Table of Contents
With Univention Corporate Server 4.4-8, the eighth point release of Univention Corporate Server (UCS) 4.4 is now available. It provides several feature improvements and extensions, new properties as well as various improvements and bugfixes. Here is an overview of the most important changes:
gidNumber
attribute for group objects.
During the update some services in the domain may not be available temporarily, that is why the update should occur in a maintenance window. It is recommended to test the update in a separate test environment prior to the actual update. The test environment should be identical to the production environment. Depending on the system performance, network connection and the installed software the update will take between 20 minutes and several hours.
In environments with more than one UCS system, the update order of the UCS systems must be borne in mind:
The authoritative version of the LDAP directory service is maintained on the master domain controller and replicated to all the remaining LDAP servers of the UCS domain. As changes to the LDAP schema can occur during release updates, the master domain controller must always be the first system to be updated during a release update.
Starting with UCS 4.0, installation DVD are only provided for the x86 64 bit architecture (amd64). Existing 32 bit UCS 3 systems can still be updated to UCS 4.0 through the online repository or by using update DVD. The 32 bit architecture will be supported over the entire UCS 4 maintenance period.
It must be checked whether sufficient disk space is available. A standard installation requires a minimum of 10 GB of disk space. The update requires approximately 4 GB additional disk space to download and install the packages, depending on the size of the existing installation.
For the update, a login should be performed on the system's local console as user root
, and the update should be initiated there.
Alternatively, the update can be conducted using Univention Management Console.
Remote updating via SSH is not recommended as this may result in the update procedure being canceled, e.g., if the network connection is interrupted.
In consequence, this can affect the system severely.
If updating should occur over a network connection nevertheless, it must be verified that the update continues in case of disconnection from the network.
This can be achieved, e.g., using the tools screen
and at
.
These tools are installed on all UCS system roles by default.
Univention provides a script that checks for problems which would prevent the successful update of the system. Prior to the update, this script can be downloaded and executed on the UCS system.
# download curl -OOs https://updates.software-univention.de/download/univention-update-checks/pre-update-checks-4.4{,.gpg} # run script gpgv --keyring /usr/share/keyrings/univention-archive-key-ucs-4x.gpg \ pre-update-checks-4.4.gpg pre-update-checks-4.4 && bash pre-update-checks-4.4 ... Starting pre-update checks ... Checking app_appliance ... OK Checking block_update_of_NT_DC ... OK Checking cyrus_integration ... OK Checking disk_space ... OK Checking hold_packages ... OK Checking ldap_connection ... OK Checking ldap_schema ... OK ...
Following the update, new or updated join scripts need to be executed.
This can be done in two ways:
Either using the UMC module univention-run-join-scripts
as user root
.
Subsequently the UCS system needs to be restarted.
Anonymous usage statistics on the use of Univention Management Console are collected when using the UCS Core Edition. The modules opened get logged to an instance of the web traffic analysis tool Piwik. This makes it possible for Univention to tailor the development of Univention Management Console better to customer needs and carry out usability improvements.
This logging is only performed when the UCS Core Edition license is used. The license status can be verified via the menu entry of the user menu in the upper right corner of Univention Management Console. If is listed under , this version is in use. When a regular UCS license is used, no usage statistics are collected.
Independent of the license used, the statistics generation can be deactivated by setting the Univention Configuration Registry variable umc/web/piwik
to false.
WebKit, Konqueror and QtWebKit are shipped in the maintained branch of the UCS repository, but not covered by security support. WebKit is primarily used for displaying HTML help pages etc. Firefox should be used as web browser.
Univention Management Console uses numerous JavaScript and CSS functions to display the web interface. Cookies need to be permitted in the browser. The following browsers are recommended:
Chrome as of version 71
Firefox as of version 60
Safari and Safari Mobile as of version 12
Microsoft Edge as of version 18
As of this release Internet Explorer is not supported by Univention Management Console anymore.
Users running older browsers may experience display or performance issues.
