UCC 2.0 release notes

Release notes for the installation and update of Univention Corporate Client (UCC) 2.0

Table of Contents

1. Release highlights
2. Postprocessing of the update
3. Notes on selected packages
3.1. User switches using su
3.2. Terminal services based on X11 forwarding
3.3. RDP logins and PAM home mounts after a password change at LightDM
4. Changelog
4.1. General
4.2. System boot / initial ramdisk
4.3. Image rollouts and image updates
4.4. Image build and image management
4.5. UCS domain integration
4.5.1. Domains joins of UCC clients
4.5.2. Univention Management Console integration
4.5.3. PXE service
4.6. UCC standard images
4.6.1. UCC desktop image
4.6.2. UCC thin client image
4.7. User logins
4.8. Terminal sessions
4.8.1. Citrix XenApp
4.8.2. RDP
4.8.3. XRDP
4.9. Hardware support
4.10. System services
4.11. Client management

Chapter 1. Release highlights

With Univention Corporate Client 2.0 the first major release update of Univention Corporate Client (UCC) is now available. It provides several improvements and bugfixes:

  • The underlying Ubuntu base has been updated to Kubuntu 14.04. Consequently, a great deal of software components have been renewed: KDE 4.13, Linux kernel 3.13, Libreoffice 4.2.3, Xorg 15. All the Univention packages imported from UCS have been updated to the version of UCS 3.2-2.

  • The initial configuration of Univention Corporate Client is now performed via a wizard in the Univention Management Console. This considerably simplifies the initial setup. In addition, the UCC images can now be administrated in their own UMC module.

  • Support for operating xrdp terminal services has been integrated: A KDE Linux desktop is provided via the RDP protocol. In addition to access from UCC thin clients, this also allows access from Windows or MacOS X computers. The RDP access is very bandwidth efficient.

  • For licensing reasons, it is not possible to distribute the Citrix Receiver with UCC. The installation is now integrated in the Univention Management Console setup wizard, reducing the installation efforts to just a few clicks.

  • A great number of improvements have been made to the UCC image build system, and as such the generated images are now smaller in size, among other things.

  • UCC now also supports the rollout of systems in the UEFI boot standard.

  • The operation of UCC systems with an encrypted hard drive has been considerably facilitated; the corresponding option can now be configured easily in the Univention Management Console.

  • UCC systems can now be configured to avoid PXE boots and start directly from their local storage. This reduces the bootup time.

  • The configuration of UCC systems has been simplified; print servers, CIFS home shares and proxy settings can now be centrally configured through policies.

  • UCC now uses NeutrinoRDP as its standard RDP client. Among other things, this offers support for multi-monitor operation.

  • A whole range of bug fixes and smaller improvements have been integrated. UCC can now also be monitored with Nagios, for example.

Chapter 2. Postprocessing of the update

UCS installations, in which the master domain controller was installed in a release older than 2.3 still use MD5 as the hashing algorithm for the SSL certificates. Later releases use SHA1 as the hashing algorithm. UCC clients cannot join a domain still using MD5 hashes. The necessary steps to migrate a UCS domain from MD5 to SHA1 are documented in the Univention Support Database (http://sdb.univention.de/1150).

Chapter 3. Notes on selected packages

3.1. User switches using suFeedback

Switching from one non-root user account to another non-root user account with the su command doesn't work. Switching to the root account is not affected. The underlying bug cannot be easily fixed as it would lead to invasive changes. As a workaround it is possible to first switch to root and then switch to the user account, e.g.

$ su root
$ su testuser

More information can be found at https://forge.univention.org/bugzilla/show_bug.cgi?id=30243.

3.2. Terminal services based on X11 forwardingFeedback

Terminal services based on X11 forwarding are no longer supported. The corresponding Univention Management Console policy still exists, but is now only used by UCC 1.0 systems. This policy will be removed in a subsequent UCC version.

3.3. RDP logins and PAM home mounts after a password change at LightDMFeedback

If the user password is changed during the login at the LightDM Login Manager (e.g., because the Change password on next login user option is activated or because a password has expired), the password change is effected via Kerberos. This Kerberos password change is not "visible" for PAM modules executed after authentication. The RDP session script and the PAM module for mounting the home directory via CIFS, however, access the cached password and, as a result, the login fails the first time. The correct password is then available for the second login attempt.

