Linux企业级发行:Univention Corporate Server 4.0-3 发布

xwfw 9年前

Univention Corporate Server是一份企业级发行,它基于Debian GNU/Linux。其特色在于一份面向服务器集中式管理的集成管理系统,兼容微软Active Directory的域服务,以及面向虚拟服务器和桌面操作系统并行操作的功能。

Download: UCS_4.0-3-amd64.iso (2,200MB, MD5, pkglist).

Chapter 1. Release highlights

With Univention Corporate Server 4.0-3, the third point release of Univention Corporate Server (UCS) 4.0 is now available. It provides various improvements and bugfixes. An overview of the most important changes:

  • The mail server Dovecot has been integrated as standard IMAP/POP3 server into UCS and offers an alternative to the still available Cyrus IMAP server. More information is available in this blog article.

  • The compatibility to Active Directory has been improved with the Samba update to 4.2.3. This includes, among others, improvements in the DRS replication and the printer driver handling. In addition, the join of Huawai storage systems in the Active Directory domain provided by UCS is now also possible.

  • Several enhancements in design and usability of the Univention Management Console have been implemented. For example, it is now possible to use the forward and back buttons of the web browser. This allows a simpler and faster navigation in the management interface.

  • LDAP filters can now be defined for LDAP policies. That means the LDAP policy applies only to the objects that match the LDAP filter. This makes it possible to use LDAP policies in an easy and generic way especially in large environments.

  • The Linux kernel has been updated to the latest stable version of the 3.16 longterm kernel. This includes several security updates as well as new and updated drivers for a better hardware support.

  • All security updates released for UCS 4.0-2 are included in this update. It is now also possible to redirect all HTTP requests to HTTPS by only setting an Univention Configuration Registry variable. This increases the security of the UCS system.

Chapter 2. Notes on the update

</div> </div>

During the update some services in the domain may not be available, i.e. the update should occur in a maintenance window. It is recommended to test the update in a separate test environment prior to the actual update. The test environment should be identical to the production environment. Depending on the system performance, network connection and the installed software the update takes between 20 minutes and several hours.

2.1. Recommended update order for environments with more than one UCS server

</div> </div>

In environments with more than one UCS system, the update order of the UCS systems must be borne in mind:

The authoritative version of the LDAP directory service is maintained on the master domain controller and replicated on all the remaining LDAP servers of the UCS domain. As changes to the LDAP schemes can occur during release updates, the master domain controller must always be the first system to be updated during a release update.

</div>

2.2. UCS installation DVDs only available for 64 bit

</div> </div>

Starting with UCS 4.0 UCS, installation DVDs are only provided for the x86 64 bit architecture (amd64). Existing 32 bit UCS 3 systems can still be updated to UCS 4.0 through the online repository or by using update DVDs. The 32 bit architecture will be supported over the entire UCS 4 maintenance.

</div> </div>

Chapter 3. Preparation of update

</div> </div>

It must be checked whether sufficient disk space is available. A standard installation requires a minimum of 6 GB of disk space. Depending on the scope of the existing installation, the update will require about another 2 GB of disk space for downloading and installing all packages.

For the update, a login should be performed on the system's local console as user root, and the update should be initiated there. Alternatively, the update can be conducted using Univention Management Console.

Remote updating via SSH is not recommended as this may result in the update procedure being cancelled, e.g., if the network connection is interrupted. In consequence, this can affect the system severely. If updating should occur over a network connection nevertheless, it must be verified that the update continues despite disconnection from the network. This can be done, e.g., using the tools screen and at. These tools are installed on all system roles by default.

</div>

Chapter 4. Postprocessing of the update

</div> </div>

Following the update, new or updated join scripts need to be executed. This can be done in two ways: Either using the UMC module Domain join or by running the command univention-run-join-scripts as user root.

Subsequently the UCS system needs to be restarted.

</div>

Chapter 5. Further notes on selected packages

</div> </div>

5.1. Network-based installation of UCS

</div> </div>

The profile-based UCS network installation is available with UCS 4.0-2. Further details are described in [ext-doc-inst].

</div>

5.2. Collection of usage statistics

</div> </div>

Anonymous usage statistics on the use of Univention Management Console are collected when using the UCS Core Edition version of UCS (which is generally used for evaluating UCS). The modules opened are logged in an instance of the web traffic analysis tool Piwik. This makes it possible for Univention to tailor the development of Univention Management Console better to customer needs and carry out usability improvements.

This logging is only performed when the UCS Core Edition license is used. The license status can be verified via the menu entry License -> License information of the user menu in the upper right corner of Univention Management Console. If UCS Core Edition is listed under License type, this version is in use. When a regular UCS license is used, no usage statistics are collected.

