UCS 5.0 Release Notes

Release notes for the installation and update of Univention Corporate Server (UCS) 5.0-0

Table of Contents

1. Release Highlights
2. Notes about the update
2.1. Recommended update order for environments with more than one UCS server
2.2. UCS only available for 64 bit
2.3. Component removals
2.4. Increased minimal TLS protocol version
2.5. Samba changes
2.6. Notes about default master packages
2.7. Notes about credentials passed to join scripts
3. Simultaneous operation of UCS and Debian on UEFI systems
4. Local package repository
5. Portal
6. Preparation of update
7. Postprocessing of the update
8. Notes on selected packages
8.1. Network configuration
8.2. Collection of usage statistics
8.3. Recommended browsers for the access to Univention Management Console
9. Changelog
9.1. General
9.2. Univention Installer
9.3. Basic system services
9.3.1. Linux kernel and firmware packages
9.3.2. Univention Configuration Registry Changes to templates and modules
9.3.3. Boot Loader
9.3.4. Other system services
9.4. Domain services
9.4.1. OpenLDAP LDAP ACL changes LDAP schema changes LDAP index changes Listener/Notifier domain replication
9.4.2. DNS server
9.5. Univention Management Console
9.5.1. Univention Management Console web interface
9.5.2. Univention Portal
9.5.3. Univention Management Console server
9.5.4. Univention App Center
9.5.5. Univention Directory Manager UMC modules and command line interface
9.5.6. Modules for system settings / setup wizard
9.5.7. Software update module
9.5.8. Domain join module
9.5.9. Univention Directory Reports
9.5.10. Computers module
9.5.11. DHCP module
9.5.12. System diagnostic module
9.5.13. Process overview module
9.5.14. Policies
9.5.15. Printers module
9.5.16. Filesystem quota module
9.5.17. Univention Configuration Registry module
9.5.18. Other modules
9.5.19. Development of modules for Univention Management Console
9.6. Univention Updater
9.7. Univention base libraries
9.8. Software monitor
9.9. System services
9.9.1. MariaDB
9.9.2. Docker
9.9.3. SAML
9.9.4. Mail services
9.9.5. Printing services
9.9.6. Nagios
9.9.7. RADIUS
9.9.8. Kerberos
9.9.9. SSL
9.9.10. Celery services
9.9.11. DHCP server
9.9.12. PAM / Local group cache
9.9.13. NFS
9.9.14. Bacula and Backup
9.9.15. Other services
9.10. Virtualization
9.11. Services for Windows
9.11.1. Samba
9.11.2. Univention AD Takeover
9.11.3. Univention S4 Connector
9.11.4. Univention Active Directory Connection
9.12. Other changes

§Chapter 1. Release Highlights

With Univention Corporate Server 5.0-0, the fifth major release of Univention Corporate Server (UCS) is now available. It provides several feature improvements and extensions, new properties as well as various improvements and bugfixes. Here is an overview of the most important changes:

  • This new major Univention Corporate Server release is based on Debian 10.9 Buster. A lot of packages have been updated from upstream. This includes for example the Linux Kernel (4.19), PostgreSQL (11), Python 3 (3.7) and Samba (4.13.7).

  • The portal has been updated to become the central hub for Univention Corporate Server users. Apps and web pages can be opened as inline frames (iframe) within the portal. This enables users to quickly open and switch apps. Organizations are given the ability to strengthen their identity by having their apps on a central page.

  • With Python as the language of choice for many Univention Corporate Server components, most have been converted to run with Python 3.7. Python 2.7 is still supported with UCS 5.0, but will be removed with UCS 5.1.

  • The Univention Management Console now uses a dark colored theme. A light colored theme will be added as an update at a later date.

  • The system roles have been renamed. "master domain controller" is renamed to "Primary Directory Node", "backup domain controller" to "Backup Directory Node", "slave domain controller" to "Replica Directory Node" and "member server" to "Managed Node". This is an ongoing process, in this release the documentation and UI texts have been adjusted.

  • Software installation is now done exclusively via the App Center. The Software Selection during the initial Configuration of a Univention Corporate Server node has been removed.

  • Multiple apps can now be installed in a single step which simplifies app management. Dependencies between apps will now be be automatically resolved by installing multiple apps if necessary. The functionality to install multiple apps at once through the App Center replaces the Software Selection during the setup process.

  • To determine if a Univention Corporate Server is ready to upgrade from 4.4 to 5.0 can be checked by using this script. univention-upgrade will not proceed with the upgrade if these checks are not successful. See also Chapter 6 for a more in depth manual about the preparation for the upgrade.

  • The Univention Corporate Server package sources have been reduced to a fixed number of two, one for the release and one for errata updates. This speeds up updating the apt package meta data cache especially for upcoming UCS 5 releases. Due to some necessary changes on the Univention repository server, a local UCS 4.x repository will not be able to serve UCS 5.x packages, please check Chapter 4.

  • Univention Configuration Registry variables can now have a default value which is returned if the variable is unset. Please note that not all packages have been updated to use this feature and still define default values in templates.

  • The Linux Kernel, including the signed version for UEFI secure boot, shipped with Univention Corporate Server 5 is now identical with the Kernel in Debian.

  • A new welcome module has been added to the Univention Management Console to guide administrators through the first steps of using Univention Corporate Server like requesting a license or installing apps.

  • For easier and a more uniform service management the services Univention Directory Listener, Univention Directory Notifier and univention-dhcp have been converted from runit services to native systemd services.

  • A thorough list of changes and fixes included in this release can be found in Chapter 9 at the end of this document.

§Chapter 2. Notes about the update

Prerequisite for updating is at least UCS 4.4-8 with UCS 4.4-8 erratum 972. Only then the available update will be shown. Is is recommended to install all other pending errata too before the update is started.