Chapter 4. Changelog

Listed are the changes since UCC 1.0:

4.1. GeneralFeedback

  • UCC was updated to Kubuntu 14.04. The original Kubuntu LSB values are now retained. This fixes the compatibility with packages/services depending on specific values (Bug 32627).
  • Patches applied to UCC 1.0 were migrated to UCC 2.0 (if applicable) (Bug 33760). The UCS packages imported in UCC were updated to the versions in UCS 3.2-2. Among other improvements this allows blacklisting kernel modules using the Univention Configuration Registry variable kernel/blacklist (Bug 30177). The apt source for errata updates has been updated for UCC 2.0 (Bug 31150).

4.2. System boot / initial ramdiskFeedback

  • The Plymouth bootsplash init scripts have been fixed to keep Plymouth displaying during software updates and correctly display messages from the filesystem check (Bug 31126, Bug 34814, Bug 30575).
  • Start the loopback interface on system boot which improves boot times if the LDAP server is unreachable (Bug 30441).
  • The parsing of several initramfs parameters has been corrected (Bug 31367).
  • Do not backup old initramfs files. Create new initramfs files in temporary directory (not in /boot). Use /tmp or /ucc_root for this (the directory with more free space is used) (Bug 31015).
  • A quoting bug in the UCR subtemplate /etc/grub.d/15_ucc has been fixed (Bug 32631).

4.3. Image rollouts and image updatesFeedback

  • A new boot variant option for repartitioning and initial rollout has been added. The checkbox for repartitioning has been removed (Bug 30466).
  • /etc/ldap.secret was added to the list of persistent files (Bug 30463). Also add symlink support to univention-ucc-sync-persistent-files.
  • Clarify the error message displayed in case an image could not be found (Bug 30994).
  • An additional boot option local boot is now available, which tells the client's PXE environment to exit and resume the normal boot order. (Bug 32114).
  • Only update the Grub bootloader if a new image was downloaded during an update check (Bug 30069).
  • Reset the boot variant only if a new image was downloaded during an update check (Bug 34762).
  • The access permissions for the directory /ucc_root have been restricted (Bug 34671).
  • Improved error handling in parsing boot options, it now always outputs a sensible boot option (Bug 31683).
  • The boot parameter force_partition can be used to enforce repartitioning without user confirmation (Bug 30427).
  • The local buffer of free space on a UCC root device (needed for handling persistent data) has been reduced to 10 MB (Bug 32311).
  • The new boot option partition_script for UCC clients has been added. This option defines a script to use for partitioning instead of the partitioning settings from the image. The script must be placed in the /var/lib/univention-client-boot/partition-scripts directory on all UCS UCC PXE servers (Bug 34612).
  • During the update to a UCC 2.0 image the Univention Configuration Registry variable nameserver1 is automatically set to the new default if the previous value was the UCC 1.0 default (Bug 34646).

4.4. Image build and image managementFeedback

  • Several improvements and bugfixes were made to the image toolkit:

    • Use the same base multiplier when calculating the image size as the initramfs (Bug 30063).
    • Create all files in the working directory and move them to the target directory at the end (Bug 31634). Also, handle the targetdir option correctly (Bug 31634).
    • If and what packages should be set to hold can be configured the parameter packages_hold (Bug 34489).
    • Improve logging by logging executed commands (Bug 31634).
    • Always install UCC base packages (Bug 31634).
    • To reduce the required image size during image creation the system is now installed in a directory outside the image. Finally, the installed system is copied into the image (Bug 31942).
    • Temporarily set the nameserver during image build. This fixes build errors on UCS member servers (Bug 30286).
    • A superflous empty line at the beginning of generated join scripts has been fixed (Bug 34746).

  • Display the progress when uncompressing UCC images (Bug 33933). Write compression progress to stdout (Bug 31634).
  • The build of UCC images using the UEFI boot standard is now possible: The package ucc-image-toolkit provides /usr/share/doc/ucc-image-toolkit/example/ucc-desktop-efi.cfg.gz as an example configuration for UEFI partitioning (Bug 33978).
  • The new package univention-ucc-bootstrap ships dummy init scripts for systemd-logind, modemmanager, whoopsie and ofono. These packages ship Upstart jobs, but no SysV init scripts (which are needed during image creation in chroots) (Bug 33782).
  • Several improvements were made to ucc-image-set-join-information

    • A password parameter has been added (Bug 31784).
    • The parameter handling has been fixed (Bug 30601).

4.5. UCS domain integrationFeedback

4.5.1. Domains joins of UCC clientsFeedback

  • The SSH host keys are now recreated during domain join. They are also tracked as persistent files (Bug 30163).
  • rdate has been added to the dependencies of univention-ucc-join. This ensures that the system time is synchronised correctly (Bug 34869).
  • The determination of the Kerberos key version number of the UCC host account during the domain join has been fixed (Bug 30471).
  • During the domain join the group and user database is now actualised before running the join scripts (Bug 30760).
  • The handling of the domain join password file during automated rollouts has been fixed (Bug 33802).