Independent of the license used, the statistics generation can be deactivated by setting the Univention Configuration Registry variable umc/web/piwik to false.

</div>

5.3. Scope of security support for WebKit, Konqueror and QtWebKit

</div> </div>

WebKit, Konqueror and QtWebKit are shipped in the maintained branch of the UCS repository, but not covered with security support. WebKit is primarily used for displaying HTML help pages etc. Firefox should be used as web browser.

</div> <div class="chapter" title="Chapter 5. Further notes on selected="selected" packages">

5.4. Recommended browsers for the access to Univention Management Console

</div> </div>

Univention Management Console uses numerous JavaScript and CSS functions to display the web interface. Cookies need to be permitted in the browser. The following browsers are recommended:

  • Chrome as of version 33

  • Firefox as of version 24

  • Internet Explorer as of version 9

  • Safari and Safari Mobile as of version 7

Users with older browsers may experience display or performance problems.

</div> </div>

Chapter 6. Changelog

</div> </div>

Listed are the changes since UCS 4.0-2:

6.1. General

</div> </div>
  • All security updates issued for UCS 4.0-2 are included:

    </li> </ul> </div> </div>

    6.2. Basic system services

    </div> </div>

    6.2.1. Linux kernel and firmware packages

    </div> </div>
    • The Linux kernel has been updated to 3.16.7-ckt11. It provides many bugfixes and fixes several vulnerabilities (Bug 37385).
    </div>

    6.2.2. Univention Configuration Registry

    </div> </div>
    • The UCR variable ipv6/gateway now supports a zone index (Bug 35694).
    • Multiple IPv6 addresses from the same subnet can now be added to an interface (Bug 33986).
    • The handling of the 'prefix' for secondary IPv6 addresses has been corrected (Bug 33986).
    </div>

    6.2.3. Boot Loader

    </div> </div>
    • The title for the entry of UCS in the GRUB boot menu can be configured through the Univention Configuration Registry variable grub/title (Bug 38779).
    </div> </div>

    6.3. Domain services

    </div> </div>

    6.3.1. OpenLDAP

    </div> </div>
    • The diversion of the msgpo.schema file introduced as a fix for Bug 38488 has been removed again (Bug 38566).
    • The description for the UCR variable ldap/server/addition has been improved (Bug 38094).
    • The UCR variable ldap/server/addition is used to configure additional LDAP servers in case the primary LDAP server is unavailable. The setting can be configured through a UMC policy 'LDAP server'. Previously the so configured value was written into the NORMAL layer of the Univention Configuration Registry, which overwrote any setting configured by the user. The value is now written into the LDAP layer, which has a higher priority than the NORMAL layer and thus overrules any local configuration, but preserves the user configured setting. The value can still be overwritten locally by using the FORCED layer of UCR, e.g. ucr set --force ldap/server/addition=.... Setting the UCR variable through a UMC policy 'Univention Configuration Registry' is not recommended and will clash with the 'LDAP server' policy (Bug 38094).
    • Adds UCR variables ldap/tls/ciphersuite and ldap/tls/minprotocol to configure the allowed ciphers and the minimum requires TLS version. By default 'RC4', 'NULL' and 'SSLv3' are now disabled (Bug 38685).
    • Enables Forward Secrecy by default, which can be configured further through several new UCR variables starting with ldap/tls/dh/... (Bug 38685).

    6.3.1.1. LDAP schema changes

    </div> </div>
    • The attribute ldapFilter has been added to the schema for univentionPolicy objects (Bug 36255).
    </div>

    6.3.1.2. Listener/Notifier domain replication

    </div> </div>
    • LDAP entries using non-ASCII-characters in their DN are now handled more correctly in case of case differences (Bug 35334).
    • A confusing error message was removed (Bug 32819).
    • The Listener is now restarted asynchronously when the network interfaces are reconfigured (Bug 36532).
    • The Notifier is now restarted asynchronously when the network interfaces are reconfigured (Bug 36532).
    </div>

    6.3.1.3. DNS server

    </div> </div>
    • The configuration files and scripts have been optimized to allow a faster restart when the network interfaces are re-configured (Bug 36532).
    </div> </div> </div>

