HT202538: OS X Server: Upgrade and migration from Lion Server or Snow Leopard Server

Santala

Q: 10.6 to 10.9.1 server migration fail

I'm attempting to migrate a 10.6 server to a new Mac Mini with 10.9.1.

 

The problem is, Migration Assistant clearly doesn't even want to transfer everything. For example, based on the size of files to be transferred it's obvious that IMAP folders will not be transferred. Also, I let the Migration finish once and after that OpenDirectory wouldn't start - or even let me import a 10.6 backup.

 

I know this is a bit vague, but what can I say. For the IMAP, the files are in /var/spool/...

Posted on Feb 22, 2014 12:00 PM


  • by Santala,

    Santala Feb 22, 2014 12:08 PM in response to Santala
    Level 1 (0 points)

    Here's a screenshot of Migration Assistant with >80GB of emails nowhere to be seen:

    http://santala.iki.fi/ma.jpg

  • by UptimeJeff,

    UptimeJeff Feb 22, 2014 1:34 PM in response to Santala
    Level 4 (3,477 points)

    First.. I wouldn't recommend a 10.6 to 10.9 migration, but putting that aside..

     

    Do your migration without migrating IMAP.

    Simply rename the mailstore folder or mv all the GUID folders from the mailstore.

     

    If your migration works, users can authenticate, you can administer network users (change their pw, add a user) and all your other services migrated successfully.. then you'll find re-using your 10.6 mailstore is quite simple.. Check your mail settings and sudo chown -R _dovecot:mail /path/to/your/mailstore

     

    The migration assistant is not necessary for your mailstore. The format of the mailstore is identical, only the permission structure changed.

     

    ### Still though

    I'd recommend a clean install and move your service data manually.

     

    Jeff

  • by Santala,

    Santala Feb 22, 2014 9:49 PM in response to UptimeJeff
    Level 1 (0 points)

    The thing is, upgrading from 10.6 is supposed to be completely supported.

     

    What's most troubling is that importing the OpenDirectory contents into 10.9.1 Server which I exported from 10.6 doesn't work. Even if I could transfer mail afterwards, I'd still really like to be able to copy my users' accounts.

  • by Santala,

    Santala Feb 22, 2014 10:15 PM in response to Santala
    Level 1 (0 points)

    Importing a backup from 10.6 simply quits when it's done, without errors and turns OpenDirectory back to Off. If you try to turn it back On again, it again gives you the three choices, new, join or import.

  • by UptimeJeff,

    UptimeJeff Feb 23, 2014 10:01 AM in response to Santala
    Level 4 (3,477 points)

    It's possible to migrate OD.. there are typically many hurdles, but it can be done.

    If PWs must be retained, I generally do separate offline migration of open directory to 10.9 solely, then once it's working in 10.9.1 (you can admin users), archive OD and do a clean install, restore OD and migrate service data as needed.

     

    Best bet is to export the users/groups (not archive OD) then import them into 10.9

    You'll lose passwords, but it does work. Reset PWs yourself or let staff do it with the /changepassword page of the webserver.

     

    If you have to retain PWs, then clear a lot of time off your schedule - and adjust your expectations

     

    I assume you are doing all the testing from a clone so the online server isn't interrupted...

     

    Jeff

  • by Santala,

    Santala Feb 23, 2014 10:19 AM in response to UptimeJeff
    Level 1 (0 points)

    It's just that OD was broken after 10.6 -> 10.9.1 migration as well. Last time I tried to upgrade from 10.6, it did nothing. Just went back to being 10.6.

     

    I wonder, could I add 10.9 as a replica of 10.6 OD and promote to master?

     

    At what point did OD export/import break? Between 10.6 and 10.7, 10.7 and 10.8 or 10.8 and 10.9? Or has it ever worked between major versions?

  • by UptimeJeff,

    UptimeJeff Feb 23, 2014 5:51 PM in response to Santala
    Level 4 (3,477 points)

    10.9 can't replicate 10.6

     

    We're on a different topic now... original post was about mail migration.

     

    There are many challenges in migrating OD from 10.6 to 10.9.

    They've mostly been covered here.

     

    You aren't alone.

    Try your migration. If it doesn't work, search for clues here in the forums.

    Join a thread on the same topic or start a new thread with your specific issues.

     

    If you can leave passwords behind, I strongly recommend you skip migrating OD and save yourself a lot of hassle/time. If you must retain passwords, you may want to hire a consultant who's been down this road before.

     

     

    Jeff

  • by Santala,

    Santala Feb 23, 2014 8:37 PM in response to UptimeJeff
    Level 1 (0 points)

    Yes, I noticed already that the replication won't work. The original topic was 10.6 to 10.9.1 migration, although the first and most obvious problem was mail not being transferred. I did try to migrate. Anyhow, it now seems that it doesn't work at all and doesn't really transfer anything. What's weird is that the document referred to in the subject gives you the impression that everything should go just fine.

  • by Santala,

    Santala Feb 24, 2014 12:15 PM in response to Santala
    Level 1 (0 points)

    I was able to import user accounts exported from 10.6 using the XML and dsimport:

     

    dsimport export-filename /LDAPv3/127.0.0.1 I --username diradmin

     

    Passwords were of course lost and need to be reset. Also access to services must be granted.

     

    Also it seems that I am able to copy emails with rsync:

     

    oldserver# rsync -avP /var/spool/imap/dovecot/mail/982D24C7-2533-4B72-A037-98DCA4A4CD39 root@newserver:/Library/Server/Mail/Data/mail/

     

    The copied mail folder needs to be chowned, but after that everyone is happy and emails work ok:

     

    chown -R _dovecot:mail /Library/Server/Mail/Data/mail/982D24C7-2533-4B72-A037-98DCA4A4CD39
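
A check to run on the new server after the rsync and chown steps in the post above (an added example, not part of the original posts): it counts mailstore entries whose owner or group is not `_dovecot:mail`. The function names are hypothetical; the default path and owner are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: verify ownership of a migrated Dovecot mailstore.
# rsync -a run as root keeps the owner and group recorded on the source,
# so a skipped or interrupted chown leaves entries with the old ownership.
# Defaults below are the values quoted in the thread; override via environment.
MAILSTORE="${MAILSTORE:-/Library/Server/Mail/Data/mail}"
OWNER="${OWNER:-_dovecot}"
GROUP="${GROUP:-mail}"

# Print every entry under $1 whose owner is not $2 or whose group is not $3.
# find accepts numeric IDs as well as names for -user and -group.
list_wrong_owner() {
    find "$1" \( ! -user "$2" -o ! -group "$3" \) -print
}

# Count the same entries. One '.' is emitted per path and the bytes are
# counted, so unusual characters in file names cannot skew the result.
count_wrong_owner() {
    find "$1" \( ! -user "$2" -o ! -group "$3" \) \
        -exec printf '.%.0s' {} + | wc -c | tr -d ' '
}

# Report on one mailstore; returns 0 only when nothing is mis-owned.
check_mailstore() {
    n=$(count_wrong_owner "$1" "$2" "$3")
    if [ "$n" -eq 0 ]; then
        echo "OK: every entry under $1 is owned by $2:$3"
        return 0
    fi
    echo "MISMATCH: $n entries under $1 are not owned by $2:$3; first few:"
    list_wrong_owner "$1" "$2" "$3" | head -n 5
    return 1
}

# Run against the default mailstore only when it exists on this machine.
if [ -d "$MAILSTORE" ]; then
    check_mailstore "$MAILSTORE" "$OWNER" "$GROUP" ||
        echo "Fix with: chown -R $OWNER:$GROUP <the copied GUID folder>"
fi
```

Run it as root so that find can descend into every mail folder.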

  • by TheObstacle,

    TheObstacle Feb 24, 2014 8:25 PM in response to UptimeJeff
    Level 1 (0 points)

    UptimeJeff: can you give any details on what one has to do to migrate passwords successfully?  I've tried several different things so far without any luck.  I can get accounts, groups, etc. to come through after exporting from Workgroup Manager and importing when creating the OpenDirectory master in Server.app, but authentication on the migrated accounts always fails afterwards.

     

    I've got time and spare machines, and not having to reset all my users' passwords would be a huge win for me.  Any hints would be much appreciated.

     

    Thanks,

    -- monroe

  • by UptimeJeff,

    UptimeJeff Feb 25, 2014 6:12 AM in response to UptimeJeff
    Level 4 (3,477 points)

    Not possible to provide all the steps.. There are too many possibilities both with the source and target machine...

    Following Apple's steps is critical

    http://support.apple.com/kb/HT5381?viewlocale=en_US&locale=en_US

    http://support.apple.com/kb/HT5300

     

    At the end, if you end up with your users listed, but you can't administer them (can't reset a pw, add a network user, etc).. Here are a couple fixes that may work, but there are MANY more possibilities.. maybe you'll get lucky with one of these:

     

    As mentioned in

    http://support.apple.com/kb/HT5381?viewlocale=en_US&locale=en_US

    Quit Server app and issue

    sudo touch /var/db/openldap/migration/.rekerberize

    sudo killall PasswordService

    Then relaunch Server app.

     

    If you still can't admin users, then you may need to update auth methods (this has solved it for me in several cases)

     

    sudo /usr/libexec/PlistBuddy -c "add ':module options:ldap:Denied SASL Methods:' string CRAM-MD5" /Library/Preferences/OpenDirectory/Configurations/LDAPv3/yourldapserver.plist
    sudo /usr/libexec/PlistBuddy -c "add ':module options:ldap:Denied SASL Methods:' string NTLM" /Library/Preferences/OpenDirectory/Configurations/LDAPv3/yourldapserver.plist
    sudo /usr/libexec/PlistBuddy -c "add ':module options:ldap:Denied SASL Methods:' string GSSAPI" /Library/Preferences/OpenDirectory/Configurations/LDAPv3/yourldapserver.plist
    

     

    Restart the server

     

     

     

    These are just a couple possibilities.

    If that doesn't help, you need to see where you are after the upgrade. Search logs for errors/clues.

    Look at the migration log, you should see if it gets stuck anywhere.

    Google errors/clues.

     

    Good luck

  • by TheObstacle,

    TheObstacle Feb 25, 2014 12:56 PM in response to UptimeJeff
    Level 1 (0 points)

    Thanks for the pointers!  I've been following Apple's instructions from your first two links, and I've tried the rekerberize thing a couple of times.

     

    I just tried creating the OpenDirectory master from my archive again, and during creation I see a line like this in the logs for each user (with GUIDs matching an identifier in each user's AuthenticationAuthority):

     

    mkpassdb[43611] <Error>: -[AuthDBFile getPasswordRec:putItHere:unObfuscate:]: no entries found for 4ab053f0-6b8b-4567-0000-000200000002

     

    It looks like it's failing to extract the passwords from the OpenDirectory archive, which I'm guessing is probably at least part of the issue.

     

    After the import, I see errors like this whenever I try to authenticate an imported user:

     

    opendirectoryd[43287] <Notice>: GSSAPI Error:  Miscellaneous failure (see text (Server (ldap/host.domain.com@REALM.DOMAIN.COM) unknown while looking up 'ldap/host.domain.com@REALM.DOMAIN.COM' (cached result, timeout in 1200 sec))

     

    I've also tried turning off kerberos on the original OD master before creating the archive, and in that case I see roughly the same behavior, but in that case the error is looking up 'ldap/host.domain.com@HOST.DOMAIN.COM' instead (presumably because it didn't drag over the old Kerberos realm but instead created a fresh one).

     

    Also, when I restore the archive created with kerberos enabled and try the .rekerberize thing, my PasswordService process crashes repeatedly (the logs show launchd repeatedly trying to start it and throttling respawn) until I remove the .rekerberize file.  The PasswordServer error log shows this for each crash:

     

    Requested SASL mechanism not loaded: SMB-LAN-MANAGER

  • by TheObstacle,

    TheObstacle Oct 23, 2014 5:03 PM in response to TheObstacle
    Level 1 (0 points)

    Update: I never did get this to work with 10.9.x, but I just tried again with a clean 10.10.0 install (using Migration Assistant manually after installing the new Server app), and it successfully imported my Open Directory users, complete with passwords!  I don't know if this is something that was specifically fixed in Yosemite, or if it was just a matter of the planets aligning when I tried it this time, but either way I'm delighted to be past this problem.

     

    There was one thing that didn't import properly: I have a number of user accounts that were "disabled" before the migration, but after the import all accounts were showing as enabled (i.e. "Allow user to log in" was checked for everyone), so I had to manually go through and disable the right ones manually.  Somewhat tedious, but much better than making ~200 users all reset their passwords, so I'll take it.