Listed are the changes since UCS 4.4-7:
All security updates issued for UCS 4.4-7 are included:
The following updated packages from Debian 9.13 are included (Bug 53084): ca-certificates, libdatetime-timezone-perl, linux-latest, tzdata, activemq, adminer, ansible, awstats, brotli, connman, coturn, crmsh, csync2, debian-security-support, drupal7, firejail, golang-1.7, golang-1.8, golang-golang-x-net-dev, golang-websocket, gssproxy, highlight.js, influxdb, jupyter-notebook, leptonlib, libhibernate3-java, libmediainfo, libpano13, libxstream-java, libzstd, linux-4.19, linux-latest-4.19, mediawiki, minidlna, mqtt-client, mumble, mupdf, musl, mutt, netty, node-ini, open-build-service, openvswitch, pacemaker, pdfresurrect, php-horde-text-filter, php-nette, postsrsd, privoxy, python-bleach, python-bottle, python-certbot, redis, roundcube, ruby-mechanize, ruby-redcarpet, salt, shibboleth-sp2, slirp, snapd, spice-vdagent, spip, sympa, tcpflow, thunderbird, tomcat8, unbound1.9, unrar-free, velocity, velocity-tools, vips, x11vnc, xcftools, zsh
The following packages have been moved to the maintained repository of UCS: moreutils (Bug 52743), python-bcrypt (Bug 52693), python-monotonic (Bug 52273)
201
as additional possible status code for modify operations.
It is returned in case an object was moved (Bug 52725).
200
as status code for the retrieval of object creation templates (Bug 52723).
pam/krb5/ticket_after_pwchange
has been added to restore the default behavior of the PAM module krb5
.
See https://help.univention.com/t/17403 for more information (Bug 52188).
KeyError
is prevented when a session timer has already been removed (Bug 52535).
`python2.7
.
This included UCS services like UCS Virtual Machine Manager, UMC server, UMC web server, UMC REST API, UCS Portal server and Univention S4 connector.
The broken fallback mechanism has been disabled and removed (Bug 52518).
update-check
has been added to univention-app
to check whether an UCS update with the currently installed Apps is possible (Bug 52771).
docker.pull
has been removed (Bug 52456).
password/hashing/bcrypt
(default: false
).
The bcrypt cost factor and variant can be configured with the Univention Configuration Registry variables password/hashing/bcrypt/cost_factor
(default: 12
) and password/hashing/bcrypt/prefix
(default: 2b
) (Bug 52693).
--remove-option
of the UDM CLI command create
has been repaired (Bug 52576).
`python2.7
.
This included UCS services like UCS Virtual Machine Manager, UMC server, UMC web server, UMC REST API, UCS Portal server and Univention S4 connector.
The broken fallback mechanism has been disabled and removed (Bug 52518).
docker/daemon/default/opts/registry-mirrors
can be used to define custom registry mirrors for the docker daemon.
It is also possible now to configure arbitrary JSON encoded data, which gets mixed into the Docker daemon configuration file /etc/docker/daemon.json
via the Univention Configuration Registry variable docker/daemon/default/json
(Bug 52344).
statx
to docker seccomp profile (Bug 52478).
univention-stunnel4-watchdog
has been added, which restarts the stunnel4
service, if it does not respond any more, but is marked as active.
This can be activated by setting the Univention Configuration Registry variable ucs/server/sso/stunnel4/watchdog/active=true
and restarting the service univention-stunnel4-watchdog
(Bug 52196).
krb5
has been changed.
From now on the module no longer tries to obtain a new ticket after a password change (as this is error prone due to timing issues in the password synchronization).
The old behavior can be restored by setting the Univention Configuration Registry variable pam/krb5/ticket_after_pwchange=true
(sets the ticket_after_pwchange
flag in the PAM configuration).
See https://help.univention.com/t/17403 for more information (Bug 52188).
heimdal-kdc
.
This is necessary to allow for the mspwdpolicy feature to work correctly (Bug 52198).
/usr/share/univention-s4-connector/resync_object_from_ucs.py --filter
, which accepts an LDAP filter (Bug 50766).
pam/krb5/ticket_after_pwchange
has been added to restore the default behavior of the PAM module krb5.
See https://help.univention.com/t/17403 for more information (Bug 52188).