If the update is started via Univention Management Console: Before the actual update starts, some tests are performed, e.g. if all installed Apps would be available on UCS 5.0. At this point, the web interface is already in maintenance mode and nothing is shown but a progress bar. If one test fails, the update will be canceled and a message is written to /var/log/univention/updater.log. To read these in the web frontend, log in to Univention Management Console, open the Software update module and click on "View log file".

During the update some services in the domain may not be available temporarily, that is why the update should occur in a maintenance window. It is recommended to test the update in a separate test environment prior to the actual update. The test environment should be identical to the production environment. Depending on the system performance, network connection and the installed software the update will take between 20 minutes and several hours. In large environments it may be useful to consult the [ucs-performance-guide].

§2.1. Recommended update order for environments with more than one UCS server

In environments with more than one UCS system, the update order of the UCS systems must be borne in mind:

The authoritative version of the LDAP directory service is maintained on the Primary Directory Node (formerly referred to as master domain controller) and replicated to all the remaining LDAP servers of the UCS domain. As changes to the LDAP schema can occur during release updates, the Primary Directory Node must always be the first system to be updated during a release update.

§2.2. UCS only available for 64 bit

UCS 5 is only provided for the x86 64 bit architecture (amd64). Existing 32 bit UCS systems cannot be updated to UCS 5.

§2.3. Component removals

For UCS 5 several integration packages have been removed.

UCS Virtual Machine Manager,
UCS 5 no longer contains the graphical user interface for running virtual machines, but UCS can still run KVM virtualized guests and UCS can still be run virtualized on multiple hypervisors. The Debian packages libvirt and qemu are still available. The update to UCS 5 is blocked until the integration packages are removed. All LDAP objects with univentionObjectType of type uvmm/profile and uvmm/info should be removed.
The direct integration for Bacula backup has been removed. Bacula and Bareos are both still available as Debian packages and also from the App Center.
The Python API documentation is now available online.
MRTG has been removed. For a replacement a similar function is provided by the UCS Dashboard app.
The integration package has been removed. The Debian provided OpenJDK can still be used and installed via the packages default-jre or default-jdk.
The integration package for the graphical K Desktop Environment (KDE) has been removed. The Debian provided packages are still available.
The integration package for FTP has been removed. The Debian provided packages for ProFTPd and other FTP servers are still available.
The integration package for MySQL has been removed. Support is provided for MariaDB instead.
Support for the printer quota system PyKota has been removed as it is no longer maintained upstream.
Support for the Content filter DansGuardian has been removed as the implementation is no longer maintained upstream.
Samba 4 WINS,
Windows NT support has been removed from the Samba.
Linux Kernel,
Support for UEFI Secure Boot is already provided by Debian itself. The UCS specific packages have been removed. The latest Linux kernel for Debian is pulled in via the package linux-image-amd64. The header files of the latest Linux kernel can be pulled in via the package linux-headers-amd64.

§2.4. Increased minimal TLS protocol version

In the area of cryptography the minimal TLS protocol version has been raised to 1.2. For OpenSSL this is enforced by the parameter MinProtocol in /etc/ssl/openssl.cnf. As a consequence, TLS connections to external systems should be checked for TLS 1.2 support before updating to UCS 5.0, as they are likely to fail after the update. This affects AD-Connector setups synchronizing UCS with Microsoft Server versions older than 2012R2, if they are configured to use an encrypted connection. Additionally the OpenSSL default CipherString configuration is DEFAULT@SECLEVEL=2 in UCS 5.0. This additionally restricts the available ciphers for communication, which rules out SHA1 in particular. E.g. Windows Server 2012 supports less ciphers that Windows Server 2012R2 by default.

§2.5. Samba changes

Samba has been updated to version 4.13.7 and also includes the patch for the security issue CVE-2021-20254 from 4.13.8. More details about this and the following points can be found in the changelog below.

During updates to UCS 5 Samba will convert the database to a new index format. Since this is a transaction based operation the required storage capacity of the sam.ldb files will double temporarily for this operation. By default Samba uses the TDB key value database format as backing store, which is limited to a size of 4GB. Before the UCS update, a check is performed, if any of the five database backing files is already close to half of that size. In that case, the update is blocked to avoid non-functional Services for Windows after the update, and a link to a migration guide will be shown.

Support for the SMB1 protocol variant is disabled by default as it is insecure for todays standards.

Support for DES Kerberos encryption types has been removed.

§2.6. Notes about default master packages

Apps like UCC and Open-Xchange used to install special packages on Primary Directory Node and Backup Directory Node to extend the LDAP server with schema and ACL rules. These packages are not needed anymore, these extensions are now distributed via Univention Directory Listener. The packages should be removed before the upgrade is started to avoid incompatibilities with Python 3. Packages that are known to be incompatible are: univention-corporate-client-schema, univention-ox-dependencies-master and univention-ox-directory-integration. The system will also be checked for incompatible package as a preparation for the upgrade, see also Chapter 6.

§2.7. Notes about credentials passed to join scripts

Join scripts are now always executed with the safe option --bindpwdfile instead of passing the credentials directly as command line option.

§Chapter 3. Simultaneous operation of UCS and Debian on UEFI systems

Please note that simultaneous operation of UCS and Debian on a UEFI system starting with UCS 5.0-0 is not supported.

The reason for this is the GRUB boot loader of Univention Corporate Server, which partly uses the same configuration files as Debian. An already installed Debian leads to the fact that UCS cannot be booted (any more) after the installation of or an update to UCS 5.0. A subsequent installation of Debian will also result in UCS 5.0 not being able to boot.

At the following help article further hints to this topic are collected: https://help.univention.com/t/17768

§Chapter 4. Local package repository

This section is relevant for environments where a local repository is set up. The installed (major) version of UCS determines which packages a local repository provides. A repository running on a UCS server with version 4.x will only provide packages up to UCS 4.x, a repository server running on UCS 5 will only provide packages for UCS 5 and newer versions. To upgrade systems to UCS 5 in an environment with a local repository, the following are some of the options. First, a local UCS 5 repository server must be set up.

