UCC 2.1 release notes

Release notes for the installation and update of Univention Corporate Client (UCC) 2.1

Table of Contents

1. Release highlights
2. Postprocessing of the installation
3. Notes on selected packages
3.1. Announcing discontinuation of XRDP terminal services for UCC 3
3.2. User switches using su
3.3. RDP logins and PAM home mounts after a password change at LightDM
4. Changelog
4.1. General
4.2. System boot / initial ramdisk
4.3. Image roll-outs and image updates
4.4. Image build and image management
4.5. UCS domain integration
4.5.1. Domains joins of UCC clients
4.5.2. Univention Management Console integration
4.5.3. UCC installation wizard
4.5.4. UCC image module
4.6. UCC standard images
4.6.1. General
4.6.2. UCC thin client image
4.7. Terminal sessions
4.7.1. Citrix
4.7.2. RDP
4.7.3. XRDP
4.8. Hardware support
4.9. System services
4.10. Client management

§Chapter 1. Release highlights

With Univention Corporate Client (UCC) 2.1 the first minor release update of UCC is now available.

  • UCC is now Citrix Ready certified. This allows Univention to provide the Citrix Receiver with UCC thin client images. Citrix Receiver is responsible for the connection to Citrix environments from a thin client operated with UCC. The UCC setup wizard still allows the manual installation of specific Citrix Receiver versions.

  • Support for UCC Image site servers has been added. UCC computer objects can now be configured to use a specific server to download UCC Images from.

  • UCC 2.1 images use the newer Linux kernel and Xorg X11 server version from Kubuntu Utopic by default. UCC 2.1 is based on Kubuntu 14.04 and will receive its software and security updates.

§Chapter 2. Postprocessing of the installation

UCS installations, in which the master domain controller was installed in a release older than 2.3 still use MD5 as the hashing algorithm for the SSL certificates. Later releases use SHA-1 as the hashing algorithm. UCC clients cannot join a domain still using MD5 hashes. The necessary steps to migrate a UCS domain from MD5 to SHA-1 are documented in the Univention Support Database (SDB 1150).

§Chapter 3. Notes on selected packages

§3.1. Announcing discontinuation of XRDP terminal services for UCC 3

With the release of Univention Corporate Client 2.1 Univention announces the discontinuation of XRDP terminal services on UCC for the next major release UCC 3.0. This does not affect functionality and support for XRDP UCC terminal services on UCC 2.

§3.2. User switches using su

Switching from one non-root user account to another non-root user account with the su command doesn't work. Switching to the root account is not affected. The underlying bug cannot be easily fixed as it would lead to invasive changes. As a workaround it is possible to first switch to root and then switch to the user account, e.g.

$ su root
$ su testuser

More information can be found at Bug 30243.

§3.3. RDP logins and PAM home mounts after a password change at LightDM

If the user password is changed during the login at the LightDM Login Manager (e.g., because the Change password on next login user option is activated or because a password has expired), the password change is effected via Kerberos. This Kerberos password change is not "visible" for PAM modules executed after authentication. The RDP session script and the PAM module for mounting the home directory via CIFS, however, access the cached password and, as a result, the login fails the first time. The correct password is then available for the second login attempt.

§Chapter 4. Changelog

Listed are the changes since UCC 2.0:

§4.1. General

  • Various small changes to the frontend to improve the UMC module layout (Bug 36772).
  • References to UCC 2.0 have been updated (Bug 38801).

§4.2. System boot / initial ramdisk

  • Hook directories have been added which make it possible to place arbitrary scripts in a UCC image which will be executed by the initramfs (Bug 31384).

§4.3. Image roll-outs and image updates

  • It is now possible to assign a default UCS image server for a UCC client. The UCC client will then download its image from the designated server (Bug 35410).

§4.4. Image build and image management

  • The ucc-image-add-citrix-receiver script now cleans out the local repository of retrieved package files (Bug 38741).
  • The ucc-image-add-citrix-receiver script now installs packages more reliably by using the dpkg parameters --force-confnew --force-overwrite --force-overwrite-dir (Bug 38905).
  • The image generation program ucc-image has been adapted to support creating large ISO files on UCS 4 (Bug 38906).