    6.4. Univention Management Console

    </div> </div>

    6.4.1. Univention Management Console web interface

    </div> </div>
    • The "clear input" and "view password" icons are now displayed correctly in the login dialogue with Internet Explorer 10 and above (Bug 38127).
    • It is now possible to create a core dump of the UMC web-server (Bug 37280).
    • A check for free disk space is now only done once per file upload request (Bug 38335).
    • The place holders in the login dialogue are now displayed correctly in Internet Explorer 9 (Bug 38127).
    • Scrolling in the App Center on mobile devices is now more responsive (Bug 38050).
    • A missing pre dependency to python-univention-management-console has been added (Bug 38617).
    • The query string parameters are now passed to automatically started UMC modules (Bug 38544).
    • The handling of the UMC overview page on mobile devices has been improved (Bug 38658).
    • A race condition in the UMC webserver has been fixed which could lead to failing starts of the UMC webserver (Bug 37844).
    • The PID file is no longer created world-writable (Bug 38825).
    • Behaviour and appearance of tooltips has been changed. Tooltips will no longer automatically pop up and need to be opened manually by clicking the tooltip icon (Bug 36771).
    • The module header in UMC modules now sticks smoothly to the top when scrolling down (Bug 38491).
    • The browser next/back buttons have been integrated into UMC in order to simplify its navigation (Bug 20714).
    • The styling of hovered entries on the UMC overview page has been adapted for mobile devices (Bug 38658).
    • New icons for tooltips have been added and the style for tooltips has been adapted (Bug 36771).
    • Added a transition when a UMC module header reaches the top of the screen (Bug 38491).
    • The size of the UMC installer header was too big. This issue has been fixed (Bug 39105).
    • The UMC user wizard was not always terminated after creating a user. This issue has been fixed (Bug 39109).
    </div>

    6.4.2. Univention Management Console server

    </div> </div>
    • The UMC server does not crash anymore during request processing (Bug 37366).
    • Errors due to a not running LDAP server are now handled by the UMC server process (Bug 36794).
    • It is now possible to create a core dump of the UMC server and UMC module processes (Bug 37280).
    • The username is not treated case sensitive anymore when changing an expired password in the UMC login (Bug 38826).
    • Code for error handling has been moved into the UMC core server (Bug 36794).
    • A parameter to open a specific object immediately on opening a module has been added (Bug 38544).
    • If multiple policies of the same type are referenced UMC prevents removing policy references when saving the object (Bug 36256).
    </div>

    6.4.3. Univention App Center

    </div> </div>
    • If the initialization of the App Center module fails, an error message is shown (Bug 33627).
    • Display error message if contacting the LDAP server fails (Bug 36794).
    • The error messages when contacting the App Center server or the UCS activation fails have been improved (Bug 35678).
    • Errors when opening APT Packages files are now handled (Bug 38112).
    • Errors when the system has too few free disk space are now handled (Bug 38129).
    • Error messages which are raised from the package manager are now displayed instead of displaying a traceback (Bug 37230).
    • The wording for app maintainer has been adjusted to app provider (Bug 37591).
    • The startup performance of the App Center has been improved (Bug 38345).
    • Fixed an exception in error handling (Bug 38926).
    • The display of buttons for installing, updating etc. have been improved (Bug 39042).
    • Added functionality for univention-upgrade to upgrade apps (Bug 38697).
    • Ini files may now specify how the app is to be included in the app reporting tool (Bug 38954).
    </div>

    6.4.4. Univention Directory Manager UMC modules and command line interface

    </div> </div>
    • Attributes of the UCR policy are now sorted (Bug 32146).
    • Broken UDM handler modules are ignored when updating module list (Bug 38297).
    • An exception when handling LDAP exceptions is prevented now (Bug 38616).
    • The attribute ldapFilter has been added to policy UDM modules (Bug 36255).
    • The UDM module policies/mailquota has been moved to the package univention-mail-cyrus. From now on the module will only be available if the UCS domain contains an UCS system with installed Cyrus mail stack (Bug 38473).
    • A default user template for new users can be configured by the UCR variable directory/manager/web/modules/users/user/add/default. The variable expects the DN or the label of a user template (Bug 38832).
    • The evaluation of requiredObjectClass, prohibitedObjectClasses, fixedAttributes and emptyAttributes is now case insensitive (Bug 38663).
    </div>