To upgrade a system in the domain to UCS 5, the server should first be upgraded to the latest package level available for UCS 4.x. Then the repository server used by the system is switched to the local UCS 5 repository by changing the Univention Configuration Registry variable repository/online/server. The system can now be upgraded to UCS 5 via the Univention Management Console or via the command line.

§Chapter 5. Portal

The design and functionality of the portal in UCS 5 has been fundamentally revised. Adjustments may need to be made to the portal configuration after the update to UCS 5.

  • By default, single sign-on is not used when logging in to the portal. Details on enabling single sign-on are described in the manual.

  • The portal used or displayed by a server is determined by the Univention Configuration Registry variable portal/default-dn in UCS 5. After a change, the service univention-portal-server must be restarted.

  • A design customized for the UCS 4 portal using CSS needs to be reworked for the UCS 5 portal.

  • Portal content management will be done via new Univention Directory Manager modules, the settings existing under UCS 4 will be migrated during the update.

§Chapter 6. Preparation of update

Manually crafted Python code needs to be checked for compatibility with Python 3.7 before the Update and adjusted accordingly. This includes Univention Configuration Registry templates containing Python code. Customized AD-Connector mapping templates are an example for this. See also the [developer-reference] for advice.

It must be checked whether sufficient disk space is available. A standard installation requires a minimum of 6-10 GB of disk space. The update requires approximately 1-2 GB additional disk space to download and install the packages, depending on the size of the existing installation.

For the update, a login should be performed on the system's local console as user root, and the update should be initiated there. Alternatively, the update can be conducted using Univention Management Console.

Remote updating via SSH is not recommended as this may result in the update procedure being canceled, e.g., if the network connection is interrupted. In consequence, this can affect the system severely. If updating should occur over a network connection nevertheless, it must be verified that the update continues in case of disconnection from the network. This can be achieved, e.g., using the tools tmux, screen and at. These tools are installed on all UCS system roles by default.

Univention provides a script that checks for problems which would prevent the successful update of the system. Prior to the update, this script can be downloaded and executed on the UCS system.

# download
curl -OOf https://updates.software-univention.de/download/univention-update-checks/pre-update-checks-5.0-0{.gpg,}

# verify and run script
apt-key verify pre-update-checks-5.0-0{.gpg,} &&
  bash pre-update-checks-5.0-0


Starting pre-update checks ...

Checking app_appliance ...                        OK
Checking block_update_of_NT_DC ...                OK
Checking cyrus_integration ...                    OK
Checking disk_space ...                           OK
Checking hold_packages ...                        OK
Checking ldap_connection ...                      OK
Checking ldap_schema ...                          OK

§Chapter 7. Postprocessing of the update

Following the update, new or updated join scripts need to be executed. This can be done in two ways: Either using the UMC module Domain join or by running the command univention-run-join-scripts as user root.

Subsequently the UCS system needs to be restarted.

§Chapter 8. Notes on selected packages

§8.1. Network configuration

Support for ifplugd has been removed.

§8.2. Collection of usage statistics

Anonymous usage statistics on the use of Univention Management Console are collected when using the UCS Core Edition. The modules opened get logged to an instance of the web traffic analysis tool Piwik. This makes it possible for Univention to tailor the development of Univention Management Console better to customer needs and carry out usability improvements.

This logging is only performed when the UCS Core Edition license is used. The license status can be verified via the menu entry License -> License information of the user menu in the upper right corner of Univention Management Console. If UCS Core Edition is listed under License type, this version is in use. When a regular UCS license is used, no usage statistics are collected.

Independent of the license used, the statistics generation can be deactivated by setting the Univention Configuration Registry variable umc/web/piwik to false.

§8.3. Recommended browsers for the access to Univention Management Console

Univention Management Console uses numerous JavaScript and CSS functions to display the web interface. Cookies need to be permitted in the browser. The following browsers are recommended:

  • Chrome as of version 85

  • Firefox as of version 78

  • Safari and Safari Mobile as of version 13

  • Microsoft Edge as of version 88

Users running older browsers may experience display or performance issues.

§Chapter 9. Changelog

Listed are the changes since UCS 4.4-8:

§9.1. General

  • The Python module directories of python-support are not supported anymore (Bug 51506)
  • The upgrade to UCS 5.0 is blocked if there are systems in the domain which don't have at least UCS 4.4-8 (Bug 51621)
  • Systems can only join into the domain with at least UCS 4.4-8 (Bug 51625). If the Primary Directory Node was installed as UCS 5.0, certain database objects are no longer created; thus, joining UCS 4.4-8 systems may result in these systems not having a proper portal until they upgrade to UCS 5.0 (Bug 53091)
  • The legacy terms for the UCS server roles master domain controller, backup domain controller, slave domain controller and member server have been replaced by the new terms Primary Directory Node , Backup Directory Node Replica Directory Node and Managed Node, which more clearly convey their inherent purpose as providing directory services or not. The Microsoft terms domain controller, DC and member server are still applicable in case Microsoft compatible services are provided by Samba on the respective Node (Bug 42374). To reduce potential for confusion, the IP managed client has been renamed to IP client.
  • The base system is no longer a valid system role. It is not possible to choose that role in system setup or update a base system to UCS 5. The corresponding meta package univention-basesystem has been removed (Bug 52137)
  • Process supervision by univention-runit has been replaced with systemd (Bug 52448)
  • The selection on locales has been fixed in univention-directory-reports, univention-appcenter, univention-system-setup and univention-management-console (Bug 52194)
  • The command lastlog can now be called by any user. It shows the timestamp when users have logged on to the local machine. This command reads the information from the file /var/log/lastlog. Before UCS 5.0 this file was only readable by user root. Debian and systemd have this file world readable be default. UCS decided to follow this upstream policy, because a list of all users is accessible via getent passwd anyway (Bug 51579)
  • The join scripts for univention-s4-connector and univention-appcenter now start ucs_registerLDAPExtension with the options --ucsversionstart and --ucsversionstop to signal compatibility with Python 3 (Bug 51763)
  • Installed unsupported packages will now block the upgrade until they are removed from the system (Bug 52957)