4.5.2. Univention Management Console integrationFeedback

  • A configuration wizard for thin clients and desktop clients has been added to facilitate the initial configuration of UCC (Bug 34360).
  • A UMC module to download and remove UCC images has been added (Bug 30379).
  • A simplified wizard for the creation of UCC computers has been added (Bug 32942). The MAC address is an required attribute now (Bug 34757). A traceback when creating UCC computer objects has been fixed (Bug 34378).
  • UMC icons for UCC policy objects have been added (Bug 30366). The description of a UMC module has been fixed (Bug 32433).
  • An unjoin script for univention-corporate-client-schema has been added, which removes the UCC service once the last UCC app in the domain was removed (Bug 30852).

4.5.3. PXE serviceFeedback

  • A Univention Configuration Registry module has been added to immediately apply changes of the ucc/pxe/* variables to all existing PXE configuration files for UCC clients, e.g. setting ucc/pxe/loglevel changes the loglevel kernel parameter in all PXE configuration files (Bug 29904).
  • Obsolete code has been removed from the listener module that creates the PXE configuration files for UCC clients (Bug 30347).
  • The join script 91ucc-pxe-boot.inst from ucc-pxe-boot now ensures that the default-settings policies/dhcp_boot policy exists (Bug 3561).
  • The package ucc-pxe-boot now contains the files /var/lib/univention-client-boot/ldlinux.e32 /var/lib/univention-client-boot/ldlinux.e64 /var/lib/univention-client-boot/syslinux.efi32 /var/lib/univention-client-boot/syslinux.efi64 which enable UEFI-PXE booting by selecting the syslinux.efi64 (or syslinux.efi32) as the "boot_filename" (UDM module "policies/dhcp_boot") (Bug 33978).

4.6. UCC standard imagesFeedback

4.6.1. UCC desktop imageFeedback

  • The new meta packages univention-ucc-i18n-de, univention-ucc-i18n-en, univention-ucc-i18n-es, univention-ucc-i18n-fr and univention-ucc-i18n-nl install all dependencies needed for a localised Kubuntu desktop (Bug 34517).
  • The package language-pack-gnome-* has been added for all languages that are available by default (en, de, es, fr, nl). It adds internatiolisation for the Power off button in the LightDM login manager. Note that this package hasn't been added to the thin client image due to size constraints. It can be added to custom images (Bug 31807).
  • The bash-completion package has been added to the desktop image (Bug 30254).
  • The optional univention-ucc-italc package provides iTALC for Univention Corporate Client (Bug 30830). The package univention-ucc-ucsschool-integration installs all required packages for using UCC with UCS@school (Bug 30829, Bug 31902, Bug 31906, Bug 31976, Bug 31976,). More information can be found in the UCS@School user manual

4.6.2. UCC thin client imageFeedback

  • Kernel updates on the standard thin client image has been disabled by marking the package linux-image-generic as hold (Bug 34489).

4.7. User loginsFeedback

  • The monolithic Univention Configuration Registry template for /etc/pam.d/lightdm has been split into a multifile template (Bug 31409). The Univention Configuration Registry variable description of univention-lightdm has been improved (Bug 30933). The obsolete Univention Configuration Registry variable lightdm/wallpaper has been removed (Bug 30426).
  • The PAM module for creating the home directory during login (pam_mkhomedir) was not executed under all circumstances, this has been fixed (Bug 34790). The default umask has been changed to 0066 (Bug 31303).
  • The LXDE session can now also be forced (Bug 30420).
  • Outdated Univention Configuration Registry templates for the KDE display manager have been removed (Bug 34512).
  • The new Univention Configuration Registry variable lightdm/autologin/user allows the configuration of the user under which the automatic login should occur. If the variable is unset, a temporary guest user is used as before (Bug 30617).
  • The univention-ucc-theme package now depends on libglib2.0-bin (Bug 30579).
  • A bug was fixed that deleted the LightDM PAM configuration during updates (Bug 32119).

4.8. Terminal sessionsFeedback

4.8.1. Citrix XenAppFeedback

  • The Citrix session is now correctly running in fullscreen if the autologin is used (Bug 30358).
  • Implement a post session menu if XenApp is selected as the automatic session. It allows to restart the session, switch back to LightDM or shutdown the system (Bug 32043).
  • A new tool (ucc-image-add-citrix-receiver) has been created which integrates the Citrix Receiver into a UCC image; the necessary dependencies are installed and the Receiver installed afterwards. It is part of ucc-image-toolkit. (Bug 34452).
  • New Univention Configuration Registry variable citrix/accepteula: If set to true, a configuration file is added to the user's home which accepts the EULA of Citrix Receiver. (Bug 34452).
  • New Univention Configuration Registry variable citrix/pulseaudio: If set to true, the xenapp session script starts the Pulseaudio daemon for the user (Bug 34227).