    6.4.5. Basic settings / Appliance mode

    </div> </div>
    • Extended the list of default language settings to include Switzerland, Austria and the United Kingdom (Bug 38512).
    • Show server address in Univention System Setup welcome screen in EC2 and other cloud environments (Bug 38391).
    • Uppercase hostnames and hostnames beginning with a digit are now possible (Bug 37816)
    • The package univention-welcome-screen has been added. It shows an informative screen which indicates how the system can be accessed via a web browser (Bug 37537).
    • Fixed an error which could occur while installing UCS with non-default locales via the text based installer, resulting in an unconfigured system (Bug 38382).
    • Changed the wording in the Univention System Setup to suit Univention App Appliances (Bug 38780 Bug 38781)
    • The new package univention-system-activation has been released. It registers a web service to enforce the upload of an activated license key prior to accessing the management web interface (Bug 38547 Bug 38782 Bug 38850).
    • Proxy settings were accidentally removed when changing network settings (Bug 38593).
    • The network mask is not overwritten in the initial UCS configuration anymore if if was set manually (Bug 38593).
    • A typo in the German translation has been corrected (Bug 38215).
    • If accessible, the name server specified via DHCP is pre-configured on the network settings page (Bug 38330).
    • The links on the last page of the setup wizard have been adjusted (Bug 38850).
    • A non authoritative DNS answer is now correctly handled during validation of settings (Bug 38522).
    • A information is shown during domain setup that the process might take a while (Bug 38833).
    • The NetBIOS domain name of the Active Directory domain is used when the UCS system joins into an Active Directory domain (Bug 37460).
    • The DHCP configuration of a system led to problems with the browser redirection at the end of the setup wizard. This has been corrected (Bug 39048)
    • The network settings module can now also be executed on unjoined systems (Bug 39044).
    • The wording on the activation page has been improved (Bug 39019).
    • The loading animation is now visible in Firefox (Bug 38918).
    </div>

    6.4.6. Users module

    </div> </div>
    • The default user template for new users can be configured via the UCR variable directory/manager/web/modules/users/user/add/default. The variable expects the DN or the label of a user template (Bug 38832).
    • The "contact" tab of the users module has a "country" entry now (Bug 18512).
    </div>

    6.4.7. Computers module

    </div> </div>
    • Renaming of Domaincontroller or Memberserver computers is prevented now (Bug 38364).
    </div>

    6.4.8. License module

    </div> </div>
    • Errors while requesting a new license are now handled (Bug 35614).
    • If too many user accounts for the license have been created, the UMC now provides information about how to re-enable editing (Bug 38836).
    • User accounts can now be disabled if the license count is exceeded (Bug 38835).
    </div>

    6.4.9. Shares module

    </div> </div>
    • The Shares module has been moved into the "Domain" category (Bug 38202).
    </div> </div>

    6.5. Software deployment

    </div> </div>

    6.5.1. Software deployment command line tools

    </div> </div>
    • The update scripts have been adjusted to UCS 4.0-3 (Bug 38961).
    </div> </div>

    6.6. Univention base libraries

    </div> </div>
    • Two new internal functions for UCS license checks have been added to the package univention-lib (Bug 38951).
    • If the initialization of the package manager failed it is retried (Bug 38951).
    • Held packages can't cause a traceback anymore (Bug 38951).
    • Error messages when opening APT Packages files have improved (Bug 38951).
    • Error messages when the system has too few free disk space have improved (Bug 38951).
    • The Python implementation of univention-policy-result did not evaluate the attributes requiredObjectClass and prohibitedObjectClasses. This has been fixed (Bug 38663).
    • The Python implementation of univention-policy-result did not return the most specific policy in all cases. This has been fixed (Bug 38712).
    </div>

    6.7. System services

    </div> </div>

    6.7.1. Mail services

    </div> </div>
    • This update provides the new package univention-mail-dovecot which integrates the IMAP/POP3 server dovecot into the UCS mail stack (Bug 34839 Bug 38884).
    • dovecot has been updated to version 2.2.13. The update provides several bugfixes and enhancements (Bug 34839 Bug 38475).
    • The UCR variable mail/cyrus/auth/allowplaintext to (dis)allow plain text passwords over non-TLS connections has been added. The variable defaults to no. This changes the previous default behaviour! Plain text authentication over unencrypted connections is now disabled by default. To revert to the old behaviour set mail/cyrus/auth/allowplaintext=yes resp. mail/dovecot/auth/allowplaintext=yes (Bug 38500).
    • The UDM module policies/mailquota has been moved to the package univention-mail-cyrus. The UDM module will only be available if the UCS mail stack with Cyrus is installed (Bug 38473 Bug 39004).
    • Postfix will no longer resolve address mappings (e.g. BCC) before handing them over to AMaViS for content scanning if an archive folder has been defined (Bug 14619 Bug 38884).
    • To configure the max. number of concurrent AMaViS processes, a new UCR variable has been introduced: mail/antivir/max_servers. When unset, the current default 2 is used (Bug 37653).
    • Add options to check IP FQDN mapping as a means to fight spam. Adds two new UCR variables: mail/postfix/smtpd/restrictions/sender/reject_unknown_client_hostname and mail/postfix/smtpd/restrictions/sender/reject_unknown_reverse_client_hostname for weaker and stricter reverse DNS checking respectively (Bug 38292).
    • The package sieve-connect has been updated to version 0.87-1 and provides several bugfixes and new security features (Bug 34839).
    </div>