§9.2. Univention Installer

  • The package univention-net-installer has been migrated to Python 3 (Bug 52283)

§9.3. Basic system services

§9.3.1. Linux kernel and firmware packages

  • The new command univention-prune-kernels can be used to remove Linux kernel packages, which are no longer used and required (Bug 51769)

§9.3.2. Univention Configuration Registry

  • A new API has been introduced to simplify accessing UCR from Python. It is based on the singleton pattern and optionally provides an auto-updating view (Bug 51126)
  • Documentation for the Univention Configuration Registry variable interfaces/.*/hosts has been added (Bug 33743)
  • univention-install-config-registry calls univention-install-config-registry-info and univention-install-service-info during package build time. It now propagates failures and aborts if calling those programs fails (Bug 32658)
  • The API for UCR Python modules is not consistent: The function handler receives the same arguments for both module registration and on regular updates (Bug 30127)
  • Default values for Univention Configuration Registry variables can now be defined in the files .univention-config-registry-variables (Bug 38938)
  • The performance of ucr shell has been improved (Bug 31257)
  • To simplify software development Univention Configuration Registry now provides the sequence ucr to be used with dh --with ucr in debian/rules instead of calling univention-install-* directly (Bug 51950)
  • All univention-config-registry related scripts have been migrated to Python 3 (Bug 52018, Bug 52157)
  • The API of univention.config_registry.interfaces is now using the ipaddress module instead of the ipaddr module (Bug 52017)
  • The detection of children process IDs in univention.service_info has been fixed (Bug 51524)
  • The old name univention-baseconf has been removed (Bug 52016)
  • The different layers of UCR are now taken into account when deciding if and how to run UCR trigger mechanisms: They will only get a list of changed values honoring the different layers (Bug 52847)

§ Changes to templates and modules

  • Several updates to configuration files from Debian 10 have been merged into the corresponding Univention Configuration Registry template files (Bug 51505)

§9.3.3. Boot Loader

  • The boot process has been adjusted to the new design. It is possible to switch between a dark theme (default) by setting ucr set bootsplash/theme='ucs' and a light theme by setting ucr set bootsplash/theme='ucs-light' (Bug 52797, Bug 52798, Bug 52454)

§9.3.4. Other system services

  • Join scripts are not executed with the unsafe option --bindpwd anymore (Bug 31996)
  • The return code of univention-run-join-scripts indicates errors now (Bug 35561)
  • Join scripts are only executed if the host is already joined (Bug 48730)
  • The new package univention-join-dev provides the Debhelper sequence univention-join. It can be used in debian/rules files with dh --with univention-join to simplify the installation, registration and calling of join scripts. It replaces univention-install-joinscript from the package univention-debhelper, which will be removed with UCS 5.1 (Bug 52211)
  • To prevent problems with UCS components that are only partly updated at the time join scripts are executed, the execution of join scripts is from now on postponed until the end of the update process (post update phase). This change has been implemented with UCS 4.4-6 already but becomes active now (Bug 51624)
  • AppArmor is deactivated by default, because cups and bind9 with samba are not configured for it yet (Bug 51786)
  • The Admin Diary has been migrated to Python 3 (Bug 51334)
  • Since squid version 4.6 the authentication helper basic_ldap_auth returns BH Success instead of ERR Success in case of LDAP bind errors. The encoding wrapper has been adjusted accordingly (Bug 51817)

§9.4. Domain services

  • Support for ifplugd has been removed (Bug 32847)

§9.4.1. OpenLDAP

  • OpenLDAP has been updated to version 2.4.47 (Bug 51312)
  • The container cn=admin-settings,cn=users,cn=policies is no longer created (Bug 47949)
  • The scripts in univention-ldap have been migrated to Python 3 (Bug 52280)

§ LDAP ACL changes

  • The container cn=admin-settings,cn=univention is no longer created (Bug 31048)

§ LDAP schema changes

  • The performance of creating /etc/ldap/slapd.conf has been improved (Bug 34003)

§ LDAP index changes

  • The LDAP attributes aAAARecord, mXRecord, cNAMERecord, sRVRecord, tXTRecord and nSRecord now get indexed to improve the performance of presence searches in the UDM module dns/txt_record (Bug 53192)

§ Listener/Notifier domain replication

  • The last remainders for replog replication have been removed (Bug 42334)
  • Adjustments in the use of python-ldap have been made (Bug 51268)
  • The process supervision for the Univention Directory Listener and Univention Directory Notifier services has been changed from runit to systemd. Any direct calls to the init script or runsv, for example /etc/init.d/univention-directory-listener start or sv start univention-directory-listener, need to be replaced with systemctl, for example systemctl start univention-directory-listener (Bug 43686, Bug 43687)
  • The Listener has been migrated to Python 3. All listener modules are now executed with Python 3.7 (Bug 52256, Bug 45888)
  • A new API for switching the effective user ID in Listener modules has been added. The new listener.SetUID() can be used as a Python context manager and function decorator. The old API using listener.setuid() and listener.unsettuid() is deprecated and should no longer be used (Bug 52447)
  • The package univention-directory-replication has been migrated to Python 3 (Bug 52300)

§9.4.2. DNS server

  • The package univention-bind now makes sure, that the name server BIND is able to start early in the system-setup phase of UCS installation, so the DNS service is available during install/configuration of UCS components (Bug 44462)
  • The package univention-bind has been migrated to Python 3 (Bug 52260)
  • UCS systems are able to automatically use name servers that are transmitted to the UCS system via DHCP. Starting with UCS 5.0 the mechanism has been simplified considerably. UCS systems that obtain their IP address via DHCP now also enter the name servers supplied via DHCP in the Univention Configuration Registry variables nameserver1..3 and dns/forwarder1..3. The name server type (external forwarder vs. domain name server) is detected based on heuristics. This change prevents overwriting of the DNS configuration if the UCR template for the file /etc/resolv.conf is reevaluated (Bug 44462)
  • Univention Configuration Registry variable dns/master/port has been removed (Bug 32188)
  • Trailing semicolons from several Univention Configuration Registry variables dns/* are now stripped by default to prevent syntax errors (Bug 32188)
  • A syntax error has been fixed which prevented the bind service to start during the system setup (Bug 53064)