4.8.2. RDPFeedback

  • The handling of the Univention Configuration Registry variable rdp/geometry has been fixed. Previously it was always overriden by the fullscreen setting (Bug 31951).
  • The Univention Configuration Registry variable rdp/additionaloptions now allows setting more options (Bug 31717).
  • The Univention Configuration Registry variable rdp/checktls has been renamed to rdp/tlsencryption. The handling of the Univention Configuration Registry variable rdp/ignorecertificate has been fixed (Bug 34874).

4.8.3. XRDPFeedback

  • univention-xrdp provides integration of remote UCC terminal services based on XRDP (Bug 29893). The terminal services based on X11 forwarding have been removed (Bug 33871).
  • The temporary KDE directory is now stored in .kde-cache in the user's home directory instead of /var/tmp/kdecache-*. This prevents filling up the /var partition on terminal servers with many users Bug 31863).

4.9. Hardware supportFeedback

  • Several changes have been made to univention-ucc-remote-mount:
    • It is now disabled on desktop images (Bug 30552).
    • ram* and loop* devices are now ignored (Bug 30468).
    • The udev handling for ATA CD-ROM devices has been fixed: The udev script now tries to speed up ATA cdrom devices with the eject tool. Problems with changing CD/DVDs in a drive were fixed (Bug 31685, Bug 31713).
    • The automounter directory cleanup has been improved: It now removes directories in more cases, even if file handles are still open after a drive has been removed. (Bug 34878).
  • The LightDM startup script for multimonitor configuration has been fixed (Bug 30402).
  • Kernel modesetting has been disabled for the Cirrus driver due to a problem initializing the framebuffer (Bug 34448).
  • univention-corporate-client now depends on Network Manager (before that change it was still present, but installed indirectly (Bug 30297).

4.10. System servicesFeedback

  • The logging on UCC clients is now using the RELP protocol instead of UDP. This ensures that logfiles are more complete (Bug 34863).
  • The Univention Configuration Registry template for the krb5.conf config file now also supports the dns_lookup_kdc option (Bug 32080).
  • By default, univention-ucc-update-nss copies the nss user data from the UCS server only if the user is not already known. This test can be disabled by setting the Univention Configuration Registry variable ucc/nss/update/force to true (Bug 31864).
  • A traceback in ldap-passwd-to-file.py has been fixed (Bug 32958).

4.11. Client managementFeedback

  • Two new Univention Configuration Registry variables have been added to preconfigure proxy settings for Firefox and KDE: ucc/proxy/http configures the URL of the proxy server and ucc/proxy/autoconfig/url the URL of the proxy PAC (Bug 31905, Bug 32580)
  • Nagios support has been added for UCC computer objects (Bug 31276).
  • The new package univention-ucc-cifshome-pam-mount installs a mechanism to automatically mount a CIFS share as home directory during user login. Server, share name and mount options may be defined via the Univention Configuration Registry variables ucc/mount/cifshome/server, ucc/mount/cifshome/share and ucc/mount/cifshome/options (Bug 32057).
  • The new Univention Configuration Registry variable ucc/cups/server allows to configure Cups server(s) (Bug 32056, Bug 32515). After connection timeouts to a Cups server, a reconnect is now performed (Bug 30911).
  • New Univention Configuration Registry variables have been added to configure the APT sources: The content of all Univention Configuration Registry variables of the format ucc/apt/ID (whereby "ID" can be anything) are written to the file /etc/apt/sources.list.d/ucc.list (Bug 30748).
  • Several improvements were made to univention-ucc-software-update

    • Exit software update script when a reboot is necessary (Bug 31061)
    • Check for package existence before (un-)installing it (Bug 34124).
    • Old and unused kernel package are automatically removed from UCC clients using univention-ucc-prune-old-kernel-packages (Bug 32166, Bug 31012).
    • Logging of software updates has been improved (Bug 34123).
    • A typo in a status message during software updates has been fixed (Bug 34026).
    • Package source lists are no longer updated for each package that is to be installed (Bug 32575).
    • Added DEBIAN_FRONTEND=noninteractive to (Bug 31010).
    • An update run of univention-ucc-software-update can now be forced with the new option --force (Bug 32296).