UCS 4.0-2 Release Notes

Release notes for the installation and update of Univention Corporate Server (UCS) 4.0-2


Table of Contents

1. Release highlights
2. Notes on the update
2.1. Recommended update order for environments with more than one UCS server
2.2. Univention App Center
2.3. UCS installation DVDs only available for 64 bit
3. Preparation of update
4. Postprocessing of the update
5. Further notes on selected packages
5.1. Network-based installation of UCS
5.2. Collection of usage statistics
5.3. Scope of security support for WebKit, Konqueror and QtWebKit
5.4. Recommended browsers for the access to Univention Management Console
6. Changelog
6.1. General
6.2. Univention Installer
6.3. Basic system services
6.3.1. Univention Configuration Registry
6.3.2. Boot Loader
6.4. Domain services
6.4.1. OpenLDAP
6.4.1.1. LDAP schema changes
6.5. Univention Management Console
6.5.1. Univention Management Console web interface
6.5.2. Univention Management Console server
6.5.3. Univention App Center
6.5.4. Univention Directory Manager UMC modules and command line interface
6.5.5. Basic settings / Appliance mode
6.5.6. License module
6.5.7. Process overview module
6.5.8. Software update module
6.5.9. Filesystem quota module
6.5.10. Univention Configuration Registry module
6.5.11. Other modules
6.6. Univention base libraries
6.7. System services
6.7.1. Mail services
6.7.2. Spam/virus detection and countermeasures
6.7.3. Printing services
6.7.4. SSL
6.7.5. Proxy services
6.7.6. Apache
6.7.7. PAM / Local group cache
6.8. Virtualization
6.8.1. Univention Virtual Machine Manager (UVMM)
6.9. Container Technologies
6.10. Services for Windows
6.10.1. Samba
6.10.2. Univention AD Takeover
6.10.3. Univention S4 Connector
6.10.4. Univention Active Directory Connection
6.11. Other changes
Bibliography

§Chapter 1. Release highlights

With Univention Corporate Server 4.0-2, the second point release of Univention Corporate Server (UCS) 4.0 is now available. It provides various improvements and bugfixes. An overview of the most important changes:

  • The "Free for personal use" license was replaced by the UCS Core Edition license. This allows the use of UCS in commercial settings without charge. The upgrade of the license is described in SDB 1324. Further information on the UCS Core Edition is provided on https://www.univention.com/products/prices/.

  • The container virtualization Docker was added to UCS. This makes it possible to run Docker containers on UCS systems. The first Docker images of UCS itself are also available. Further information is provided on http://wiki.univention.de/index.php?title=Docker.

  • A separate tutorial for creating Apps is now available.

  • An App installed on a remote system is now automatically configured by running its join scripts.

  • Several enhancements and bugfixes in design and usability of the Univention Management Console were done.

  • A mode to install UCS systems unattended over the network was added.

  • The compatibility with Active Directory has been improved. This allows Windows 2008 R2 Foundation Servers to join the domain as a member server. In addition, a problem regarding the resolution of SIDs with NetApp Storage Systems has been fixed.

  • The web server Apache and the mail server Postfix now support several additional settings related to encryption and other security-related options. In addition, several outdated cryptographic algorithms have been disabled by default.

§Chapter 2. Notes on the update

During the update some services in the domain may not be available, so the update should occur in a maintenance window. It is recommended to test the update in a separate test environment prior to the actual update. The test environment should be identical to the production environment. Depending on the system performance, network connection and the installed software, the update takes between 20 minutes and several hours.

§2.1. Recommended update order for environments with more than one UCS server

In environments with more than one UCS system, the update order of the UCS systems must be borne in mind:

The authoritative version of the LDAP directory service is maintained on the master domain controller and replicated to all the remaining LDAP servers of the UCS domain. As changes to the LDAP schemas can occur during release updates, the master domain controller must always be the first system to be updated during a release update.

§2.2. Univention App Center

If applications have been installed from the Univention App Center, the update can only be performed once all installed applications are available in a compatible version. Some applications are updated to newer versions during the update. If an application is not yet available for UCS 4.0, the release date can be obtained from the application vendor.

§2.3. UCS installation DVDs only available for 64 bit

Starting with UCS 4.0, installation DVDs are only provided for the x86 64 bit architecture (amd64). Existing 32 bit UCS 3 systems can still be updated to UCS 4.0 through the online repository or by using update DVDs. The 32 bit architecture will be supported for the entire UCS 4 maintenance period.

§Chapter 3. Preparation of update

It must be checked whether sufficient disk space is available. A standard installation requires a minimum of 6 GB of disk space. Depending on the scope of the existing installation, the update will require about another 2 GB of disk space for downloading and installing all packages.

For the update, a login should be performed on the system's local console as user root, and the update should be initiated there. Alternatively, the update can be conducted using Univention Management Console.

Remote updating via SSH is not recommended as this may result in the update procedure being cancelled, e.g., if the network connection is interrupted. In consequence, this can affect the system severely. If the update must nevertheless be performed over a network connection, it must be ensured that the update continues despite disconnection from the network. This can be done, e.g., using the tools screen and at. These tools are installed on all system roles by default.

§Chapter 4. Postprocessing of the update

Following the update, new or updated join scripts need to be executed. This can be done in two ways: Either using the UMC module Domain join or by running the command univention-run-join-scripts as user root.

Subsequently the UCS system needs to be restarted.

§Chapter 5. Further notes on selected packages

§5.1. Network-based installation of UCS

The profile-based UCS network installation is available with UCS 4.0-2. Further details are described in [ext-doc-inst].

§5.2. Collection of usage statistics

Anonymous usage statistics on the use of Univention Management Console are collected when using the UCS Core Edition version of UCS (which is generally used for evaluating UCS). The modules opened are logged in an instance of the web traffic analysis tool Piwik. This makes it possible for Univention to tailor the development of Univention Management Console better to customer needs and carry out usability improvements.

This logging is only performed when the UCS Core Edition license is used. The license status can be verified via the menu entry License -> License information of the user menu in the upper right corner of Univention Management Console. If UCS Core Edition is listed under License type, this version is in use. When a regular UCS license is used, no usage statistics are collected.

Independent of the license used, the statistics generation can be deactivated by setting the Univention Configuration Registry variable umc/web/piwik to false.

§5.3. Scope of security support for WebKit, Konqueror and QtWebKit

WebKit, Konqueror and QtWebKit are shipped in the maintained branch of the UCS repository, but not covered with security support. WebKit is primarily used for displaying HTML help pages etc. Firefox should be used as web browser.

§5.4. Recommended browsers for the access to Univention Management Console

Univention Management Console uses numerous JavaScript and CSS functions to display the web interface. Cookies need to be permitted in the browser. The following browsers are recommended:

  • Chrome as of version 33

  • Firefox as of version 24

  • Internet Explorer as of version 9

  • Safari and Safari Mobile as of version 7

Users with older browsers may experience display or performance problems.

§Chapter 6. Changelog

Listed are the changes since UCS 4.0-1:

§6.1. General

§6.2. Univention Installer

  • The Univention Net Installer has been adapted to allow profile-based installations of UCS-4.0-1 (Bug 35537).

§6.3. Basic system services

§6.3.1. Univention Configuration Registry

  • The names of temporary files created by UCR commit now start with a dot (.) so that they are hidden by default (Bug 37819).
  • Fixed a race condition in the univention-ldapsearch wrapper, which prevented proper error detection (Bug 37631).

§6.3.2. Boot Loader

  • Fixed a compilation error in the memtest86+ binary which caused memory test 7 ("Random number sequence") to always fail (Bug 37638).

§6.4. Domain services

§6.4.1. OpenLDAP

  • Support for the UCS Core Edition license has been added. Every "Free for personal use" license can easily be migrated to the UCS Core Edition. Details can be found in SDB 1324 (Bug 38107).
  • If a password has been changed via Samba 4, the account expiry setting was not always considered. This has been fixed (Bug 38060).

§6.4.1.1. LDAP schema changes

  • The LDAP attribute univentionSamba4pwdProperties (integer) has been added to the sambaDomain object class (Bug 28331).

§6.5. Univention Management Console

§6.5.1. Univention Management Console web interface

  • The version of the Dojo Toolkit has been updated from 1.10.2 to 1.10.4. Support for IE11 in the Dojo module dojo/uacss has been added (Bug 38225).
  • If the host name or user name is too long for the menu labels in the header, it is now trimmed and an ellipsis (...) is shown. The positioning of the back to overview header button has been adjusted. The UMC background image has been adjusted. The default search button has been made smaller and now only contains an icon instead of text. The positioning of the UMC header menus on small screens has been adjusted and they have been styled with icons. The style of modules and module headers has been slightly adjusted. Pop-up dialogues that need no confirmation now have a close icon. Notifications must now be closed via a close icon. The label of module buttons is now centred if there is enough space (Bug 37780).
  • An error prevented stopping virtual machines and reporting erroneous UMC behaviour. Both actions work again (Bug 37892).
  • Changed the cursor to a pointer when hovering grid row actions (Bug 37197).
  • A help icon has been added to the login dialogue (Bug 37804).
  • Under specific circumstances, SVG icons were displayed incorrectly in Internet Explorer 11. For Internet Explorer, icons are now displayed in PNG format (Bug 38225).
  • Displaying of the UMC reload dialogue has been adjusted (Bug 37565).
  • The automatic selection of the first item in a list widget (e.g., in the installed system locales in language settings) has been removed (Bug 33199).
  • Methods for resetting UMC modules and renewing a session have been added (Bug 37347).
  • Pass the required attribute to sub widgets of the ComplexInput widget (Bug 36539).
  • An animation has been added for opening and hiding modules (Bug 37899).
  • Update references to www.univention.de (Bug 37908).
  • The activation of UCS with a personalized license key as well as the import process of a new license file has been improved w.r.t. the usability (Bug 38132).
  • The UMC grid now cleans up orphaned widget references that could lead to growing memory consumption in the browser (particularly in UVMM) (Bug 36615).
  • The Univention Management Console web server and the upload widgets can now handle uploading several files at once and support drag and drop (Bug 38276).
  • Some label texts in the Services modules have been improved, and icons have been added for the module actions (Bug 36564).

§6.5.2. Univention Management Console server

  • The package python-notifier has been updated to version 0.9.7. This fixes a bug which could cause a UMC server crash in specific circumstances (Bug 37457).
  • A race condition during UMC session shutdown which could lead to a complete shutdown of the UMC server has been fixed (Bug 37399).
  • Removing and subsequently adding extended attributes could lead to a UMC server crash. The attribute handling in the server has been improved (Bug 37447).
  • User preferences as well as favourite UMC modules could not be saved into the LDAP under specific circumstances. This behaviour has been adjusted (Bug 38222).
  • It is now possible to request a single-sign-on login token for localhost (Bug 37347).
  • The number of parallel and open requests in the UMC web server has been raised and can now be configured via the Univention Configuration Registry variable umc/http/maxthreads (Bug 37851).

§6.5.3. Univention App Center

  • After installing an app, all pending join scripts are called with the credentials of the currently logged-in user (Bug 36822).
  • After installing apps or software packages, UMC modules are now reset, the UMC session is renewed automatically, and a page reload is done only if really necessary (Bug 37347).
  • Add support for WebInterfacePortHTTP and HTTPS in the ini file of an app (Bug 35456).
  • Update references to www.univention.de (Bug 37908).
  • Conflicts between apps are now calculated based on the actual installation state, not only on one of the involved packages (Bug 35661).
  • The process of loading license information from the LDAP has been improved to avoid idle times in UMC (Bug 37616).
  • Apps may now define a minimal UCS version below which the app may not be installed (Bug 38042).
  • Apache may now be restarted by packages during installation via the Package Management module (Bug 38446).

§6.5.4. Univention Directory Manager UMC modules and command line interface

  • Support for the UCS Core Edition license has been added. Every "Free for personal use" license can easily be migrated to the UCS Core Edition. Details can be found in SDB 1324 (Bug 38103 and Bug 38104).
  • Remove an attribute formerly used by Univention Net Installer from various computer modules (Bug 37560).
  • Fix tracebacks due to incorrect checks whether an object exists (Bug 37119).
  • Creating a simple authentication account is now much faster (Bug 37607).
  • Adjust an error message of the PrinterURI syntax class (Bug 36711).
  • Prevent de-installation of essential packages when creating a slave/master/member-server packages policy (Bug 36539).
  • Replaced the term General by a more descriptive title in various UDM modules (Bug 36401).
  • Improved error message format (Bug 37740).
  • Don't create a pointer record if no forward zone could be determined when modifying a computer object (Bug 37504).
  • Repair --policies option of UDM command line tool (Bug 21585).
  • Added appropriate validation for the mail domain name. To restore the old behaviour it is possible to overwrite the syntax from the CLI: ucr set directory/manager/web/modules/mail/domain/properties/name/syntax='string' (Bug 34552).
  • DVS and support information has been removed from univention-license-check (Bug 38203).
  • Two attributes domainPasswordComplex and domainPasswordStoreCleartext have been added to the sambadomain settings module (Bug 28331).
  • Labels of multi value fields in UDM modules have been adjusted to be more consistent (Bug 32760).
  • The appearance of the search and advanced search button has been adjusted. Shortened the description for the Back to search and Save changes buttons to Back and Save (Bug 37780).
  • The module cache is cleared now with the internal registration mechanism (Bug 37347).
  • A pop-up notification about automatically set default values was displayed for values which were disabled by the selected options. This has been fixed (Bug 37711).
  • Fix format of error message in specific circumstances (Bug 36711).
  • Execute UDM requests again if an LDAP error occurs due to timeout problems (Bug 37740).
  • Policy labels are now correctly displayed with an edit link. Changes on a UDM object can now be saved by pressing 'Return' on the keyboard (Bug 36708).
  • Update a warning icon (Bug 36460).
  • DVS and support information has been removed from the license information dialogue (Bug 38203).

§6.5.5. Basic settings / Appliance mode

  • When joining a system into a domain, the Kerberos password is no longer logged into /var/log/univention/join.log (Bug 37489).
  • Fix the calculation of the CIDR when displaying network interface settings (Bug 37326).
  • The positioning of page icons on small screens has been optimized (Bug 37824).
  • Additional connection and setup information is now shown by displaying the file motd.setup before the system is fully configured (Bug 37129, Bug 38510).
  • Error handling during saving in the system setup modules has been improved (Bug 36843).
  • A warning is displayed in appliance mode when too little memory is available for installing UCS (Bug 36460).
  • The instructions on how to access Univention Management Console for the first time have been enhanced (Bug 37804).
  • License agreement information can now be displayed during the setup wizard (Bug 37616).
  • The password description will now be hidden, as well, when the password field is hidden (e.g., during the installation) (Bug 38148).
  • The Univention Configuration Registry variable system/setup/boot/fields/blacklist can now also be used to disable the selection of particular server roles (Bug 38116).
  • A reload of Apache is now disabled during the complete configuration of a UCS appliance. This has been done in order to avoid access problems at the end of the wizard when accessing UMC via HTTPS (Bug 37771).
  • The city search widget has been improved w.r.t. its usability (Bug 37771).
  • The progress bar has been adjusted to reach 100%, its localization has been corrected to match the chosen one, and its output has been improved (Bug 35550).
  • Output written into /var/log/univention/setup.log is now regularly flushed (Bug 38293).
  • Fixed wrong URL for advanced UVMM network setup (Bug 38314).
  • Cleanup scripts will now be executed if setup-join.sh is called from the command line. All output is logged to STDOUT/STDERR (Bug 38332).
  • The setup script 05_role/10role has been sped up. It creates hard links instead of copying packages into the dpkg cache (Bug 38393).
  • Improved logging when running setup-join: run-parts now prints filenames (Bug 38332).

§6.5.6. License module

  • Support for the UCS Core Edition license has been added. Every "Free for personal use" license can easily be migrated to the UCS Core Edition. Details can be found in SDB 1324 (Bug 38102).

§6.5.7. Process overview module

  • Prevent an error if the user of a process is unknown (Bug 33923).
  • Killing multiple processes at once now works properly (Bug 33193).
  • If a process that is no longer running is killed, an error message is shown (Bug 25305).

§6.5.8. Software update module

  • The Back button is hidden while the system is being upgraded (Bug 37741).
  • The dialogue showing the list of packages to be updated/installed in the Software update module is now limited in its maximum height. The styling for the updater dialogue has been slightly adjusted (Bug 37573).
  • A default time-out of 10 minutes was added to the updater, after which stalled HTTP connections are aborted (Bug 36044).
  • A confirmation dialogue is now shown when the browser window is closed or the page is reloaded during an update process (Bug 37033).
  • univention-add-app now prevents the installation of apps on the wrong server role (Bug 32543).
  • A local repository created from the UCS-4.0-1 DVD was incorrectly copied to the location reserved for UCS-4.0-0 (Bug 38248).
  • The Packages files required for profile based installations are now generated locally (Bug 35537).

§6.5.9. Filesystem quota module

  • If the first configured LDAP server was not reachable, timeouts could occur during the login. This has been fixed in the script univention-user-quota (Bug 36805).
  • An error message about an unbound variable has been removed from the script univention-group-quota (Bug 37134).
  • The quota settings are now written to a cache directory by a listener module. The PAM script which applies the quota settings to the share uses this cache directory. This improves the login performance (Bug 36989).

§6.5.10. Univention Configuration Registry module

  • The width of the dialogue for editing Univention Configuration Registry variables has been enlarged (Bug 37742).
  • HTML entities in Univention Configuration Registry variable descriptions are now properly escaped (Bug 38036).

§6.5.11. Other modules

  • The rendering of the list view has been optimized (Bug 36569).

§6.6. Univention base libraries

  • If the first configured LDAP server was not reachable, timeouts could occur during the login. This has been fixed (Bug 36805).

§6.7. System services

§6.7.1. Mail services

  • The Univention Configuration Registry variable descriptions for mail/localmailboxsizelimit and mail/messagesizelimit have been updated, as the value 0 does not mean unlimited, as previously stated (Bug 38061).
  • Additional arguments for smtpd processes may now be added via Univention Configuration Registry variables. The given arguments are automatically added to the configuration file /etc/postfix/master.cf. The following UCR variable prefixes are currently supported:

    • mail/postfix/mastercf/options/smtp/...
    • mail/postfix/mastercf/options/smtps/...

    (Bug 37442)

  • The first changes to the main.cf framework have been made for defining a custom restriction rule set via Univention Configuration Registry variables for Postfix' smtps port (465). There is currently no change in Postfix behaviour (Bug 38049).
  • Allow Postfix to receive client mails on submission port 587 (Bug 30043).
  • Exclude RC4 cipher suites from all TLS security levels (RFC 7465). Adds the Univention Configuration Registry variables mail/postfix/tls/client/exclude_ciphers and mail/postfix/smtpd/tls/exclude_ciphers and sets them by default to RC4, aNULL (Bug 38043).
  • TLS/SSL settings can now be set for server and client. SSLv3 is disabled for fresh installs, except for receiving mails. Adds the Univention Configuration Registry variables mail/postfix/smtpd/tls/*protocols and mail/postfix/tls/client/*protocols (Bug 38044).
  • Add options to check the mapping of IP addresses to FQDNs to fight spam. Adds the Univention Configuration Registry variables mail/postfix/smtpd/restrictions/sender/require_reverse_dns and mail/postfix/smtpd/restrictions/sender/require_forward-confirmed_reverse_dns for weaker and stricter reverse DNS checking respectively (Bug 38292).

§6.7.2. Spam/virus detection and countermeasures

  • Remove references to ahbl.org DNSBL, which has ceased operation (Bug 37471).
  • ClamAV has been updated to version 0.98.6 (Bug 36966).

§6.7.3. Printing services

  • univention-printquota now copies the /etc/machine.secret file for LDAP lookups in the join script (Bug 36861).

§6.7.4. SSL

  • Fixed an endless loop when invalid values for certificates are supplied (Bug 38125).

§6.7.5. Proxy services

  • The web-proxy Squid now also uses the additional LDAP servers configured through the Univention Configuration Registry variable ldap/server/addition (Bug 37752).
  • Network interfaces other than ethX are now also added to the access control list (Bug 36623).
  • The Squid configuration can now be extended with custom ACLs via Univention Configuration Registry variables (Bug 37543).

§6.7.6. Apache

  • Kill and restart the Apache process in the init script if a reload crashes the Apache process (Bug 37792).
  • The Apache web server did not close all inherited file descriptors by itself, which could lead to other processes being blocked indefinitely. This behaviour has been corrected (Bug 37952).
  • The UCS overview background image has been adjusted. The style of the UCS overview modules has been adjusted to match the style of the UMC. The display of the modules has been slightly adjusted (Bug 37780).
  • The configuration of the SSL/TLS support in Apache has been improved:

    • If the new UCR variable apache2/ssl/tlsv11 is set to true, Apache only accepts TLS 1.1 and TLS 1.2.
    • If the new UCR variable apache2/ssl/tlsv12 is set to true, Apache only accepts TLS 1.2.
    • SSL compression is disabled by default for security reasons; it can be enabled using the UCR variable apache2/ssl/compression.
    • Apache no longer accepts various insecure ciphers and hash algorithms (e.g. RC4, MD5 and the outdated export ciphers) by default. Note that such algorithms would not have been negotiated anyway if the TLS client supports current cryptographic algorithms. A different set of ciphers can be configured using the new UCR variable apache2/ssl/ciphersuite.
    • If the new UCR variable apache2/ssl/honorcipherorder is set, the server choice of ciphers is used instead of the ciphers preferred by the TLS client.

    Please refer to the Univention Configuration Registry variable descriptions for additional details (Bug 35456).

  • Support for forcing a port in the URL shown in the ucs-overview page has been added. This is done by setting the Univention Configuration Registry variable ucs/web/overview/entries/*/*/port_http and .../port_https (Bug 37566).
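As an added check covering the Postfix TLS variables from section 6.7.1, the Apache TLS variables above and the umc/web/piwik switch from section 5.2, here is a Python audit (not part of UCS) that reads the text output of `ucr dump` and reports values weaker than the 4.0-2 defaults. The sample dump is constructed, and the concrete Postfix protocol variable names in it are assumed from the notes' `*protocols` wildcard.

```python
"""Audit the security-relevant UCR variables named in these release notes from
the output of `ucr dump` ("key: value" per line). Added example, not UCS code."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed `ucr dump` excerpt mixing weak and hardened values; the notes'
# "*protocols" wildcard is expanded to the assumed names below.
SAMPLE_UCR_DUMP = """\
apache2/ssl/tlsv11: false
apache2/ssl/tlsv12: false
apache2/ssl/compression: true
apache2/ssl/honorcipherorder: false
apache2/ssl/ciphersuite: HIGH:!aNULL:!MD5:!RC4
mail/postfix/smtpd/tls/exclude_ciphers: RC4, aNULL
mail/postfix/tls/client/exclude_ciphers: RC4
mail/postfix/smtpd/tls/mandatory_protocols: !SSLv2, !SSLv3
mail/postfix/smtpd/tls/protocols: !SSLv2
mail/postfix/tls/client/protocols: !SSLv2, !SSLv3
umc/web/piwik: true
"""

TRUE_VALUES = {"true", "yes", "on", "1", "enable", "enabled"}
WEAK_CIPHER_TOKENS = {"RC4", "MD5", "EXP", "EXPORT", "aNULL", "eNULL", "DES"}
POSTFIX_EXCLUDE_KEYS = ("mail/postfix/smtpd/tls/exclude_ciphers",
                        "mail/postfix/tls/client/exclude_ciphers")
POSTFIX_PROTOCOL_KEY = re.compile(r"^mail/postfix/(smtpd/tls|tls/client)/\w*protocols$")

def parse_ucr_dump(text: str) -> Dict[str, str]:
    """Turn `ucr dump` lines into a dict; lines without ': ' are skipped."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.partition(": ")
        if sep and key and not key.startswith("#"):
            settings[key.strip()] = value.strip()
    return settings

def is_true(value: Optional[str]) -> bool:
    return (value or "").strip().lower() in TRUE_VALUES

def tokens(value: Optional[str]) -> List[str]:
    """Split an OpenSSL cipher string or a Postfix list on ':', ',' and spaces."""
    return [t for t in re.split(r"[,:\s]+", value or "") if t]

def sslv3_allowed(value: Optional[str]) -> bool:
    """Postfix lists are exclusions ('!SSLv3') or allow lists ('TLSv1.2'); empty allows SSLv3."""
    toks = tokens(value)
    if not toks:
        return True
    if any(not t.startswith("!") for t in toks):
        return "SSLv3" in toks
    return "!SSLv3" not in toks

def audit(ucr: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (variable, problem) pairs for values weaker than the 4.0-2 defaults."""
    findings: List[Tuple[str, str]] = []
    # Apache (6.7.6): TLS 1.1+/1.2 only, no compression, server-side cipher order.
    if not (is_true(ucr.get("apache2/ssl/tlsv11")) or is_true(ucr.get("apache2/ssl/tlsv12"))):
        findings.append(("apache2/ssl/tlsv12", "TLS 1.0 still accepted; set tlsv11 or tlsv12 to true"))
    if is_true(ucr.get("apache2/ssl/compression")):
        findings.append(("apache2/ssl/compression", "TLS compression enabled; the 4.0-2 default is off"))
    if not is_true(ucr.get("apache2/ssl/honorcipherorder")):
        findings.append(("apache2/ssl/honorcipherorder", "client cipher preference wins; set to true"))
    weak = [t for t in tokens(ucr.get("apache2/ssl/ciphersuite"))
            if t[0] not in "!-" and t in WEAK_CIPHER_TOKENS]
    if weak:
        findings.append(("apache2/ssl/ciphersuite", "custom suite re-enables: " + ", ".join(weak)))
    # Postfix (6.7.1): both exclusion lists should keep the default "RC4, aNULL".
    for key in POSTFIX_EXCLUDE_KEYS:
        missing = sorted({"RC4", "aNULL"} - set(tokens(ucr.get(key))))
        if missing:
            findings.append((key, "not excluded: " + ", ".join(missing)))
    # Postfix protocol lists: flag SSLv3 (the notes keep it only for receiving mail).
    for key, value in sorted(ucr.items()):
        if POSTFIX_PROTOCOL_KEY.match(key) and sslv3_allowed(value):
            findings.append((key, "SSLv3 still allowed; consider '!SSLv2, !SSLv3'"))
    # Section 5.2: UMC usage statistics go to Piwik unless this is false.
    if is_true(ucr.get("umc/web/piwik")):
        findings.append(("umc/web/piwik", "usage statistics enabled; set to false to opt out"))
    return findings

def audit_dump(text: str) -> List[Tuple[str, str]]:
    return audit(parse_ucr_dump(text))

if __name__ == "__main__":
    for variable, problem in audit_dump(SAMPLE_UCR_DUMP):
        print(f"{variable}: {problem}")
```

On a real system, feed it `ucr dump` output instead of the constructed sample; an empty result means every listed variable is at or above the 4.0-2 default.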

§6.7.7. PAM / Local group cache

  • The configuration that denies SSH logins on domain controllers has been moved into the join scripts, as those restrictions were not applied in all cases (Bug 37971).

§6.8. Virtualization

§6.8.1. Univention Virtual Machine Manager (UVMM)

  • A memory leak caused by parsing XML documents has been fixed (Bug 36640).
  • Missing translation has been added (Bug 36567).
  • The error message has been made more understandable if the cloud end point returns an error due to a blocked account, incorrect server time or missing Amazon IAM policies to interact with EC2 (Bug 37099).
  • Some unused code has been removed (Bug 36635).
  • A display error of the icon for VNC access in Firefox has been corrected in the UMC module (Bug 36678).
  • An error in the grid of the UMC module resulted in an endless refreshing loop of the grid if no connection was available. This has been adjusted (Bug 38010).
  • Orphaned widget references in the UMC module that would lead to a growing memory consumption in the browser are now cleaned up (Bug 36615).
  • The Debian Installer no longer sets the Univention Configuration Registry variable locale/keymap, which caused the join script to use en-us as the default keyboard layout. This has been fixed (Bug 37551).

§6.9. Container Technologies

  • The container technology software docker.io is now available on UCS to pull and run Docker containers (Bug 37642).

§6.10. Services for Windows

§6.10.1. Samba

  • The Windows Server 2008 R2 Foundation member server license check failed in Samba/AD domains (Bug 37687).
  • NetApp filer NAS devices joined to a Samba/AD DC failed to look up SIDs due to an issue in negotiating strong encryption for server authentication (Bug 37874).
  • If the first configured LDAP server was not reachable, timeouts could occur during the share access on a member server. This has been fixed (Bug 36805).

§6.10.2. Univention AD Takeover

  • This update fixes a traceback which occurred when Active Directory built-in accounts were positioned in a non-default location in the AD LDAP directory (Bug 37596).

§6.10.3. Univention S4 Connector

  • The password expiry attributes are now set in OpenLDAP if the password has been changed in Active Directory/Samba 4 (Bug 36317).
  • Synchronisation of the domain password properties has been added (Bug 28331).

§6.10.4. Univention Active Directory Connection

  • While synchronizing an object from Active Directory to UCS the UCS target object is now checked. If the UCS object should be ignored, the UCS object will not be modified or moved (Bug 37351).

§6.11. Other changes

  • Several packages have been added to the maintained package repository of UCS (Bug 36467).
  • The list of public SSL root certificates has been updated (Bug 37885).
  • An error in a network script terminated the DHCP script responsible for updating the network configuration too early, which led to RFC 3442 classless routes not being applied (Bug 37689).
  • Limit collection of files by univention-log-collector to the configured base path (Bug 36452).
  • If the first configured LDAP server was not reachable, timeouts could occur during the login. This has been fixed in univention-home-mounter (Bug 36805).

§Bibliography

[ext-doc-inst] Univention GmbH. 2014. Extended installation documentation. https://docs.software-univention.de/installation-4.0.html.