§9.5. Univention Management Console

§9.5.1. Univention Management Console web interface

  • Univention Management Console now comes with a new design (Bug 52453, Bug 52538)
  • The cookie UMCLang is now correctly saved when accessing Univention Management Console with a language in the query string (Bug 44718)
  • The debhelper scripts for Univention Management Console modules now preserve timestamps when installing files (Bug 49618)
  • The exit code of univention-management-console-command has been improved (Bug 34642)
  • The welcome dialog shown after the first installation has been removed (Bug 53226) in favor of a dedicated welcome module univention-management-console-module-welcome (Bug 53147)
  • Dojo has been upgraded to Version 1.16.3 (Bug 48963)
  • Am error message is not logged any more when a local users login into Univention Management Console (Bug 46932)

§9.5.2. Univention Portal

  • The creation of the portal entry for the Univention Blog has been fixed when installing from DVD (Bug 45787)
  • The portal is now modularized and can be generously configured (Bug 52512, Bug 52125, Bug 51197)
  • The portal server can now serve multiple paths (Univention Configuration Registry variable portal/paths). Consequently, different portal content can be served for different paths (Bug 52792)
  • Links can now be localized, i.e. the tiles point to different URLs depending on the user's locale (Bug 45918)
  • Only one portal setup is created by default. All UCS systems initially show the same portal (Bug 53091)
  • The portal can now be configured to show UMC modules for the current user. A portal only dedicated to UMC modules is also added, effectively replacing the UMC overview (although that still exists) (Bug 52932)
  • New Icons for the UMC modules on the portal page has been added (Bug 52941)

§9.5.3. Univention Management Console server

§9.5.4. Univention App Center

  • The App Center has been migrated to Python 3 (Bug 51598)
  • The App Center can now install multiple Apps at once. It also resolves dependencies between Apps automatically during install (Bug 40225, Bug 52863)
  • Apps can now define in which way they want to be opened in the new Univention Portal (Bug 53161)

§9.5.5. Univention Directory Manager UMC modules and command line interface

  • The Univention Directory Manager has been migrated to Python 3 (Bug 50648, Bug 51631, Bug 50617, Bug 51685)
  • The modules for handling Mobile clients, Fat Clients, Thin Clients, Univention Corporate Clients and their policies and settings have been removed (Bug 51973)
  • The unused script lock_expired_passwords has been removed (Bug 46350)
  • No traceback is logged anymore when creating objects with --ignore_exists when the objects already exists (Bug 46931)
  • UDM handlers now raise an exception univention.admin.uexceptions.wrongObjectType when an object is opened with a wrong type (Bug 45096)
  • Old references to TCP in the univention-cli-server have been removed (Bug 34836)
  • If an error occurs during object creation in the post-create phase the object is now removed correctly (Bug 51669)
  • The apache configuration for the Univention Directory Manager REST API has been adjusted for the new apache version (Bug 51604)
  • The Univention Directory Manager UMC module has been migrated to Python 3 (Bug 51329)
  • The Univention Directory Manager CLI command modify now supports the option --ignore_not_exists (Bug 52984)
  • The --remove option for the Univention Directory Manager CLI command modify has been repaired for properties with complex syntax (Bug 41072)

§9.5.6. Modules for system settings / setup wizard

  • The unused script ldap_available.sh has been removed (Bug 33008, Bug 51683)
  • The directories for hook scripts have been restored (Bug 33029)

§9.5.7. Software update module

  • The Easy upgrade mode has been removed (Bug 40154)
  • The Updater module now links directly to the pending erratum updates (Bug 41646)
  • The preup.sh script executed before a system upgrade now fetches the version of the Primary Directory Node from LDAP instead of using ssh (Bug 40027)
  • The service univention-maintenance now waits for the DNS service before starting the package maintenance during boot-up (Bug 45119)
  • The deprecated command univention-add-app has been removed in favor of the command univention-app (Bug 46474)
  • Architecture i386 is no longer supported and cannot be updated to UCS 5 (Bug 51972)
  • univention-remove no longer updates the package cache before packages are removed (Bug 48019)
  • UCS 4 package sources will be disabled for the upgrade. A backup can be found under /etc/apt/sources.list.d/ with the suffix .upgrade500-backup. The backup will be removed after a successful upgrade (Bug 52954)
  • The at daemon service is configured not to kill any child processes when the service is stopped, which is needed for the upgrade to UCS 5 (Bug 52886)

§9.5.8. Domain join module

  • The Univention Management Console module univention-management-console-module-join has been migrated to Python 3 (Bug 51330)
  • The scripts have been improved for robustness and security (Bug 31026)

§9.5.9. Univention Directory Reports

  • univention-directory-reports is now using Python 3 (Bug 51569)

§9.5.10. Computers module

  • Removing one of multiple DNS PTR records from a computer has been fixed (Bug 53213)
  • Creating a new DHCP enabled computer entry without an IP address did create an invalid dhcp/host entry (Bug 53204)