    6.7.2. Printing services

    </div> </div>
    • The old printer model list is no longer deleted during the join (Bug 38117).
    </div>

    6.7.3. Nagios

    </div> </div>
    • The check_univention_ldap plugin has been modified to use the FQDN of the LDAP server (Bug 27043).
    </div>

    6.7.4. DHCP server

    </div> </div>
    • A broken configuration was generated for named DHCP host entries. This issue has been fixed (Bug 38675).
    • The DHCP policies are now linked directly to the first created DHCP subnet instead of the LDAP base (Bug 38584).
    • The default DHCP policies are only used for the first created DHCP subnet (Bug 37614)
    • The default routing policy is only updated for the first created DHCP subnet (Bug 38822).
    </div>

    6.7.5. Apache

    </div> </div>
    • The Univention Configuration Registry variable apache2/force_https can be used to force using encryption by re-directing to HTTPS (Bug 38016).
    </div>

    6.7.6. Kerberos server

    </div> </div>
    • Huawei Unified Storage System S5500 V3 failed to join Samba AD domains. The Heimdal Kerberos server has been improved to allow the join (Bug 38827).
    </div> </div>

    6.8. Virtualization

    </div> </div>

    6.8.1. Univention Virtual Machine Manager (UVMM)

    </div> </div>
    • The VirtIO drivers for Windows have been updated to version 0.1.105 to fix a problem with broken driver signatures in Windows 2012 server (Bug 38655).
    </div> </div>

    6.9. Services for Windows

    </div> </div>

    6.9.1. Samba

    </div> </div>
    • Samba has been upgraded to version 4.2.3 (Bug 37939).
    • The list of groups in the Kerberos PAC_LOGON_INFO now also contains the RID of primary group, this fixes GPO security filtering for primary group membership (Bug 37101).
    • Huawei Unified Storage System S5500 V3 failed to join Samba AD domains (Bug 38827).
    • A coding error in the Samba implementation of the BACKUPKEY serverwrap protocol may cause problems with retrieving saved passwords on Windows clients (DPAPI). This issue has been fixed (Bug 39025).
    • This update adds support for the default profile directory paths of Windows 8, 8.1 and 10. For new users they will now be created automatically on first logon (Bug 38643).
    • The ldb library and tools have been upgraded to version 1.1.20 (Bug 37939).
    • The talloc library has been upgraded to version 2.1.2 (Bug 37939).
    • The tdb library and tools have been upgraded to version 1.3.6 (Bug 37939).
    • The tevent library has been upgraded to version 0.9.25 (Bug 37939).
    • The package univention-ldb-modules has been rebuilt to match the new Samba version 4.2.3 (Bug 37939).
    </div>

    6.9.2. Univention S4 Connector

    </div> </div>
    • The user synchronization failed if the username contains special characters like an apostrophe. This issue has been fixed (Bug 38614).
    • The Samba 4/Active Directory lockout attributes are now reset while synchronizing the password from UCS to Samba 4 (Bug 38557).
    • Some GPO and WMI attributes have not been treated as single-value. This issue has been fixed (Bug 37259).
    • Some scripts have been optimized to allow a faster restart when the network interfaces are re-configured (Bug 36532).
    • The synchronization of objects with umlauts has been improved, for example for nested groups (Bug 38645).
    • A bug concerning renaming computer objects has been fixed (Bug 37709).
    • Ignore unknown Samba4 DNS objects instead of creating a dns/host_record (Bug 39077).
    </div>

    6.9.3. Univention Active Directory Connection

    </div> </div>
    • A bug in the network device detection has been fixed (Bug 39069).
    • Fix time synchronization to German UCS (Bug 38729).
    • Wrong links that lead to an old manual have been adjusted (Bug 38147).
    </div> </div>

    6.10. Other changes

    </div> </div>
    • The following packages have been added to the maintained package repository (Bug 37972, Bug 38628):

      • altermime
      • libboost-thread1.49.0
      • libjansson4
      • php-mdb2-driver-mysql
      • php-net-ldap2
      • php-net-url2
      • ripole
      • smarty3
      • nodejs
      • npm
      • libv8-3.14.5
      </li>
    • The time zone database was updated to include information about the scheduled leap second at the end of June 2015 (Bug 38717).
    • The package clucene-core has been updated to version 2.3.3.4 (Bug 34839).
    • </ul> </div>