With Univention Corporate Server 5.0-0, the fifth major release of Univention Corporate Server (UCS) is now available. It provides several feature improvements and extensions, new properties as well as various improvements and bugfixes. Here is an overview of the most important changes:
This new major Univention Corporate Server release is based on Debian 10.9 Buster. A lot of packages have been updated from upstream. This includes for example the Linux Kernel (4.19), PostgreSQL (11), Python 3 (3.7) and Samba (4.13.7).
The portal has been updated to become the central hub for Univention Corporate Server users.
Apps and web pages can be opened as inline frames (iframe) within the portal.
This enables users to quickly open and switch apps.
Organizations are given the ability to strengthen their identity by having their apps on a central page.
With Python as the language of choice for many Univention Corporate Server components, most have been converted to run with Python 3.7. Python 2.7 is still supported with UCS 5.0, but will be removed with UCS 5.1.
The Univention Management Console now uses a dark colored theme. A light colored theme will be added as an update at a later date.
The system roles have been renamed.
"master domain controller" is renamed to "Primary Directory Node", "backup domain controller" to "Backup Directory Node", "slave domain controller" to "Replica Directory Node" and "member server" to "Managed Node".
This is an ongoing process; in this release the documentation and UI texts have been adjusted.
Software installation is now done exclusively via the App Center. The Software Selection during the initial Configuration of a Univention Corporate Server node has been removed.
Multiple apps can now be installed in a single step, which simplifies app management. Dependencies between apps will now be resolved automatically by installing multiple apps if necessary. The functionality to install multiple apps at once through the App Center replaces the Software Selection during the setup process.
Whether a Univention Corporate Server is ready to upgrade from 4.4 to 5.0 can be checked by using this script. univention-upgrade will not proceed with the upgrade if these checks are not successful. See also Chapter 6 for a more in-depth manual about the preparation for the upgrade.
The Univention Corporate Server package sources have been reduced to a fixed number of two, one for the release and one for errata updates. This speeds up updating the apt package meta data cache especially for upcoming UCS 5 releases. Due to some necessary changes on the Univention repository server, a local UCS 4.x repository will not be able to serve UCS 5.x packages, please check Chapter 4.
Univention Configuration Registry variables can now have a default value which is returned if the variable is unset. Please note that not all packages have been updated to use this feature and still define default values in templates.
The Linux Kernel, including the signed version for UEFI secure boot, shipped with Univention Corporate Server 5 is now identical with the Kernel in Debian.
A new welcome module has been added to the Univention Management Console to guide administrators through the first steps of using Univention Corporate Server like requesting a license or installing apps.
For easier and more uniform service management, the services Univention Directory Listener, Univention Directory Notifier and univention-dhcp have been converted from runit services to native systemd services.
A thorough list of changes and fixes included in this release can be found in Chapter 9 at the end of this document.
Prerequisite for updating is at least UCS 4.4-8 with UCS 4.4-8 erratum 972. Only then will the available update be shown. It is recommended to install all other pending errata too before the update is started.
If the update is started via Univention Management Console:
Before the actual update starts, some tests are performed, e.g. if all installed Apps would be available on UCS 5.0.
At this point, the web interface is already in maintenance mode and nothing is shown but a progress bar.
If one test fails, the update will be canceled and a message is written to /var/log/univention/updater.log.
To read these in the web frontend, log in to Univention Management Console, open the module and click on "View log file".
During the update some services in the domain may not be available temporarily, that is why the update should occur in a maintenance window. It is recommended to test the update in a separate test environment prior to the actual update. The test environment should be identical to the production environment. Depending on the system performance, network connection and the installed software the update will take between 20 minutes and several hours. In large environments it may be useful to consult the [ucs-performance-guide].
In environments with more than one UCS system, the update order of the UCS systems must be borne in mind:
The authoritative version of the LDAP directory service is maintained on the Primary Directory Node (formerly referred to as master domain controller) and replicated to all the remaining LDAP servers of the UCS domain. As changes to the LDAP schema can occur during release updates, the Primary Directory Node must always be the first system to be updated during a release update.
UCS 5 is only provided for the x86 64 bit architecture (amd64). Existing 32 bit UCS systems cannot be updated to UCS 5.
For UCS 5 several integration packages have been removed.
univentionObjectType of type uvmm/profile and uvmm/info should be removed.
In the area of cryptography the minimal TLS protocol version has been raised to 1.2.
For OpenSSL this is enforced by the parameter MinProtocol in /etc/ssl/openssl.cnf.
As a consequence, TLS connections to external systems should be checked for TLS 1.2 support before updating to UCS 5.0, as they are likely to fail after the update.
This affects AD-Connector setups synchronizing UCS with Microsoft Server versions older than 2012R2, if they are configured to use an encrypted connection.
Additionally, the OpenSSL default CipherString configuration is DEFAULT@SECLEVEL=2 in UCS 5.0.
This further restricts the available ciphers for communication, which rules out SHA1 in particular.
E.g. Windows Server 2012 supports fewer ciphers than Windows Server 2012R2 by default.
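As an added example (not code from the release notes or from Univention), the following script checks an openssl.cnf for the two settings described above and probes a peer with the same restrictions UCS 5.0 will apply; the [system_default_sect] section name follows Debian's openssl.cnf layout, and the sample configuration is constructed.

```python
"""Check OpenSSL system defaults and probe a peer with the UCS 5.0 TLS profile.

Added example, not part of the UCS release notes or of Univention's tooling.
Assumes the Debian layout of /etc/ssl/openssl.cnf, where the system-wide
defaults live in a [system_default_sect] section.
"""
import re
import socket
import ssl
import sys

# Constructed sample: the relevant part of openssl.cnf with the UCS 5.0 defaults.
SAMPLE_OPENSSL_CNF = """\
openssl_conf = default_conf
[default_conf]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2
"""

PROTOCOL_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


def parse_sections(text):
    """Minimal parser for OpenSSL's INI-like config: {section: {key: value}}."""
    sections = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def seclevel(cipher_string):
    """Security level requested by a CipherString; OpenSSL's default is 1."""
    match = re.search(r"@SECLEVEL=(\d)", cipher_string)
    return int(match.group(1)) if match else 1


def audit_system_defaults(cnf_text):
    """Return findings where the config falls below the UCS 5.0 baseline
    (MinProtocol >= TLSv1.2, SECLEVEL >= 2); an empty list means it is met."""
    sect = parse_sections(cnf_text).get("system_default_sect", {})
    findings = []
    min_proto = sect.get("MinProtocol")
    if min_proto not in PROTOCOL_ORDER or PROTOCOL_ORDER.index(min_proto) < 3:
        findings.append("MinProtocol is %r, UCS 5.0 enforces TLSv1.2" % (min_proto,))
    cipher = sect.get("CipherString", "")
    if seclevel(cipher) < 2:
        findings.append("CipherString %r is below DEFAULT@SECLEVEL=2" % (cipher,))
    return findings


def probe_peer(host, port=636, timeout=5.0):
    """Handshake with host:port (636 = LDAPS by default) using the restrictions
    UCS 5.0 will apply: TLS 1.2 minimum and DEFAULT@SECLEVEL=2. Returns
    (ok, detail). Certificate validation stays on, because SECLEVEL=2 also
    rejects weak certificate chains and that failure is part of the picture."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("DEFAULT@SECLEVEL=2")
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return True, "%s with %s" % (tls.version(), tls.cipher()[0])
    except (ssl.SSLError, OSError) as exc:
        return False, str(exc)


if __name__ == "__main__":
    for finding in audit_system_defaults(SAMPLE_OPENSSL_CNF):
        print("FINDING:", finding)
    if len(sys.argv) > 1:                     # usage: script.py host [port]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 636
        print(probe_peer(sys.argv[1], port))
```

Run the audit against the real /etc/ssl/openssl.cnf by reading the file into audit_system_defaults(), and probe every external TLS peer (AD-Connector targets first) before starting the update.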
Samba has been updated to version 4.13.7 and also includes the patch for the security issue CVE-2021-20254 from 4.13.8. More details about this and the following points can be found in the changelog below.
During updates to UCS 5 Samba will convert the database to a new index format.
Since this is a transaction based operation, the required storage capacity of the sam.ldb files will double temporarily for this operation.
By default Samba uses the TDB key value database format as backing store, which is limited to a size of 4GB.
Before the UCS update, a check is performed whether any of the five database backing files is already close to half of that size.
In that case, the update is blocked to avoid non-functional Services for Windows after the update, and a link to a migration guide will be shown.
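An added example (not the updater's own check) that applies the rule just described to the sam.ldb backing files; the private directory /var/lib/samba/private and the 80% warning threshold are assumptions.

```python
"""Pre-update headroom check for the Samba/AD backend database files.

Added example; it is not the check shipped with the UCS updater. It assumes
the default Samba private directory /var/lib/samba/private on the DC.
"""
import os

TDB_LIMIT = 4 * 1024 ** 3   # TDB cannot grow past 4 GiB (32-bit data model)
# The index conversion runs in one transaction, so a file may double in size.
# A file already above half the limit would hit the ceiling mid-transaction.
SAFE_MAX = TDB_LIMIT // 2


def backing_files(private_dir="/var/lib/samba/private"):
    """sam.ldb plus the per-partition files below sam.ldb.d/."""
    paths = [os.path.join(private_dir, "sam.ldb")]
    part_dir = os.path.join(private_dir, "sam.ldb.d")
    if os.path.isdir(part_dir):
        paths += [os.path.join(part_dir, n) for n in sorted(os.listdir(part_dir))
                  if n.endswith(".ldb")]
    return paths


def evaluate_sizes(sizes, safe_max=SAFE_MAX, warn_ratio=0.8):
    """sizes maps path -> size in bytes. Returns (blocked, report lines).
    blocked is True when any file has already passed half the TDB limit,
    which is the condition under which the UCS update refuses to proceed.
    warn_ratio (assumed 80%) flags files that will get there soon."""
    blocked, report = False, []
    for path, size in sorted(sizes.items()):
        ratio = size / float(safe_max)
        if size > safe_max:
            status, blocked = "BLOCK", True
        elif ratio >= warn_ratio:
            status = "WARN"
        else:
            status = "OK"
        report.append("%-5s %5.1f%% of safe maximum  %s" % (status, ratio * 100, path))
    return blocked, report


def check_samba_db(private_dir="/var/lib/samba/private"):
    """Size up the live database files; missing files are skipped."""
    sizes = {p: os.path.getsize(p) for p in backing_files(private_dir)
             if os.path.isfile(p)}
    return evaluate_sizes(sizes)


if __name__ == "__main__":
    blocked, report = check_samba_db()
    print("\n".join(report))
    print("update would be blocked" if blocked else "sam.ldb sizes OK")
```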
Support for the SMB1 protocol variant is disabled by default as it is insecure by today's standards.
Support for DES Kerberos encryption types has been removed.
Apps like UCC and Open-Xchange used to install special packages on Primary Directory Node and Backup Directory Node to extend the LDAP server with schema and ACL rules. These packages are not needed anymore; these extensions are now distributed via Univention Directory Listener. The packages should be removed before the upgrade is started to avoid incompatibilities with Python 3. Packages that are known to be incompatible are: univention-corporate-client-schema, univention-ox-dependencies-master and univention-ox-directory-integration. The system will also be checked for incompatible packages as a preparation for the upgrade, see also Chapter 6.
Join scripts are now always executed with the safe option --bindpwdfile instead of passing the credentials directly as a command line option.
Please note that simultaneous operation of UCS and Debian on a UEFI system starting with UCS 5.0-0 is not supported.
The reason for this is the GRUB boot loader of Univention Corporate Server, which partly uses the same configuration files as Debian. An already installed Debian leads to the fact that UCS cannot be booted (any more) after the installation of or an update to UCS 5.0. A subsequent installation of Debian will also result in UCS 5.0 not being able to boot.
At the following help article further hints to this topic are collected: https://help.univention.com/t/17768
This section is relevant for environments where a local repository is set up. The installed (major) version of UCS determines which packages a local repository provides. A repository running on a UCS server with version 4.x will only provide packages up to UCS 4.x, a repository server running on UCS 5 will only provide packages for UCS 5 and newer versions. To upgrade systems to UCS 5 in an environment with a local repository, the following are some of the options. First, a local UCS 5 repository server must be set up.
A new UCS 5 system is installed as a Primary Directory Node from the DVD or from a virtualized base image. Then a local repository is set up on this system as described in the UCS 5 manual.
A new UCS 5 system is installed with the system role Backup Directory Node, Replica Directory Node or Managed Node from the DVD or from a virtualized base image.
In system setup, select that the system will not join a domain.
Then set up a local repository on this system as described in the UCS 5 manual.
After the Primary Directory Node used in the domain is upgraded to UCS 5, the UCS 5 repository server can join the domain via univention-join.
To upgrade a system in the domain to UCS 5, the server should first be upgraded to the latest package level available for UCS 4.x.
Then the repository server used by the system is switched to the local UCS 5 repository by changing the Univention Configuration Registry variable repository/online/server.
The system can now be upgraded to UCS 5 via the Univention Management Console or via the command line.
The design and functionality of the portal in UCS 5 has been fundamentally revised. Adjustments may need to be made to the portal configuration after the update to UCS 5.
By default, single sign-on is not used when logging in to the portal. Details on enabling single sign-on are described in the manual.
The portal used or displayed by a server is determined by the Univention Configuration Registry variable portal/default-dn in UCS 5. After a change, the service univention-portal-server must be restarted.
A design customized for the UCS 4 portal using CSS needs to be reworked for the UCS 5 portal.
Portal content management will be done via new Univention Directory Manager modules, the settings existing under UCS 4 will be migrated during the update.
Manually crafted Python code needs to be checked for compatibility with Python 3.7 before the update and adjusted accordingly. This includes Univention Configuration Registry templates containing Python code. Customized AD-Connector mapping templates are an example of this. See also the [developer-reference] for advice.
It must be checked whether sufficient disk space is available. A standard installation requires a minimum of 6-10 GB of disk space. The update requires approximately 1-2 GB additional disk space to download and install the packages, depending on the size of the existing installation.
For the update, a login should be performed on the system's local console as user root, and the update should be initiated there.
Alternatively, the update can be conducted using Univention Management Console.
Remote updating via SSH is not recommended as this may result in the update procedure being canceled, e.g., if the network connection is interrupted.
In consequence, this can affect the system severely.
If updating should occur over a network connection nevertheless, it must be verified that the update continues in case of disconnection from the network.
This can be achieved, e.g., using the tools tmux, screen and at.
These tools are installed on all UCS system roles by default.
Univention provides a script that checks for problems which would prevent the successful update of the system. Prior to the update, this script can be downloaded and executed on the UCS system.
# download
curl -OOf https://updates.software-univention.de/download/univention-update-checks/pre-update-checks-5.0-0{.gpg,}
# verify and run script
apt-key verify pre-update-checks-5.0-0{.gpg,} && bash pre-update-checks-5.0-0
...
Starting pre-update checks ...
Checking app_appliance ... OK
Checking block_update_of_NT_DC ... OK
Checking cyrus_integration ... OK
Checking disk_space ... OK
Checking hold_packages ... OK
Checking ldap_connection ... OK
Checking ldap_schema ... OK
...
Following the update, new or updated join scripts need to be executed.
This can be done in two ways: either using the UMC module or univention-run-join-scripts as user root.
Subsequently the UCS system needs to be restarted.
Support for ifplugd has been removed.
Anonymous usage statistics on the use of Univention Management Console are collected when using the UCS Core Edition. The modules opened get logged to an instance of the web traffic analysis tool Piwik. This makes it possible for Univention to tailor the development of Univention Management Console better to customer needs and carry out usability improvements.
This logging is only performed when the UCS Core Edition license is used. The license status can be verified via the menu entry of the user menu in the upper right corner of Univention Management Console. If is listed under , this version is in use. When a regular UCS license is used, no usage statistics are collected.
Independent of the license used, the statistics generation can be deactivated by setting the Univention Configuration Registry variable umc/web/piwik to false.
Univention Management Console uses numerous JavaScript and CSS functions to display the web interface. Cookies need to be permitted in the browser. The following browsers are recommended:
Chrome as of version 85
Firefox as of version 78
Safari and Safari Mobile as of version 13
Microsoft Edge as of version 88
Users running older browsers may experience display or performance issues.
Listed are the changes since UCS 4.4-8:
lastlog can now be called by any user. It shows the timestamp when users have logged on to the local machine. This command reads the information from the file /var/log/lastlog. Before UCS 5.0 this file was only readable by user root. Debian and systemd have this file world readable by default. UCS decided to follow this upstream policy, because a list of all users is accessible via getent passwd anyway (Bug 51579)
univention-s4-connector and univention-appcenter now start ucs_registerLDAPExtension with the options --ucsversionstart and --ucsversionstop to signal compatibility with Python 3 (Bug 51763)
univention-prune-kernels can be used to remove Linux kernel packages which are no longer used and required (Bug 51769)
interfaces/.*/hosts has been added (Bug 33743)
univention-install-config-registry calls univention-install-config-registry-info and univention-install-service-info during package build time. It now propagates failures and aborts if calling those programs fails (Bug 32658)
handler receives the same arguments for both module registration and on regular updates (Bug 30127)
.univention-config-registry-variables (Bug 38938)
ucr shell has been improved (Bug 31257)
ucr to be used with dh --with ucr in debian/rules instead of calling univention-install-* directly (Bug 51950)
univention.config_registry.interfaces is now using the ipaddress module instead of the ipaddr module (Bug 52017)
univention.service_info has been fixed (Bug 51524)
univention-baseconf has been removed (Bug 52016)
--bindpwd anymore (Bug 31996)
univention-run-join-scripts indicates errors now (Bug 35561)
univention-join. It can be used in debian/rules files with dh --with univention-join to simplify the installation, registration and calling of join scripts. It replaces univention-install-joinscript from the package univention-debhelper, which will be removed with UCS 5.1 (Bug 52211)
basic_ldap_auth returns BH Success instead of ERR Success in case of LDAP bind errors. The encoding wrapper has been adjusted accordingly (Bug 51817)
cn=admin-settings,cn=univention is no longer created (Bug 31048)
/etc/ldap/slapd.conf has been improved (Bug 34003)
dns/txt_record (Bug 53192)
init script or runsv, for example /etc/init.d/univention-directory-listener start or sv start univention-directory-listener, need to be replaced with systemctl, for example systemctl start univention-directory-listener (Bug 43686, Bug 43687)
listener.SetUID() can be used as a Python context manager and function decorator. The old API using listener.setuid() and listener.unsetuid() is deprecated and should no longer be used (Bug 52447)
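As an added illustration of what a combined context manager and decorator API of this shape guarantees (privileges are restored on every exit path), here is a stand-alone re-implementation; it is not the listener's own code, and the uid values and the fake credential backend are constructed so it runs unprivileged.

```python
"""Illustrative privilege switch in the shape of the new listener.SetUID()
API: usable as a context manager and as a decorator, and guaranteed to drop
back to the original uid even when the wrapped code raises.

Added example, not the code shipped in univention-directory-listener. The
uid numbers and the fake seteuid backend are constructed for the demo.
"""
import functools
import os


class SetUID(object):
    """Raise the effective uid to `uid` (root by default) for a block."""

    def __init__(self, uid=0, seteuid=os.seteuid, geteuid=os.geteuid):
        self.uid = uid
        self._seteuid, self._geteuid = seteuid, geteuid   # injectable for tests
        self._saved = None

    def __enter__(self):
        self._saved = self._geteuid()
        self._seteuid(self.uid)
        return self

    def __exit__(self, exc_type, exc, tb):
        self._seteuid(self._saved)   # always restore, even on exception
        return False                 # never swallow the exception

    def __call__(self, func):        # decorator form: one switch per call
        @functools.wraps(func)
        def wrapper(*args, **kwargs):
            with self:
                return func(*args, **kwargs)
        return wrapper


class FakeCredentials(object):
    """Constructed stand-in for the process credentials, recording changes."""

    def __init__(self, uid):
        self.uid, self.trace = uid, []

    def seteuid(self, uid):
        self.uid = uid
        self.trace.append(uid)


def demo(start_uid=1000):
    """Run both forms once; returns (uid trace, uid after an exception)."""
    creds = FakeCredentials(start_uid)
    privileged = SetUID(0, seteuid=creds.seteuid, geteuid=lambda: creds.uid)

    with privileged:                 # context manager form
        assert creds.uid == 0

    @privileged                      # decorator form
    def write_protected_file():
        return creds.uid

    assert write_protected_file() == 0

    @privileged
    def failing():
        raise IOError("disk full")   # the switch must still be undone

    try:
        failing()
    except IOError:
        pass
    return creds.trace, creds.uid


if __name__ == "__main__":
    print(demo())
```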
nameserver1..3 and dns/forwarder1..3. The name server type (external forwarder vs. domain name server) is detected based on heuristics. This change prevents overwriting of the DNS configuration if the UCR template for the file /etc/resolv.conf is reevaluated (Bug 44462)
dns/master/port has been removed (Bug 32188)
dns/* are now stripped by default to prevent syntax errors (Bug 32188)
bind service to start during the system setup (Bug 53064)
portal/paths). Consequently, different portal content can be served for different paths (Bug 52792)
lock_expired_passwords has been removed (Bug 46350)
--ignore_exists when the object already exists (Bug 46931)
univention.admin.uexceptions.wrongObjectType when an object is opened with a wrong type (Bug 45096)
univention-cli-server have been removed (Bug 34836)
modify now supports the option --ignore_not_exists (Bug 52984)
--remove option for the Univention Directory Manager CLI command modify has been repaired for properties with complex syntax (Bug 41072)
preup.sh script executed before a system upgrade now fetches the version of the Primary Directory Node from LDAP instead of using ssh (Bug 40027)
univention-maintenance now waits for the DNS service before starting the package maintenance during boot-up (Bug 45119)
univention-add-app has been removed in favor of the command univention-app (Bug 46474)
univention-remove no longer updates the package cache before packages are removed (Bug 48019)
/etc/apt/sources.list.d/ with the suffix .upgrade500-backup. The backup will be removed after a successful upgrade (Bug 52954)
univention-dhcp to isc-dhcp-server as used by upstream. Any direct calls to the init script or runsv must be replaced with systemctl, for example systemctl start isc-dhcp-server (Bug 43688, Bug 52828)
/etc/dhcp/dhclient-enter-hooks.d/ and /etc/dhcp/dhclient-exit-hooks.d/ returning an error no longer abort the dhclient-script. If the old behavior is required, a hook script can use exit, as the scripts are sourced and not executed in sub-shells (Bug 53172)
quota.py has been migrated to Python 3 (Bug 52310)
dists/ repository layout, which was used between UCS 2.x and 4.x, is no longer supported. Instead the new pool/-layout uses package index files below dists/, which reference files from pool/ (Bug 51316, Bug 51588)
repository/online/component/4.*-*-errata are purged after the update (Bug 47192)
repository/online/unmaintained is no longer in use as of UCS 5.0. However, the Univention Configuration Registry variable for components (repository/online/component/$comp/unmaintained) is still in use (Bug 51316). To check if unmaintained packages are installed, the command univention-list-installed-unmaintained-packages can be executed (Bug 52715)
i386/, amd64/, all/) or in the directory level above (flat repository). Starting with UCS 5.0, the new Univention Configuration Registry variable repository/online/component/$comp/layout must be used to define whether a flat repository (value flat) is to be used. If the variable is not set, the other possible value arch is assumed, where the Packages files are searched in the architecture directories (Bug 51316)
The semantics of the Univention Configuration Registry variable repository/online/component/$comp/version has changed. The value current and an unset variable now have the same meaning: the component directory is always included and must exist; an update is blocked if it does not, and APT or the Univention Updater will error out if it does not. As an alternative, a fixed list of releases can be used to include the component only for a sub-set of releases: such a component is only used locally if the listed component versions include the current version, e.g. a component with the $major.$minor list 5.0 5.1 5.2 will not be used on a 5.3 system. As a consequence the packages (or at least the Packages files) have to be copied for a new release if (and only if) the component should also be available for the new release. This is cheap if the pool/-layout is used, as then only the Packages file must be copied, which then references the same packages from the pool/ directory (hint: using relative links with ../ is also okay) (Bug 51316)
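An added example (not the Univention Updater's implementation) that models the version and layout semantics described above for a local component repository; the repository URL scheme, the sample component names and the accepted boolean spellings are assumptions.

```python
"""Resolve UCS component repositories for a release: are they active, and
where are their Packages files?

Added example modelling the semantics described in the release notes. The
UCR variable names are the documented ones; the resolution code is not the
Univention Updater's, and the repository URL scheme is an assumption.
"""

UCR_TRUE = {"yes", "true", "1", "on", "enable", "enabled"}   # assumed UCR booleans


def component_active(ucr, comp, release):
    """Apply repository/online/component/$comp/version: unset or 'current'
    means always (the directory must exist or the update is blocked); a
    space separated list of $major.$minor values opts in only those releases."""
    if ucr.get("repository/online/component/%s" % comp, "no").lower() not in UCR_TRUE:
        return False
    version = ucr.get("repository/online/component/%s/version" % comp, "").strip()
    if version in ("", "current"):
        return True
    return release in version.split()


def packages_paths(ucr, comp, release, archs=("amd64", "all"),
                   prefix="https://updates.example.invalid"):
    """Index file locations per repository/online/component/$comp/layout:
    'flat' keeps one Packages file in the component directory, the default
    'arch' keeps one per architecture directory. The path scheme below the
    server prefix is assumed, not taken from the notes."""
    base = "%s/%s/maintained/component/%s" % (prefix, release, comp)
    layout = ucr.get("repository/online/component/%s/layout" % comp, "arch")
    if layout == "flat":
        return [base + "/Packages"]
    return [base + "/%s/Packages" % arch for arch in archs]


def resolve(ucr, release):
    """All active components for a release with the index files to fetch."""
    comps = sorted(
        key.split("/")[3] for key in ucr
        if key.startswith("repository/online/component/") and key.count("/") == 3
    )
    return {c: packages_paths(ucr, c, release) for c in comps
            if component_active(ucr, c, release)}


# Constructed UCR excerpt: one component pinned to three releases with the
# flat layout, one unpinned component with the default arch layout.
SAMPLE_UCR = {
    "repository/online/component/extapp": "yes",
    "repository/online/component/extapp/version": "5.0 5.1 5.2",
    "repository/online/component/extapp/layout": "flat",
    "repository/online/component/sitetools": "enabled",
}

if __name__ == "__main__":
    for rel in ("5.2", "5.3"):
        print(rel, resolve(SAMPLE_UCR, rel))
```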
/var/univention-backup/update-to-5.0-0/removed_with_ucs5_timestamp.ldif (Bug 51655)
groups/default/* and users/default/* has been added (Bug 33693)
UCS_Version in univention-updater has been merged into the implementation in univention-lib (Bug 32821)
slapdtest in univention.lib.ldap_extension has been improved (Bug 51648)
lookup_adds_dc in univention.lib.admember now runs dig with the option +nocookie to avoid FORMERR from Windows DCs (Bug 51652)
ucs_registerLDAPExtension now waits correctly for the registered Univention Directory Manager extension files to be replicated (Bug 52942)
fetchmail service will be disabled via the Univention Configuration Registry variable fetchmail/autostart for the time of the update to prevent restart issues during the update (Bug 52923)
dovecot-shared-folder.py) has been made to prevent problems with mixed upper and lowercase domain names (Bug 52241)
mail/dovecot/auth/allowplaintext was dropped from the package univention-mail-dovecot because Dovecot no longer allows login with plain text passwords while using TLS/SSL (Bug 52724)
faillog.py (Bug 28645)
$HOME directories can now be provisioned using the standard directory /etc/skel/. Customers relying on files under /etc/univention/skel/ should migrate the files to the new location (Bug 43211)
libvirtd.service resp. virtlogd.service are stopped and masked prior to the update to UCS 5.0. After the update, both services are set to the old state (enabled, disabled, masked) (Bug 52974)
Samba has been updated to version 4.13.7 (Bug 49898). It also includes the patch for the security issue CVE-2021-20254 (Bug 53069). Some highlights, quoting upstream release notes:
sam.ldb database, is size limited. This should be considered when designing or growing a domain into larger dimensions. Since this is a limit of the backend key value store, it doesn't directly translate into a fixed limit for LDAP objects, as it depends on the number of attributes, whether the attributes are indexed and other factors like these. The size limit of TDB is due to its 32-bit data model. This may impact update scenarios in particular, where Samba/AD re-keys and re-indexes the data transparently on the first startup. Since this happens in a single transaction, the storage requirement doubles temporarily. To avoid issues, UCS checks the current size of the SAM backend databases before updating and will abort with a warning if the update may run in danger of rendering Samba/AD non-functional. Workarounds for this are conceivable, but the exact details depend on the topology of the specific UCS domain. In particular, Samba/AD offers an alternative implementation for the key value store, which is based on the same LMDB database technology that backs the high consistency and performance demands of OpenLDAP.
batch_mode option. However, to prevent any index or database inconsistencies if an operation fails, the entire transaction will be aborted at commit.
2008_R2 to 2012_R2.
2012_R2 functional level is not yet available.
Some notable changes:
smb.conf parameters client min protocol and server min protocol has been increased from NT1 to SMB2_02. This means clients without support for SMB2 or SMB3 are no longer able to connect to smbd (by default). It also means client tools like smbclient and others are no longer able to connect to servers without SMB2 or SMB3 support (by default). As Microsoft no longer installs SMB1 support in recent releases or uninstalls it after 30 days without usage, the Samba Team tries to remove SMB1 usage as much as possible. SMB1 is officially deprecated and might be removed step by step in the following years.
--model argument passed to the samba executable has changed from standard to prefork. This means a difference in the number of samba child processes that are created to handle client connections. The previous default would create a separate process for every LDAP or NETLOGON client connection. For a network with a lot of persistent client connections, this could result in significant memory overhead. Now, with the new default of prefork, the LDAP, NETLOGON, and KDC services will create a fixed number of worker processes at startup and share the client connections amongst these workers. The number of worker processes can be configured by the prefork children setting in the smb.conf (the default is 4). Currently this is not yet configurable via a Univention Configuration Registry variable, but can be adjusted via /etc/samba/local.conf. If this becomes a popular request, adding the configuration option via a Univention Configuration Registry variable may be useful in the future.
DES encryption types has been removed, and setting the DES_ONLY flag for an account will cause Kerberos authentication to fail for that account (see RFC 6649). DES keys are no longer saved in the AD DB. When a new password is set for an account, Samba DCs will store random keys in the DB instead of DES keys derived from the password.
smb.conf parameter encrypt passwords is deprecated (default: yes). The Univention Configuration Registry variable samba/encrypt_passwords has been obsoleted by this.
smb.conf parameter mangled names has changed from yes to illegal.
smb.conf parameter blocking locks is deprecated and the samba-shares.py listener module doesn't write it into share configurations any longer.
For more information see also:
Please avoid setting server schannel = no or server schannel = auto on any Samba domain controller, due to the well-known ZeroLogon issue. For details see CVE-2020-1472.
Please consult UCS documentation sources before attempting to change settings from the UCS defaults, which are not (yet) accessible via Univention Configuration Registry variables. Only settings described in the UCS manual are officially supported.
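An added example (not part of UCS) that audits a local.conf override for the settings listed above, using a constructed sample file; the parser and the finding texts are written for this page, not taken from Samba.

```python
"""Audit a Samba configuration override against the UCS 5.0 defaults.

Added example, not part of UCS. The parser and checks are written here;
the constructed snippet stands in for /etc/samba/local.conf.
"""

# Constructed override file carrying settings an administrator might have
# kept from UCS 4; every one of them is called out in the release notes.
SAMPLE_LOCAL_CONF = """\
[global]
    # SMB1 was still needed for an old scanner
    server min protocol = NT1
    server schannel = auto
    encrypt passwords = yes
    blocking locks = yes
    prefork children = 8
"""

# Samba protocol names from oldest to newest; anything before SMB2_02 is SMB1.
PROTOCOL_ORDER = ["CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1",
                  "SMB2_02", "SMB2_10", "SMB3_00", "SMB3_02", "SMB3_11"]
DEPRECATED = {"encrypt passwords", "blocking locks"}


def parse_smb_conf(text):
    """Minimal smb.conf reader: {section: {param: value}}; parameter names
    are lower-cased with whitespace collapsed, comment lines (# ;) dropped."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][" ".join(key.split()).lower()] = value.strip()
    return conf


def audit_global(conf):
    """Findings for the [global] section; an empty list means nothing to fix."""
    g = conf.get("global", {})
    findings = []
    schannel = g.get("server schannel", "yes").strip().lower()
    if schannel != "yes":
        findings.append("server schannel = %s weakens the CVE-2020-1472 (ZeroLogon) "
                        "protection; UCS keeps the default 'yes'" % schannel)
    for param in ("server min protocol", "client min protocol"):
        value = g.get(param, "").strip().upper()
        if value in PROTOCOL_ORDER and \
                PROTOCOL_ORDER.index(value) < PROTOCOL_ORDER.index("SMB2_02"):
            findings.append("%s = %s re-enables SMB1 (UCS 5.0 default: SMB2_02)"
                            % (param, value))
    for param in sorted(DEPRECATED & set(g)):
        findings.append("%s is deprecated in Samba 4.13 and can be dropped" % param)
    return findings


if __name__ == "__main__":
    for finding in audit_global(parse_smb_conf(SAMPLE_LOCAL_CONF)):
        print("FINDING:", finding)
```

Point parse_smb_conf() at the contents of /etc/samba/local.conf to audit a real override; settings not listed in the UCS manual remain unsupported regardless of what the audit reports.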
samba/acl_search to yes (Bug 51522)
/usr/share/univention-samba4/scripts/migrate_legacy_dns_zones.sh (Bug 53093)
s4-connector has been adjusted to avoid repeated restarts of the univention-s4-connector in quick succession during module initialization (Bug 52681)
connector/s4/mapping/sid/sid_to_ucs has been fixed in the registration to match the name connector/s4/mapping/sid_to_ucs which is actually set and used (Bug 53023)
/var/log/univention/connector.log has been renamed to /var/log/univention/connector-ad.log. The script univention-connector-list-rejected has been renamed to univention-adconnector-list-rejected. The mapping has been migrated from a Univention Configuration Registry template into a Python file (/etc/univention/connector/ad/mapping.py).
pysqlite2 has been removed (Bug 51484)
admember code now runs with Python 2 as well as with Python 3 (Bug 51324)
forum.univention.de have been updated to point to https://help.univention.com/ now (Bug 43926)
univention-l10n to be used with dh --with univention-l10n in debian/rules instead of calling univention-l10n-* directly (Bug 51656)
univention.debug.function() calls have been removed from the code (Bug 51200)
[ucs-performance-guide] Univention GmbH. 2022. UCS performance guide. https://docs.software-univention.de/performance-guide-5.0.html.
[developer-reference] Univention GmbH. 2022. Univention Developer Reference. https://docs.software-univention.de/developer-reference-5.0.html.