§9.5.11. DHCP module

  • The process supervision for the DHCP services has been changed from runit to systemd. The service has been renamed from univention-dhcp to isc-dhcp-server as used by upstream. Any direct calls to the init script or runsv must to be replaced with systemctl, for example systemctl start isc-dhcp-server (Bug 43688, Bug 52828)
  • Hook scripts in /etc/dhcp/dhclient-enter-hooks.d/ and /etc/dhcp/dhclient-exit-hooks.d/ returning an error no longer abort the dhclient-scipt. If the old behavior is required a hook script can use exit as the scripts are sourced and not executed in sub-shells (Bug 53172)
  • Fix the day of week in leases when fallback to link-local addresses is enabled (Bug 44427)
  • Remove remaining references to deprecated DHCP version 3 (Bug 32462)
  • Registering of IP addresses received via DHCP are now registered in the LDAP via the HTTP interface of Univention Management Console (Bug 42128)

§9.5.12. System diagnostic module

  • The module has been migrated to Python 3. All plugins are now executed with Python 3 (Bug 51332)
  • The diagnostic module 22_kdc_service has been updated to work with pyasn1 version 0.4 (Bug 51507)

§9.5.13. Process overview module

  • The process overview module now uses Python 3 (Bug 51323)

§9.5.14. Policies

  • Fix error in output of univention_policy_result --help (Bug 35182)

§9.5.15. Printers module

  • The code for handling univentionPrinterUseClientDriver has been removed from the Univention Directory Listener module (Bug 32870)

§9.5.16. Filesystem quota module

  • The listener module quota.py has been migrated to Python 3 (Bug 52310)

§9.5.17. Univention Configuration Registry module

  • The Univention Management Console module univention-management-console-module-ucr has been migrated to Python 3 (Bug 51322)

§9.5.18. Other modules

  • The unused module for configuring the firewall has been removed (Bug 44700)
  • The old system statistics based on MRTG has been removed (Bug 44475)
  • The Univention Management Console module univention-management-console-module-services has been migrated to Python 3 (Bug 51333)
  • The Univention Management Console module univention-management-console-module-ipchange has been migrated to Python 3 (Bug 51331)

§9.5.19. Development of modules for Univention Management Console

  • To simplify software development Univention Management Console now provides the sequence umc to be used with dh --with umc in debian/rules instead of calling dh-umc-modulel-* directly (Bug 51949)

§9.6. Univention Updater

  • The old dists/ repository layout, which was used between UCS 2.X and 4.x, is no longer supported. Instead the new pool/-layout uses package index files below dists/, which reference files from pool/ (Bug 51316, Bug 51588)
  • Due to the changed repository layout the deprecated Univention Configuration Registry variables repository/online/component/4.*-*-errata are purged after the update (Bug 47192)
  • Starting with UCS 5.0 the UCS repository is no longer divided into the 2 sections maintained and unmaintained. Instead, all packages are kept in one section and the maintenance status of the packages is technically defined in a different way. Therefore, the Univention Configuration Registry variable repository/online/unmaintained is no longer in use as of UCS 5.0. However, the Univention Configuration Registry variable for components (repository/online/component/$comp/unmaintained) are still in use (Bug 51316). To check if unmaintained packages are installed, the command univention-list-installed-unmaintained-packages can be executed (Bug 52715)
  • Up to UCS 4.4, the Univention Updater automatically detected for component repositories whether the required package files were stored within the architecture directories (i386/, amd64/, all/) or in the directory level above (flat repository). Starting with UCS 5.0, the new Univention Configuration Registry variable repository/online/component/$comp/layout must be used to define whether a flat repository (value flat) is to be used. If the variable is not set, the other possible value arch is assumed, where the packages files are searched in the architecture directories (Bug 51316)
  • The semantics of the Univention Configuration Registry variable repository/online/component/$comp/version has changed. The values current and an unset variable now have the same meaning: The component directory is always included and must exists; an update is blocked if it does not and APT resp. Univention Updater will error out if it does not.

    As an alternative a fixed list of $major.$minor releases can be used to include the component only for a sub-set of releases: such a component is only used locally if the listed component versions include the current version, e.g. a 5.0 5.1 5.2 component will not be used on a 5.3 system.

    As a consequence the packages (or at least the Packages) files have to be copied for a new release if (and only if) the component should also be available for the new release. This is cheap if the pool/-layout is used as then only the Packages file must be copied, which then references the same packages from the pool/ directory (Hint: using relative links with ../ is also okay) (Bug 51316)

  • During the update to UCS 5.0, objects from deprecated UCS versions are deleted from the LDAP directory. Information about deleted objects and the objects LDIF output can be found in the logfile /var/univention-backup/update-to-5.0-0/removed_with_ucs5_timestamp.ldif (Bug 51655)

§9.7. Univention base libraries

  • Documentation for the Univention Configuration Registry variables groups/default/* and users/default/* has been added (Bug 33693)
  • The implementations of UCS_Version in univention-updater has been merged into the implementation in univention-lib (Bug 32821)
  • The scripts in univention-lib are now using Python 3 (Bug 51628, Bug 51429, Bug 52155)
  • The matching of locales in univention.lib.i18n has been corrected (Bug 51633)
  • The logging of error messages from slapdtest in univention.lib.ldap_extension has been improved (Bug 51648)
  • The function lookup_adds_dc in univention.lib.admember now runs dig with the option +nocookie to avoid FORMERR from Windows DCs (Bug 51652)
  • UDM extensions can now be registered in different versions for different UCS versions to prepare for the UCS 5 update (Bug 51619, Bug 51622)
  • UDM and LDAP extensions are now correctly removed or created when the UCS version changes (Bug 51531)
  • The univention.fstab library has been merged into univention.lib.fstab (Bug 27825)
  • The univention-python library has been migrated to Python 3. Various modules have been removed (Bug 52063)
  • ucs_registerLDAPExtension now waits correctly for the registered Univention Directory Manager extension files to be replicated (Bug 52942)

§9.8. Software monitor

  • A package dependency cycle has been fixed (Bug 42287)

§9.9. System services

§9.9.1. MariaDB

  • The package univention-mysql has been removed in favor of MariaDB (Bug 51979)

§9.9.2. Docker

  • docker has been updated to version 19.03; docker-compose has been updated to version 1.25 (Bug 52838)

