for a user's access to installed apps can now be managed on a central tab on the user object. This simplifies both the administration of UCS and the integration by App Providers.
For App Providers, Install Permissions are a new feature in the App Center: they make it possible to specify for each version whether the App requires a contractual relationship between user and provider for installation. The App Center thus better supports the corresponding business models of app providers, and users can better recognize which versions of an app are available.
UCS 4.4-0 is based on the Debian release 9.8 released in February. A complete list of security and package updates is available in Chapter 6.
During the update some services in the domain may be temporarily unavailable, so the update should take place in a maintenance window. It is recommended to test the update in a separate test environment prior to the actual update. The test environment should be identical to the production environment. Depending on the system performance, network connection and the installed software the update will take between 20 minutes and several hours.
In environments with more than one UCS system, the update order of the UCS systems must be borne in mind:
The authoritative version of the LDAP directory service is maintained on the master domain controller and replicated to all the remaining LDAP servers of the UCS domain. As changes to the LDAP schema can occur during release updates, the master domain controller must always be the first system to be updated during a release update.
Starting with UCS 4.0, installation DVDs are only provided for the x86 64 bit architecture (amd64). Existing 32 bit UCS 3 systems can still be updated to UCS 4.0 through the online repository or by using update DVDs. The 32 bit architecture will be supported over the entire UCS 4 maintenance period.
It must be checked whether sufficient disk space is available. A standard installation requires a minimum of 10 GB of disk space. The update requires approximately 4 GB additional disk space to download and install the packages, depending on the size of the existing installation.
For the update, a login should be performed on the system's local console as user root, and the update should be initiated there.
Alternatively, the update can be conducted using Univention Management Console.
Remote updating via SSH is not recommended as this may result in the update procedure being canceled, e.g., if the network connection is interrupted.
In consequence, this can affect the system severely.
If updating should occur over a network connection nevertheless, it must be verified that the update continues in case of disconnection from the network.
This can be achieved, e.g., using the tools screen and at. These tools are installed on all UCS system roles by default.
Univention provides a script that checks for problems which would prevent the successful update of the system. Prior to the update, this script can be downloaded and executed on the UCS system.
    # download
    curl -OOs http://updates.software-univention.de/download/univention-update-checks/pre-update-checks-4.4{,.gpg}

    # run script
    gpgv --keyring /usr/share/keyrings/univention-archive-key-ucs-4x.gpg \
            pre-update-checks-4.4.gpg pre-update-checks-4.4 && bash pre-update-checks-4.4

    ...

    Starting pre-update checks ...

    Checking app_appliance ...                        OK
    Checking block_update_of_NT_DC ...                OK
    Checking cyrus_integration ...                    OK
    Checking disk_space ...                           OK
    Checking hold_packages ...                        OK
    Checking ldap_connection ...                      OK
    Checking ldap_schema ...                          OK
    ...
Following the update, new or updated join scripts need to be executed.
This can be done in two ways:
Either using the UMC module univention-run-join-scripts as user root.
Subsequently the UCS system needs to be restarted.
Due to a design flaw in the Univention Directory Notifier network protocol version 2 any user can retrieve information about changes to the LDAP directory.
A new protocol version 3 was implemented with UCS-4.3-3 erratum 427.
For backward compatibility with old UCS systems the Univention Directory Notifier still provided version 2 by default.
For new installations starting with UCS-4.4 only version 3 is enabled by default.
Protocol version 2 can be re-enabled by changing the Univention Configuration Registry variable notifier/protocol/version to 2 and restarting the Univention Directory Notifier.
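A check for the notifier setting described above, as an added example that is not Univention code: it reads key: value text in the form printed by ucr dump and reports whether a host is new enough for protocol version 3 and whether version 2 is still configured. The function names, the constructed sample dumps and the use of version/version and version/patchlevel alongside version/erratalevel are assumptions of this example.

```shell
# Added example (not Univention code). Input is "key: value" text in the form
# printed by `ucr dump`; the three dumps below are constructed samples.
# ucr_value KEY: print KEY's value from a dump on stdin (empty if unset).
ucr_value() { awk -v k="$1" -F': ' '$1 == k { print $2 }'; }

# supports_v3 DUMP: succeed if the host is at least UCS 4.3-3 erratum 427,
# the level at which protocol version 3 was introduced.
supports_v3() {
    printf '%s\n' "$1" | awk -F': ' '
        $1 == "version/version"     { split($2, v, ".") }
        $1 == "version/patchlevel"  { p = $2 }
        $1 == "version/erratalevel" { e = $2 }
        END {
            # Zero-padded fields make string order equal release order.
            have = sprintf("%03d%03d%03d%05d", v[1], v[2], p, e)
            need = sprintf("%03d%03d%03d%05d", 4, 3, 3, 427)
            exit !(have >= need)
        }'
}

# audit_notifier DUMP: classify one domain controller.
audit_notifier() {
    proto=$(printf '%s\n' "$1" | ucr_value notifier/protocol/version)
    if ! supports_v3 "$1"; then
        echo "too-old"          # predates version 3; update this host first
    elif [ "$proto" = 3 ]; then
        echo "v3-only"
    elif [ -z "$proto" ]; then
        echo "unset"            # default depends on install history; review
    else
        echo "legacy-v$proto"   # an older protocol version is still enabled
    fi
}

NEW_MASTER='version/version: 4.4
version/patchlevel: 0
version/erratalevel: 0
notifier/protocol/version: 3'
UPDATED_MASTER='version/version: 4.4
version/patchlevel: 0
version/erratalevel: 0
notifier/protocol/version: 2'
OLD_BACKUP='version/version: 4.3
version/patchlevel: 3
version/erratalevel: 410'

for dump in "$NEW_MASTER" "$UPDATED_MASTER" "$OLD_BACKUP"; do
    audit_notifier "$dump"
done
```

On a live system the same classification can be obtained with audit_notifier "$(ucr dump)".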
Anonymous usage statistics on the use of Univention Management Console are collected when using the UCS Core Edition. The modules opened get logged to an instance of the web traffic analysis tool Piwik. This makes it possible for Univention to tailor the development of Univention Management Console better to customer needs and carry out usability improvements.
This logging is only performed when the UCS Core Edition license is used. The license status can be verified via the menu entry of the user menu in the upper right corner of Univention Management Console. If is listed under , this version is in use. When a regular UCS license is used, no usage statistics are collected.
Independent of the license used, the statistics generation can be deactivated by setting the Univention Configuration Registry variable umc/web/piwik to false.
WebKit, Konqueror and QtWebKit are shipped in the maintained branch of the UCS repository, but not covered by security support. WebKit is primarily used for displaying HTML help pages etc. Firefox should be used as web browser.
Univention Management Console uses numerous JavaScript and CSS functions to display the web interface. Cookies need to be permitted in the browser. The following browsers are recommended:
Chrome as of version 71
Firefox as of version 60
Safari and Safari Mobile as of version 12
Microsoft Edge as of version 18
As of this release Internet Explorer is not supported by Univention Management Console anymore.
Users running older browsers may experience display or performance issues.
Listed are the changes since UCS 4.3-3:
All security updates issued since UCS 4.3-3 are included:
The following updated packages from Debian 9.8 are included (Bug 48332): ansible, arc, astroml-addons, base-files, c3p0, ca-certificates-java, chkrootkit, chromium, compactheader, coturn, courier, debian-edu-config, debian-installer-netboot-images, debian-installer, debian-security-support, dnspython, drupal7, egg, erlang, espeakup, flatpak, ganeti-os-noop, glx-alternatives, gnulib, gnupg2, golang-1.7, golang-1.8, graphite-api, grokmirror, ibus, icinga2, ikiwiki, isort, jdupes, kmodpy, libapache-mod-jk, libb2, libdatetime-timezone-perl, libemail-address-list-perl, libextractor, libgpod, libssh, libu2f-host, linux-igd, lttng-modules, mistral, monkeysign, mosquitto, mpqc, netatalk, nvidia-graphics-drivers, nvidia-modprobe, nvidia-persistenced, nvidia-settings, nvidia-xconfig, openni2, openvpn, parsedatetime, pdns, pdns-recursor, photocollage, postfix, postgresql-9.6, postgrey, pylint-django, python-acme, python-arpy, python-certbot-apache, python-certbot-nginx, python-certbot, python-hypothesis, python-josepy, pyzo, r-cran-readxl, rssh, rtkit, ruby-loofah, ruby-rack, ruby-sanitize, sl-modem, sogo-connector, ssh-agent-filter, supercollider, sympa, thunderbird, tmpreaper, twitter-bootstrap3, tzdata, uglifyjs, vm, vulture, wicd, wordpress, wvstreams, xapian-core, xen, xkeycaps, yosys, z3
The following packages have been moved to the maintained repository of UCS: fail2ban (Bug 47566), libmaxminddb (Bug 48409)
debian/changelog files have been updated to the machine-readable DEP-5 format.
The copyright of all packages has been extended to 2019 (Bug 28499):
univention-run-diagnostic-checks which can be used to execute the diagnostic checks (Bug 47650).
cn=monitor backend for statistical information.
To activate this, set Univention Configuration Registry variable ldap/monitor to true and restart the LDAP server service (slapd) (Bug 41213).
cn=translog database for transaction log (Bug 48427).
ldap_extension is performed on backup domain controller and slave domain controller systems to correct possible inconsistencies in LDAP ACLs (Bug 48530).
cn=config backend, accessible via ldapi:/// only (Bug 43515).
die() function to ldap.sh (Bug 47424).
ldap-backup cron job (Bug 48014).
mailinglist_name was integrated into syntax.py (Bug 48383).
univention-repository-addpackage, univention-repository-delpackage and univention-repository-merge are deprecated and are removed with UCS-4.4 (Bug 29505).
dists/ are now also mirrored.
This is required for the PXE network installer (Bug 46600).
update/debug/level for changing the debug level of the UCS updater (Bug 47913).
postmirror.sh file is no longer displayed (Bug 27761).
preup.sh and postup.sh have been adapted to the needs of UCS 4.4 (Bug 48808).
univention-repository-create from DVD (Bug 48910).
univention-repository-create now checks if univention-debmirror is installed before installing it (Bug 48151).
.conf files in the directory /etc/apache2/sso-vhost.conf.d/ (Bug 48348).
self-service/ldap_attributes and self-service/udm_attributes (Bug 48447, Bug 48710)
clients.conf is not converted and can still be used to configure clients manually (Bug 25935).
Switch to Python passlib for DES encryption (Bug 48460).
Move clients.conf.example into the right folder (Bug 46561).
Improved logging for univention-radius-ntlm-auth which is used by FreeRADIUS to authenticate users.
Log entries are written to radius_ntlm_auth.log.
The log level can be adjusted with the Univention Configuration Registry variable freeradius/auth/helper/ntlm/debug.
Internal changes to enable the UCS@school RADIUS implementation to build upon the univention-radius package (Bug 46018).
uvmm/overcommit/reserved (Bug 48901).
samba-tool ntacl sysvolcheck didn't map owner LA to DA properly while checking, leading to irritating, unnecessary error messages (Bug 44282).
4.10.0~rc2 (Bug 48084).
97libunivention-ldb-modules.inst to 96univention-samba4.inst to simplify package structure (Bug 47955).
version/erratalevel to 0 (Bug 48654).
join/pre-joinscripts have been called.
This prevents join problems on backup domain controller system in case the join hook installed additional software (Bug 48751).