§4.5. UCS domain integration

§4.5.1. Domains joins of UCC clients

  • A bug was fixed which could lead to failing domain joins (Bug 37910).

§4.5.2. Univention Management Console integration

  • The UCC hardware settings policy tooltip has been adapted to use the correct xrandr parameter for querying the display devices (Bug 38678).

§4.5.3. UCC installation wizard

  • The layout of the UCC installation wizard has been changed since a Citrix receiver is now integrated into UCC thin client images. A custom receiver can optionally be uploaded (Bug 38806).

§4.5.4. UCC image module

  • The UCC image module has been updated to show available UCC 2.1 images (Bug 38912).

§4.6. UCC standard images

§4.6.1. General

  • An update adds an explicit dependency to the internationalisation (i18n) packages for Firefox: Updated language packages for Ubuntu Trusty dropped package dependencies, which would lead to potential removal of the Firefox i18n packages during updates (Bug 37219).

§4.6.2. UCC thin client image

  • Citrix Receiver and the Citrix Session are now shipped with the UCC thin client image (Bug 38181).
  • The directory / is now mounted with option 755 when using overlayfs (Bug 38925).
  • Two new binary packages are available that enable support for caching fallback system policies on a Thin Client image. univention-ucc-eval-policies-on-join writes system policies during the initial join process. univention-ucc-eval-policies-on-boot writes system policies during each local boot (Bug 35363).
  • Full partition devices (like /dev/sda or /dev/sdb) on removable USB devices are no longer mounted on to thin clients (UCC desktop systems are not affected), since this could lead to delays in freeing unmounted devices in terminal services like RDP or Citrix. The old behaviour can be restored by setting the UCR variable ucc/mount/fullpartition to true (Bug 36717).

§4.7. Terminal sessions

§4.7.1. Citrix

  • Dependencies to software packages to enable "Windows Media HDX playback" have been added to the package univention-ucc-session-xenapp (Bug 38741).
  • The package univention-ucc-usb-raw-printer has been added to create/remove local (raw) printer queues for USB printers in order to enable "Client Printer Redirection" (Bug 37889).
  • A UCR template has been added for the HDX USB redirect daemon rules file /opt/Citrix/ICAClient/usb.conf. USB redirect rules can be configured with the UCR variable ucc/xenapp/ctxusb/rules (Bug 38925).
  • The package univention-ucc-session-xenapp has been updated to set the UCR variable ucc/firefox/defaults/rememberSignons to 'user_pref("signon.rememberSignons",false);' by default. This prevents a recurring pop-up in Firefox when accessing Citrix terminal services (Bug 38932).

§4.7.2. RDP

  • The divide key available on the numeric block on some keyboards was mapped incorrectly when connecting to Windows terminal servers. Instead of the expected division sign, a minus sign was returned. This update corrects the keyboard mapping (Bug 35159).

§4.7.3. XRDP

  • A missing software dependency to univention-directory-listener has been added to univention-xrdp (Bug 38991).

§4.8. Hardware support

  • Desktop and thin-client image use a newer kernel (3.16) and xserver-core (1.16) version from Ubuntu Utopic (Bug 37970).

§4.9. System services

  • A problem with the caching of user passwords has been fixed (Bug 35333).

§4.10. Client management

  • The configuration file for the PAM CIFS mount no longer falls back to ldap/server/name if ucc/mount/cifshome/server is unset (Bug 35111).
  • The cifsmount stanza is now only written if ucc/mount/cifshome/server is set (Bug 35111).
  • The network timeout for ldap connections is now configurable with the new UCR variable ucc/ldap/network/timeout. The default is 10 seconds (Bug 36325).
  • Two new UCR variables have been added to configure the behaviour when connecting to unavailable LDAP servers. ucc/ldap/timeout: Time-out for LDAP queries. ucc/ldap/timelimit: Maximum duration of LDAP queries If unset, the default for all variables is ten seconds (Bug 37321).