§9.9.3. SAML

  • All scripts of univention-saml have been migrated to Python 3 (Bug 51315)
  • The package crudesaml was updated to version 1.9 (Bug 51489)

§9.9.4. Mail services

  • The fetchmail service will be disabled via the Univention Configuration Registry variable fetchmail/autostart for the time of the update to prevent restart issues during the update (Bug 52923)
  • The ACL handling of user names and group names containing spaces has been fixed for shared folders (Bug 53111)
  • An internal change to the listener module for shared mail folders (dovecot-shared-folder.py) has been made to prevent problems with mixed upper and lowercase domain names (Bug 52241)
  • Error messages during initial installation of univention-mail-postfix are now prevented by reordering of the internal installation steps (Bug 52842)
  • Starting with UCS 5.0 the package univention-mail-postfix is now mandatory installed on every UCS system. The sole installation of the virtual package mail-transport-agent is no longer sufficient (Bug 52807)
  • No longer needed Univention Configuration Registry variable mail/dovecot/auth/allowplaintext was dropped from the package univention-mail-dovecot because of Dovecot no longer allowing to login with plain text passwords while using TLS/SSL (Bug 52724)
  • The package univention-fetchmail has been migrated to Python 3 (Bug 52282)
  • The package univention-mail-postfix has been migrated to Python 3 (Bug 52255)
  • The package univention-mail-dovecot has been migrated to Python 3 (Bug 52254)

§9.9.5. Printing services

  • The package univention-check-printers for checking USB printers has been removed (Bug 52123)
  • The package univention-printclient has been migrated to Python 3 (Bug 52423)
  • Support for the printer quota system PyKota has been removed as the important is no longer maintained upstream (Bug 51482)

§9.9.6. Nagios

  • The package univention-nagios-server has been removed (Bug 52122)

§9.9.7. RADIUS

  • The package univention-radius has been migrated to Python 3 (Bug 52286)

§9.9.8. Kerberos

  • Heimdal is now compiled with python3-univention-lib (Bug 52249)
  • The package univention-heimdal has been migrated to Python 3 (Bug 52257)

§9.9.9. SSL

  • OpenSSL has been updated to version 1.1.1d. This raises the minimal required TLS protocol version to TLS 1.2.
  • The package univention-ssl has been migrated to Python 3 (Bug 52281)

§9.9.10. Celery services

  • The package univention-celery has been removed (Bug 51486)

§9.9.11. DHCP server

  • The Python code has been converted to Python 3 (Bug 52259)

§9.9.12. PAM / Local group cache

  • Fix LDAP filter syntax in Univention Directory Listener module faillog.py (Bug 28645)
  • Several potential buffer overruns have been fixed in pam-univentionmailcyrus (Bug 51981)
  • The package univention-skel has been removed. Newly created $HOME directories can now be provisioned using the standard directory /etc/skel/. Customers relying on files under /etc/univention/skel/ should migrate the files to the new location (Bug 43211)
  • The packages univention-passwd-cache and univention-passwd-store have been removed (Bug 52056)
  • The package univention-pam has been migrated to Python 3 (Bug 52250)

§9.9.13. NFS

  • The package univention-nfs has been migrated to Python 3 (Bug 52269)

§9.9.14. Bacula and Backup

  • The component package univention-bacula has been removed in favor of the different backup Apps available from Univention App Center (Bug 46588)
  • The package univention-remote-backup has been removed (Bug 52120)

§9.9.15. Other services

  • The packages univention-snmp and univention-snmpd have been removed (Bug 52121)
  • The package univention-directory-logger has been migrated to Python 3 (Bug 52301)
  • The package univention-server-overview has been migrated to Python 3 (Bug 51328)

§9.10. Virtualization

  • All packages related to running virtual machines on UCS have been removed (Bug 51982)
  • In case the libvirt-daemon is still installed, the services libvirtd.service resp. virtlogd.service are stopped and masked prior to the update to UCS 5.0. After the update, both services are set to the old state (enabled, disabled, masked) (Bug 52974)

§9.11. Services for Windows

§9.11.1. Samba

  • Samba has been updated to version 4.13.7 (Bug 49898). It also includes the patch for the security issue CVE-2021-20254 (Bug 53069). Some highlights, quoting upstream release notes:

    • Extensive efforts have been made to optimized Samba for use in organizations (for example) targeting 100,000 users, plus 120,000 computer objects, as well as large number of group memberships. Many of the specific efforts are detailed below, but the net results is to remove barriers to significantly larger Samba deployments compared to previous releases.
    • The LDAP server has improved memory efficiency, ensuring that large LDAP responses (for example a search for all objects) is not copied multiple times into memory.
    • Search performance on large LDB databases has been improved by reducing memory allocations made on each object.
    • Samba uses a new index format allowing Samba to efficiently select objects changed since the last replication cycle, using LDAP search filter relations <= and >=. This in turn improves performance during replication of large domains.
    • Please note that the default backend key value store TDB, used by Samba/AD for its sam.ldb database, is size limited. This should be considered when designing or growing a domain into larger dimensions. Since this is a limit of the backend key value store, it doesn't directly translate into a fixed limit for LDAP objects, as it depends on the number of attributes, if the attributes are indexed and other factors like these. The size limit of TDB is due to its 32-bit data model. This may impact update scenarios in particular, where Samba/AD re-keys and re-indexes the data transparently on the first startup. Since this happens in a single transaction, the storage requirement doubles temporarily. To avoid issues, UCS checks the current size of the SAM backend databases before updating and will abort with a warning if the update may run in danger to render Samba/AD into a non-functional state. Workarounds for this are conceivable, but the exact details depend on the topology of the specific UCS domain. In particular, Samba/AD offers an alternative implementation for the key value store, which is based on the same LMDB database technology that backs the high consistency and performance demands of OpenLDAP.
    • To improve performance during batch operations i.e. joins, LDB now accepts a batch_mode option. However to prevent any index or database inconsistencies if an operation fails, the entire transaction will be aborted at commit.
    • Default AD schema for new installations changed from 2008_R2 to 2012_R2. 2012_R2 functional level is not yet available.

