UCS 3.2-1 Release Notes

Release notes for the installation and update of Univention Corporate Server (UCS) 3.2-1


Table of Contents

1. Release highlights
2. Recommended update order for environments with more than one UCS server
3. Preparation of update
4. Postprocessing of the update
4.1. Operating a local repository server / pre-up/ post-up scripts
5. Further notes on selected packages
5.1. Collection of usage statistics when using the free-for-personal-use version
5.2. UEFI installation DVD
5.3. Scope of security support for Webkit, Konqueror and QtWebKit
5.4. Recommended browsers for the access to the Univention Management Console
5.5. Restrictions in Samba 4 operation
5.6. Installation in VirtualBox
5.7. Installation in Citrix XenServer
5.8. Migration of a Samba 3 environment to Samba 4
5.9. Xen
6. Changelog
6.1. General
6.2. Univention Installer
6.3. Basic system services
6.3.1. Linux kernel and firmware packages
6.3.2. Univention Configuration Registry
6.3.2.1. Changes to templates and modules
6.4. Domain services
6.4.1. OpenLDAP
6.4.1.1. LDAP ACL changes
6.4.1.2. LDAP schema changes
6.4.1.3. Listener/Notifier domain replication
6.5. Univention Management Console
6.5.1. Univention Management Console web interface
6.5.2. Univention Management Console server
6.5.3. Univention App Center
6.5.4. Basic settings / Appliance mode
6.5.5. Users module
6.5.6. License module
6.5.7. Domain join module
6.5.8. Online update module
6.5.9. Shares module
6.5.10. Policies
6.5.11. Printers module
6.5.12. Univention Configuration Registry module
6.5.13. LDAP directory browser
6.5.14. Other modules
6.5.15. Univention Directory Manager command line interface and related tools
6.5.16. Development of modules for Univention Management Console
6.6. Software deployment
6.6.1. Software deployment command line tools
6.7. Univention Library
6.8. System services
6.8.1. Spam/virus detection and countermeasures
6.8.2. Printing services
6.8.3. Nagios
6.8.4. SSL
6.8.5. PAM / Local group cache
6.8.6. Other services
6.9. Virtualisation
6.9.1. Univention Virtual Machine Manager
6.9.2. Xen
6.10. Services for Windows
6.10.1. Samba NT domain support
6.10.2. Samba AD domain support
6.10.3. Univention AD Takeover
6.10.4. Univention S4 Connector
6.10.5. Univention Active Directory Connector
6.11. Other changes
Bibliography

Chapter 1. Release highlights

With Univention Corporate Server 3.2-1, the first point release for Univention Corporate Server (UCS) is now available. It includes all errata updates issued for UCS 3.2-0:

  • The Linux kernel package was updated to 3.10.26. Besides many bugfixes this also improves the hardware support.

  • The Univention App Center was extended: Beside several bugfixes new interfaces are provided which improve the integration of third party applications.

  • Univention AD Takeover, the UCS solution for the automatic migration of an Active Directory domain to UCS, was improved further; it now also supports the migration of AD domains operated in languages other than English or German.

  • Multiple usability enhancements in the Univention Management Console.

Chapter 2. Recommended update order for environments with more than one UCS server

In environments with more than one UCS system, the update order of the UCS systems must be borne in mind:

The authoritative version of the LDAP directory service is maintained on the master domain controller and replicated on all the remaining LDAP servers of the UCS domain. As changes to the LDAP schemes can occur during release updates, the master domain controller must always be the first system to be updated during a release update.

It is generally advisable to update all UCS systems in one maintenance window whenever possible.

Chapter 3. Preparation of update

It must be checked whether sufficient disk space is available. A standard installation requires a minimum of 6 GB of disk space. Depending on the scope of the existing installation, the update will require at least another 1 GB of disk space for the downloading and installation of the packages.

For the update, a login should be performed on the console with the root user and then the update started there. Alternatively, the update can be initiated using the Univention Management Console.

Remote updating via SSH is not recommended, as the update procedure may be cancelled if, for example, the network connection is interrupted, which can affect the system. If the update is nevertheless performed over a network connection, it must be ensured that the update continues despite a disconnection from the network. This can be done, for example, using the tools screen and at, which are installed on all system roles.

Chapter 4. Postprocessing of the update

Following the update, new or updated join scripts need to be executed. This can be done in two ways: Either using the UMC module Domain join or by running the command univention-run-join-scripts as the user root.

Subsequently the UCS system should be restarted.

4.1. Operating a local repository server / pre-up / post-up scripts

Pre-up and post-up scripts are scripts which are run before and after release updates (e.g. for post-processing the update by uninstalling obsolete packages). As of UCS 3.2, these scripts are cryptographically signed to prevent unauthorized modification. The signatures are checked during the update and when mirroring the repository; if they are invalid or missing, the action is aborted.

If a repository server is operated with UCS 3.1-x, it should be updated to UCS 3.2 before additional systems can be updated to UCS 3.2-1.

If it is not possible to update the repository server, the signature files must be downloaded manually:

LOCAL_DIR="/var/lib/univention-repository/mirror"
SERVER="http://updates.software-univention.de"
for release in 3.2-0 3.2-1; do
	for script in preup postup; do
		# detached signature of the pre-up/post-up script for this release
		file="3.2/maintained/$release/all/$script.sh.gpg"
		# make sure the target directory exists in the local mirror
		mkdir -p "$(dirname "$LOCAL_DIR/$file")"
		wget -O "$LOCAL_DIR/$file" "$SERVER/$file"
	done
done

Alternatively, it is also possible to disable the signature checks, which can be a security risk. For the repository server this can be done by setting the Univention Configuration Registry variable repository/mirror/verify to false. For the update the Univention Configuration Registry variable repository/online/verify must be set to false on all systems.
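As an added example (not part of the release notes or of UCS itself), the following POSIX shell helpers audit a local mirror for the signed pre-up/post-up scripts described above and report whether the signature checks have been disabled via the two UCR variables. The mirror layout follows the download loop above; the detached-signature format, the UCS_KEYRING path and the `key: value` line format of `ucr dump` are assumptions.

```shell
#!/bin/sh
# Added audit helper, not part of UCS. For each release it reports whether
# preup.sh/postup.sh and their detached .gpg signatures are present in a local
# repository mirror and, if a keyring is given, whether the signatures verify.
# Mirror layout (from the download loop in the release notes):
#   $MIRROR/3.2/maintained/$release/all/{preup,postup}.sh[.gpg]
# Assumptions: the .gpg files are detached OpenPGP signatures and the public
# key lives in the keyring named by UCS_KEYRING (if unset, only presence is
# checked and the script is reported as UNVERIFIED).

# check_update_scripts MIRROR RELEASE...
# Prints one status line per script; returns 1 if any script is unusable.
check_update_scripts() {
    mirror="$1"
    shift
    rc=0
    for release in "$@"; do
        for script in preup postup; do
            base="$mirror/3.2/maintained/$release/all/$script.sh"
            if [ ! -f "$base" ]; then
                echo "MISSING-SCRIPT $release/$script.sh"
                rc=1
                continue
            fi
            # An absent or empty signature (e.g. left behind by a failed
            # wget -O) makes the updater abort, so treat it as a failure.
            if [ ! -s "$base.gpg" ]; then
                echo "MISSING-SIG $release/$script.sh"
                rc=1
                continue
            fi
            if [ -n "${UCS_KEYRING:-}" ] && command -v gpg >/dev/null 2>&1; then
                if gpg --no-default-keyring --keyring "$UCS_KEYRING" \
                       --verify "$base.gpg" "$base" >/dev/null 2>&1; then
                    echo "OK $release/$script.sh"
                else
                    echo "BAD-SIG $release/$script.sh"
                    rc=1
                fi
            else
                echo "UNVERIFIED $release/$script.sh"
            fi
        done
    done
    return $rc
}

# verify_disabled UCR_DUMP_FILE
# Reads "key: value" lines (format of `ucr dump`, assumed) and prints every
# signature-check variable that is set to false. Returns 0 when at least one
# check is disabled so it can be used as a condition.
verify_disabled() {
    found=1
    for key in repository/online/verify repository/mirror/verify; do
        if grep -q "^$key: false$" "$1"; then
            echo "WARNING: $key is false; update script signatures are not checked"
            found=0
        fi
    done
    return $found
}

# Usage on a repository server (adjust paths and releases):
#   ucr dump > /tmp/ucr.txt && verify_disabled /tmp/ucr.txt
#   UCS_KEYRING=/path/to/keyring.gpg \
#       check_update_scripts /var/lib/univention-repository/mirror 3.2-0 3.2-1
```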

Chapter 5. Further notes on selected packages

5.1. Collection of usage statistics when using the free-for-personal-use version

Anonymous usage statistics on the use of the Univention Management Console are collected when using the free-for-personal-use version of UCS (which is generally used for evaluating UCS). The modules opened are logged in an instance of the web traffic analysis tool Piwik. This makes it possible for Univention to tailor the development of the Univention Management Console better to customer needs and carry out usability improvements.

This logging is only performed when the free-for-personal-use license is used. The license status can be verified by clicking on the cog symbol in the top right-hand corner of the Univention Management Console and selecting License information. If Free for personal use edition is listed under LDAP base, this version is in use. When a regular UCS license is used, no usage statistics are collected.

Independent of the license used, the statistics generation can be deactivated by setting the Univention Configuration Registry variable umc/web/piwik to false.

5.2. UEFI installation DVD

In addition to the standard installation DVD there is also a medium with support for the Unified Extensible Firmware Interface standard (UEFI) available for the amd64 architecture.

It must be used instead of the standard DVD on systems which only support a UEFI boot.

5.3. Scope of security support for Webkit, Konqueror and QtWebKit

Webkit, Konqueror and QtWebkit are shipped in the maintained branch of the UCS repository, but are not covered by security support. Webkit is primarily used for displaying HTML help pages etc. Firefox should be used as the web browser.

5.4. Recommended browsers for the access to the Univention Management Console

Univention Management Console uses numerous JavaScript and CSS functions to display the web interface. Cookies need to be permitted in the browser. The following browsers are recommended:

  • Chrome as of version 14

  • Firefox as of version 10

  • Internet Explorer as of version 9

  • Safari (on the iPad 2)

Users with older browsers may experience display or performance problems.

5.5. Restrictions in Samba 4 operation

Some Active Directory functions are currently not available in Samba 4:

  • Microsoft Windows domain controllers must not be joined in a Samba 4 domain currently.

  • Selective replication is not possible with Samba 4 as this is not supported by Active Directory in principle (in UCS@school selective replication is implemented through the listener/notifier replication mechanism).

  • Samba 4 does not currently support forest domains.

  • Samba 4 does not currently support trust relationships.

Further information can be found in Chapter 8 of the [ucs-handbuch].

5.6. Installation in VirtualBox

During the installation of UCS in the virtualization solution VirtualBox, a VirtualBox bug which has been corrected in version 4.2 may appear: if UCS has been successfully installed and the DVD is still in the disk drive, the installation DVD offers the option Boot from first harddisk partition. If this option is selected, VirtualBox freezes.

For Linux distributions which still use VirtualBox 4.0 or 4.1, as a workaround the installation DVD should be removed from the drive settings of the VirtualBox VM before starting the UCS VM, or F12 should be pressed when starting the virtual instance and the hard drive selected as the boot device. UCS will then start successfully.

5.7. Installation in Citrix XenServer

When UCS is installed in the virtualization solution Citrix XenServer 6.0 - 6.2, the Grub menu of the Univention installer is not shown with the Cirrus graphics card that is emulated by default. The Univention Installer can be started directly by pressing the ENTER key; alternatively, the installation starts automatically after sixty seconds. The Univention Installer which then starts is displayed as normal.

To display Grub correctly, the graphics card emulated by XenServer can be reconfigured. This is done by logging on to the XenServer system as the root user. First, the xe vm-list command is used to determine the UUID of the virtual machine. The following command is then used to reconfigure the emulated graphics card to VGA:

xe vm-param-set uuid=UUIDVM platform:vga=std

5.8. Migration of a Samba 3 environment to Samba 4

There are two basic procedures for migrating Samba 3 to Samba 4:

  • Setup of a parallel Samba 4 domain. Both domains use different NetBIOS names and SIDs. The clients then join the Samba 4 domain step by step.

  • Migration of all systems within one maintenance window.

Both procedures are documented in detail in the Univention Wiki: http://wiki.univention.de/index.php?title=Migration_from_Samba_3_to_Samba_4.

5.9. Xen

If the Xen hypervisor is used and the memory limit for the Dom0 has been configured using the Univention Configuration Registry variable grub/xenhopt, the value should be updated to include the ,max: part as well. See http://wiki.univention.de/index.php?title=UVMM_Quickstart-3.1/en#Configuring_the_Dom0 for details.

Chapter 6. Changelog

Listed are the changes since UCS 3.2-0:

6.1. General

  • All security updates issued for UCS 3.2-0 are included.

6.2. Univention Installer

  • Enforce UTF-8 encoding when setting the locale (Bug 33916).
  • The self-tests at the end of the UCS installation have been updated (Bug 34133).

6.3. Basic system services

6.3.1. Linux kernel and firmware packages

6.3.2. Univention Configuration Registry

  • Univention Configuration Registry now commits the files to a temporary file first and renames the files in a second atomic step. This prevents writing of incomplete files (Bug 32415).

6.3.2.1. Changes to templates and modules

  • The default limit for max open files in /etc/security/limits.conf has been increased to 32768. This value can be changed by setting the Univention Configuration Registry variables security/limits/default/user/soft/nofile and security/limits/default/user/hard/nofile (Bug 32415).

6.4. Domain services

6.4.1. OpenLDAP

  • univention-ldapsearch now accepts the command line options --binddn, --bindpwd and --bindpwdfile for authentication.
  • The LDAP indices are now generated for all combinations of LDAP search types configured via UCR ldap/index/ (Bug 33430).

6.4.1.1. LDAP ACL changes

  • The LDAP ACLs now support the configuration of default group names via the new UCR variable family groups/default/* (Bug 33645).
  • The LDAP ACLs now support the configuration of a custom Administrator name via the new UCR variable family users/default/*. These variables are managed automatically by a Univention Directory Listener module and should usually not be adjusted manually (Bug 33890).

6.4.1.2. LDAP schema changes

  • New schema extension for MS WMI filters (Bug 33961).
  • The local schema inclusion code now detects extensions included by template subfiles (Bug 33962).

6.4.1.3. Listener/Notifier domain replication

  • The LDAP replication handling for modrdn has been improved which avoids the duplication of LDAP objects when moving objects (Bug 33495).
  • The reliability of the Univention Directory Listener replication handling has been improved (Bug 33732).

6.5. Univention Management Console

6.5.1. Univention Management Console web interface

  • After cancelling the creation of an LDAP object it was sometimes impossible to open another existing object (Bug 33244).
  • If the configured initial search attribute of a UMC module was not a searchable attribute, LDAP errors occurred. The module now falls back to searching the Default properties (Bug 33556).
  • Requests to outdated files (such as images, HTML files, JavaScript source files) are now redirected in order to avoid problems in the representation (Bug 29588).
  • The rendering of the Activate UCS dialogue in Internet Explorer 9 and 10 has been fixed (Bug 33133).
  • The links in the overview page are now generated in the join script. This ensures that host and domain identifiers match the current settings in case of a rejoin and after completing the appliance setup (Bug 33447).
  • The display of the progress bar has been fixed in some cases (Bug 32649).
  • Only the last 1800 lines of very long tracebacks are now sent. Previously the first 1800 lines were shown, which could truncate important information (Bug 33798).
  • The MultiSelect widget has been fixed. Setting its values too early could sometimes disturb the rendering of the page (Bug 33703).
  • Entries and available languages on the UCS overview page aren't cached anymore (Bug 33130).
  • Fixed rendering errors in the host drop-down menu on various web browsers (Bug 32655).
  • Support for UMC modules that may be open only once at a time (Bug 31855).
  • Fixed the translation of some error messages when Univention Corporate Client was installed (Bug 33850).

6.5.2. Univention Management Console server

  • The error handling of UMC modules has been improved. Feedback is sent to the client when the initializing of a module fails (Bug 33673).
  • The robustness of the UMC message parser has been improved: The UCS@school computer-room module could trigger a crash when responding with an empty message body (Bug 33622).

6.5.3. Univention App Center

  • If a component that is part of the App Center blocks a release update, a link to the app is now shown instead of a cryptic error message (Bug 33484, Bug 33721).
  • Installation notifications were sent to Univention even when the app did not require it. This has been fixed (Bug 33362).
  • univention-add-app now works through proxies (Bug 33542).
  • Fixed an error in the usage information of the option --latest (Bug 31410).
  • When updating from UCS 3.1, apps from UCS 3.1 were re-registered by mistake. This has been corrected (Bug 33535).
  • The join script now fails if one of the apps could not be registered (Bug 33341).
  • If an application could not be registered an error message is now displayed after the installation. The registration is re-attempted whenever the Univention App Center is opened (Bug 33573).
  • Applications can now provide information on the organisation providing support for the app (Bug 33958).
  • Renamed Website to More information (Bug 31344).
  • Support for declaring an "end of life" for an application: An application marked as such is hidden from users who do not already have it installed. For those who have it installed, uninstallation is suggested (Bug 33946).
  • Applications extending the LDAP schema added repositories on master domain controller and backup domain controller systems to install the corresponding software package. These repositories were never removed automatically, which could cause problems when upgrading UCS. They are now removed automatically, and "stale" repositories that are already registered are removed as well (Bug 33947).
  • When updating an application, a hint is shown saying that all packages will be upgraded. If this is not intended, the repository settings tab has to be used, but this tab is not present when the application is updated via its dedicated UMC module. The text now contains a link which opens the App Center (if it was not already open) and switches to the repository tab (Bug 34028).
  • During a release update of UCS, the target version must be used to find all applications. This is now done by reading the updater.status file (Bug 33548).
  • The join script failed when the App Center server could not be reached while registering all installed apps, which caused problems during the installation of UCS. The join script no longer fails in this case; the registration step is skipped. The new script univention-register-apps can be re-run if the problem was only temporary (Bug 34096).

6.5.4. Basic settings / Appliance mode

  • Adding multiple IP addresses to one network interface has been fixed (Bug 33258).
  • The summary of the network interface changes is now more detailed (Bug 32996).
  • Multiple IP addresses belonging to the same sub-network are now correctly registered in LDAP (Bug 33407).
  • The German translation of Next has been changed to Weiter (Bug 33976).
  • The init script urandom is deactivated until the appliance mode is finished. This avoids having the same random seed in templates. SSH and SSL keys are also recreated during boot if the files are missing (Bug 30034).
  • The query whether Firefox should become the default browser is now disabled (Bug 33592). The tab bar is also hidden (Bug 33640).
  • A warning about an FQDN with fewer than two dots was shown twice (Bug 33437).
  • Added directories for cleanup -pre and -post hooks. Added a Univention Directory Notifier and Univention Directory Listener restart script to be executed after the appliance setup cleanup (Bug 33729).
  • Added an appliance hook script which removes a forced setting for the Univention Configuration Registry variable update/available (Bug 33762).
  • Amavis is now restarted at the end of the appliance mode (Bug 33765).

6.5.5. Users module

  • A user without a mail home server was sometimes assigned a mail home server when modifying other attributes (Bug 33329).

6.5.6. License module

  • A correct error message is now displayed if a user tries to import an invalid license (Bug 30156).

6.5.7. Domain join module

  • The execution of join scripts is now prevented while software is being installed or uninstalled (Bug 33793).

6.5.8. Online update module

  • Fixed the error handling in case the UMC server is restarted during an update (Bug 33443).
  • The updater now uses the individual user agent string for more HTTP requests (Bug 33553).

6.5.9. Shares module

  • The inherit ACL option for Samba shares can be enabled again (Bug 33772).

6.5.10. Policies

  • Certain policies did not display a link to directly edit them when opening the Policies tab of LDAP objects (Bug 33004).
  • Boolean attributes of policies are rendered as check boxes. If these attributes were not defined, the check box was shown as ticked. This has been changed to unticked (Bug 32845).
  • The encoding of UCR policies has been changed so that values can also contain umlauts. The Univention Management Console module now displays a human-readable error message if policy names contain invalid characters (Bug 33704).

6.5.11. Printers module

  • The protocol of a printer URI in the printers UMC module was always set to cups-pdf://. This has been corrected (Bug 33383).

6.5.12. Univention Configuration Registry module

6.5.13. LDAP directory browser

  • Deleting a container from the LDAP tree failed when this container was selected (Bug 33343).
  • A typo in the German translation has been fixed (Bug 33554).
  • Moving objects now also supports mixed-case scenarios. This is relevant when moving organizational units or containers in Samba 4/Active Directory (Bug 33482).

6.5.14. Other modules

  • After adding a new standard container the container was not immediately selectable as a position for new objects (Bug 33651).

6.5.15. Univention Directory Manager command line interface and related tools

  • Fixed setting and displaying sambaLogonHours (Bug 33703).

6.5.16. Development of modules for Univention Management Console

  • Added support for properties that offer empty values, where the frontend chooses the first non-empty one if a new object is created (Bug 33329).
  • Improved the branding support in Univention Management Console widgets (Bug 33493).

6.6. Software deployment

6.6.1. Software deployment command line tools

  • The Cron job for updating UCS releases did not evaluate whether the release policy was activated. This has been fixed (Bug 33189).
  • univention-upgrade is now called in non-interactive mode when invoked from the maintenance policy (Bug 33194).

6.7. Univention Library

  • Adjusted the behaviour of the function ucs_registerLDAPExtension to let join scripts continue in case an LDAP extension could not be registered because a newer one is already active in the domain (Bug 33582).
  • Support for group name mapping has been added. The new function custom_groupname maps the default group names to the actual name (Bug 33649).
  • Support for user name mapping has been added. The new function custom_username maps the default user names to the actual name (Bug 33710).
  • A new Python library s4 has been added for Samba-related operations (Bug 33893).

6.8. System services

6.8.1. Spam/virus detection and countermeasures

  • A misleading status message printed during the update of virus signature definitions in Freshclam has been removed (Bug 33683).

6.8.2. Printing services

  • The password rotation script in univention-printquota was fixed (Bug 33791).

6.8.3. Nagios

  • Shell quoting has been fixed in the join scripts 28univention-nagios-server.inst and 30univention-nagios-client.inst (Bug 33593).
  • Support for the customisation of standard user and group names has been added (Bug 33646).

6.8.4. SSL

  • The permissions of the directory /etc/univention/ssl/ and the files contained in it were mangled on certificate renewal via the UMC module Basic settings. New certificates created using univention-certificate new were created with incorrect permissions. This update fixes these issues and makes sure that the group DC Backup Hosts has access to the certificates (Bug 31941).

6.8.5. PAM / Local group cache

  • univention-pam now checks the mapping of user and group names in the UCR templates (Bug 33710, Bug 33650).

6.8.6. Other services

  • NTP servers reachable from the internet that respond to the "monlist" query can be used to facilitate distributed denial of service attacks (CVE-2013-5211). This update adds the UCR variable ntp/noquery, which can be set to true to disable most queries, including the "monlist" function, and thus mitigates this issue. The regular time service of NTP continues to serve time updates independent of the value of the variable. After setting the variable, the NTP service needs to be restarted in the "System services" module of the Univention Management Console or with the command /etc/init.d/ntp restart. It is recommended to set this variable on UCS systems that expose the NTP service to the internet. On installations with UCS 3.2-1 the variable is set automatically (Bug 33834).

6.9. Virtualisation

6.9.1. Univention Virtual Machine Manager

  • The noVNC service (used to provide browser-based VNC access to virtual machines) is now served on TCP port 6080. This fixes HTTPS connection problems with newer Firefox browsers (Bug 33587).
  • A VNC connection initiated from UCS Virtual Machine Manager can now be used immediately after the start of the virtual machine (Bug 33166).
  • The automatic check script now restarts UVMMd in case the daemon is no longer responding to the cyclic liveness check (Bug 33741).
  • UVMM now uses the internal libvirt event loop implementation. This fixes a problem with accumulating open file handles, which led to performance problems in large environments (Bug 33458).
  • The title of noVNC tabs/windows now includes the name of the virtual machine and the name of the host (Bug 33164).

6.9.2. Xen

  • A race condition where the first domain sometimes failed to start has been fixed (Bug 20481).

6.10. Services for Windows

6.10.1. Samba NT domain support

  • A bug in the configuration file parsing of the Winbind daemon caused trust relations to Windows Active Directory domains to fail. If the new Univention Configuration Registry variable samba/winbind/rpc/only is set to yes, trust relations to Microsoft Windows AD domains are possible again (Bug 33303).
  • A bug in the handling of the Univention Configuration Registry variables samba/global/options/* was fixed (Bug 28722).

6.10.2. Samba AD domain support

  • Windows 8 clients were not able to print to Samba print servers if client-side printer drivers were used (Bug 33197).
  • Samba could not be started on hosts with only IPv6 interfaces. This has been fixed by deactivating WINS support on IPv6 hosts (Bug 33250).
  • The script create_spn_account.sh failed in case the generated random password started with a dash. This has been fixed (Bug 32938).
  • Multiple Logrotate configurations for Samba log files could lead to warning messages via Cron. These redundant configurations were removed (Bug 33529).
  • ldapsearch-wrapper has been added to univention-ldapsearch calls in Samba setup scripts to prevent line wrapping of LDAP search results (Bug 33583).
  • Joining an additional Samba domain controller could overwrite changes made to the default domain group policy object and the domain controller group policy object. This issue has been fixed (Bug 3388).

6.10.3. Univention AD Takeover

  • The handling of DNS timeouts has been improved (Bug 31731).
  • A problem in the handling of non-English user and group names was fixed. If the well known users and groups in AD are found to be non-English during takeover, the corresponding objects will be renamed in UCS to match (Bug 33644).

6.10.4. Univention S4 Connector

  • The synchronisation mode is now configurable through UCR for every connector property (such as users, groups, containers, etc.) (Bug 33711).
  • Added support for synchronisation of MS WMI filters (disabled by default) (Bug 33936).
  • The internal connector status database is now removed when re-joining the system (Bug 33940).

6.10.5. Univention Active Directory Connector

  • A note on Univention AD Takeover is now displayed in the UMC module for the Univention AD Connector (Bug 33657).

6.11. Other changes

  • The new Univention Directory Listener module well-known-sid-name-mapping.py implements a mechanism for domain-wide customisation of account names for well known Windows/Samba SIDs. It sets the Univention Configuration Registry variables groups/default/* and users/default/* in case accounts with well known SIDs are renamed (Bug 33897).
  • kdegraphics was updated: A MIME type configuration for okular was removed that could cause Firefox to hang when accessing the UMC in a local session (Bug 34125).

Bibliography

[ucs-handbuch] Univention GmbH. 2013. Univention Corporate Server - Manual for users and administrators. http://docs.univention.de/manual-3.2.html.