    Some notable changes:

    • SMB1 is disabled by default. The default for the smb.conf parameters server min protocol and server min protocol has been increased from NT1 to SMB2_02. This means clients without support for SMB2 or SMB3 are no longer able to connect to smbd (by default). It also means client tools like smbclient and other are no longer able to connect to servers without SMB2 or SMB3 support (by default). As Microsoft no longer installs SMB1 support in recent releases or un-installs it after 30 days without usage, the Samba Team tries to get remove the SMB1 usage as much as possible. SMB1 is officially deprecated and might be removed step by step in the following years.
    • The default for the --model argument passed to the samba executable has changed from standard to prefork. This means a difference in the number of samba child processes that are created to handle client connections. The previous default would create a separate process for every LDAP or NETLOGON client connection. For a network with a lot of persistent client connections, this could result in significant memory overhead. Now, with the new default of prefork, the LDAP, NETLOGON, and KDC services will create a fixed number of worker processes at startup and share the client connections amongst these workers. The number of worker processes can be configured by the prefork children setting in the smb.conf (the default is 4). Currently this is not yet configurable via Univention Configuration Registry variable, but can be adjusted via /etc/samba/local.conf. If this becomes a popular request, adding the configuration option via Univention Configuration Registry variable may be useful in the future.
    • Samba 4.11 has changed how the AD database is stored on disk. Samba/AD users should not really be affected by this change when upgrading from 4.10. The database will automatically get rewritten in the new 4.11 format when you first start the upgraded samba executable. However, when downgrading from 4.11 you will need to manually downgrade the AD database yourself. When either upgrading or downgrading, users should also avoid making any database modifications between installing the new Samba packages and starting the samba executable.
    • Since the Samba 4.12 release, support for DES encryption types has been removed, and setting DES_ONLY flag for an account will cause Kerberos authentication to fail for that account (see RFC 6649). DES keys no longer saved in the AD DB. When a new password is set for an account, Samba DCs will store random keys in DB instead of DES keys derived from the password.
    • The smb.conf parameter encrypt passwords is deprecated (Default: yes). The Univention Configuration Registry variable samba/encrypt_passwords has been obsoleted by this.
    • The default for the smb.conf parameter mangled names has changed from yes to illegal.
    • The smb.conf parameter blocking locks is deprecated and the samba-shares.py listener module doesn't write it into share configurations any longer.

    For more information see also:


    Please avoid to set server schannel = no and server schannel = auto on all Samba domain controllers due to the well-known ZeroLogon issue. For details see CVE-2020-1472.


    Please consult UCS documentation sources before attempting to change settings from the UCS defaults, which are not (yet) accessible via Univention Configuration Registry variables. Only settings described in the UCS manual are officially supported.

  • Samba/AD now evaluates Active Directory ACLs for LDAP searches by default. Technically this was done by changing the default for the Univention Configuration Registry variable samba/acl_search to yes (Bug 51522)
  • The package cifs-utils is now installed by default (Bug 39259)
  • The scripts in univention-samba and univention-samba4 are now running with Python 3 (Bug 52045)
  • univention-samba has been adjusted to properly restart samba during package updates in case smbd was running (Bug 47367)
  • The package univention-samba-slave-pdc has been removed (Bug 52943)
  • The package univention-samba4wins has been removed (Bug 51497)
  • The package univention-samba4 now installs /usr/share/univention-samba4/scripts/migrate_legacy_dns_zones.sh (Bug 53093)

§9.11.2. Univention AD Takeover

  • AD-Takeover now runs with Python 3 (Bug 51324)

§9.11.3. Univention S4 Connector

  • The univention-s4-connector is now running with Python 3 (Bug 52043)
  • The listener module s4-connector has been adjusted to avoid repeated restarts of the univention-s4-connector in quick succession during module initialization (Bug 52681)
  • The name of the Univention Configuration Registry variable connector/s4/mapping/sid/sid_to_ucs has been fixed in the registration to match the name connector/s4/mapping/sid_to_ucs which is actually set and used (Bug 53023)

§9.11.4. Univention Active Directory Connection

  • The univention-ad-connector is now running with Python 3 (Bug 52044). The logfile /var/log/univention/connector.log has been renamed to /var/log/univention/connector-ad.log. The script univention-connector-list-rejected has been renamed to univention-adconnector-list-rejected. The mapping has been migrated from a Univention Configuration Registry template into a Python file (/etc/univention/connector/ad/mapping.py).
  • The obsolete dependency on pysqlite2 has been removed (Bug 51484)
  • The Univention Management Console module now runs with Python 3 (Bug 51336)
  • The admember code now runs with Python 2 as well as with Python 3 (Bug 51324)

§9.12. Other changes

  • All links to forum.univention.de have been updated to point to https://help.univention.com/ now (Bug 43926)
  • The package univention-java has been removed (Bug 51983)
  • The desktop package univention-kde has been removed (Bug 51977)
  • The package univention-ftp has been removed (Bug 51980)
  • univention-debhelper now propagates failures and aborts if calling programs fail (Bug 50100)
  • The package dansguardian has been removed (Bug 51483)
  • The package univention-debootstrap has been removed(Bug 52124)
  • The package univention-ucs-translation-template has been renamed to univention-l10n. To simplify software development it now provides the sequence univention-l10n to be used with dh --with univention-l10n in debian/rules instead of calling univention-l10n-* directly (Bug 51656)
  • All deprecated univention.debug.function() calls have been removed from the code (Bug 51200)



[ucs-performance-guide] Univention GmbH. 2022. UCS performance guide. https://docs.software-univention.de/performance-guide-5.0.html.


[developer-reference] Univention GmbH. 2022. Univention Developer Reference. https://docs.software-univention.de/developer-reference-5.0.html.