HT202538: OS X Server: Upgrade and migration from Lion Server or Snow Leopard Server
-
Feb 22, 2014 12:08 PM in response to Santala by Santala
Here's a screenshot of Migration Assistant with >80GB of emails nowhere to be seen:
-
Feb 22, 2014 1:34 PM in response to Santala by UptimeJeff
First.. I wouldn't recommend a 10.6 to 10.9 migration, but putting that aside..
Do your migration without migrating IMAP.
Simply rename the mailstore folder or mv all the GUID folders from the mailstore.
If your migration works, users can authenticate, you can administer network users (change their pw, add a user) and all your other services migrated successfully.. then you'll find re-using your 10.6 mailstore is quite simple.. Check your mail settings and sudo chown -R _dovecot:mail /path/to/your/mailstore
The migration assistant is not necessary for your mailstore. The format of the mailstore is identical, only the permission structure changed.
### Still though
I'd recommend a clean install and move your service data manually.
Jeff
-
Feb 22, 2014 9:49 PM in response to UptimeJeff by Santala
The thing is, upgrading from 10.6 is supposed to be completely supported.
What's most troubling is that importing the OpenDirectory contents into 10.9.1 Server which I exported from 10.6 doesn't work. Even if I could transfer mail afterwards, I'd still really like to be able to copy my users' accounts.
-
Feb 22, 2014 10:15 PM in response to Santala by Santala
Importing a backup from 10.6 simply quits when it's done, without errors and turns OpenDirectory back to Off. If you try to turn it back On again, it again gives you the three choices, new, join or import.
-
Feb 23, 2014 10:01 AM in response to Santala by UptimeJeff
It's possible to migrate OD.. there are typically many hurdles, but it can be done.
If PWs must be retained, I generally do separate offline migration of open directory to 10.9 solely, then once it's working in 10.9.1 (you can admin users), archive OD and do a clean install, restore OD and migrate service data as needed.
Best bet is to export the users/groups (not archive OD) then import them into 10.9
You'll lose passwords, but it does work. Reset PWs yourself or let staff do it with the /changepassword page of the webserver.
If you have to retain PWs, then clear a lot of time off your schedule - and adjust your expectations
I assume you are doing all the testing from a clone so the online server isn't interrupted...
Jeff
-
Feb 23, 2014 10:19 AM in response to UptimeJeff by Santala
It's just that OD was broken after 10.6 -> 10.9.1 migration as well. Last time I tried to upgrade from 10.6, it did nothing. Just went back to being 10.6.
I wonder, could I add 10.9 as a replica of 10.6 OD and promote to master?
At what point did OD export/import break? Between 10.6 and 10.7, 10.7 and 10.8 or 10.8 and 10.9? Or has it ever worked between major versions?
-
Feb 23, 2014 5:51 PM in response to Santala by UptimeJeff
10.9 can't replicate 10.6
We're on a different topic now... original post was about mail migration.
There are many challenges in migrating OD from 10.6 to 10.9.
They've mostly been covered here.
You aren't alone.
Try your migration. If it doesn't work, search for clues here in the forums.
Join a thread on the same topic or start a new thread with your specific issues.
If you can leave passwords behind, I strongly recommend you skip migrating OD and save yourself a lot of hassle/time. If you must retain passwords, you may want to hire a consultant who's been down this road before.
Jeff
-
Feb 23, 2014 8:37 PM in response to UptimeJeff by Santala
Yes, I noticed already that the replication won't work. The original topic was 10.6 to 10.9.1 migration, although the first and most obvious problem was mail not being transferred. I did try to migrate. Anyhow, it now seems that it doesn't work at all and doesn't really transfer anything. What's weird is that the document referred to in the subject gives you the impression that everything should go just fine.
-
Feb 24, 2014 12:15 PM in response to Santala by Santala
I was able to import user accounts exported from 10.6 using the XML and dsimport:
dsimport export-filename /LDAPv3/127.0.0.1 I --username diradmin
Passwords were of course lost and need to be reset. Also access to services must be granted.
Also it seems that I am able to copy emails with rsync:
oldserver# rsync -avP /var/spool/imap/dovecot/mail/982D24C7-2533-4B72-A037-98DCA4A4CD39 root@newserver:/Library/Server/Mail/Data/mail/
The copied mail folder needs to be chowned, but after that everyone is happy and emails work ok:
chown -R _dovecot:mail /Library/Server/Mail/Data/mail/982D24C7-2533-4B72-A037-98DCA4A4CD39
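Added example, not part of any post in this thread: a shell check to run on the new server after mailboxes have been copied with rsync as described above, listing each mailbox folder that still contains entries not owned by `_dovecot:mail`. The function names are hypothetical; the default path, owner and group are the ones quoted in the posts.

```shell
#!/bin/sh
# Added example: ownership audit for a mailstore copied from an older server.
# Function names are hypothetical; defaults are the values quoted in the thread.

# Print "<count> <mailbox-dir>" for every top-level folder under the
# mailstore that still contains entries not owned by owner:group.
# (Counts are per line of find output, so names containing newlines
# would be over-counted.)
mailstore_misowned() {
    root=$1
    owner=$2
    group=$3
    for box in "$root"/*/; do
        [ -d "$box" ] || continue
        n=$(find "$box" \( ! -user "$owner" -o ! -group "$group" \) -print |
            wc -l | tr -d ' ')
        if [ "$n" -gt 0 ]; then
            printf '%s %s\n' "$n" "${box%/}"
        fi
    done
    return 0
}

# Return 0 when every mailbox folder is fully owned by owner:group;
# otherwise print the per-mailbox report and return 1.
audit_mailstore() {
    root=${1:-/Library/Server/Mail/Data/mail}
    owner=${2:-_dovecot}
    group=${3:-mail}
    report=$(mailstore_misowned "$root" "$owner" "$group")
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}

# Usage (as root on the new server, after sourcing this file):
#   audit_mailstore
#   audit_mailstore /path/to/your/mailstore _dovecot mail
```

Each reported folder is one that still needs the `chown -R` shown in the post; an empty report means every copied mailbox already has the expected owner and group.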
-
Feb 24, 2014 8:25 PM in response to UptimeJeff by TheObstacle
UptimeJeff: can you give any details on what one has to do to migrate passwords successfully? I've tried several different things so far without any luck. I can get accounts, groups, etc. to come through after exporting from Workgroup Manager and importing when creating the OpenDirectory master in Server.app, but authentication on the migrated accounts always fails afterwards.
I've got time and spare machines, and not having to reset all my users' passwords would be a huge win for me. Any hints would be much appreciated.
Thanks,
-- monroe
-
Feb 25, 2014 6:12 AM in response to UptimeJeff by UptimeJeff
Not possible to provide all the steps.. There are too many possibilities both with the source and target machine...
Following Apple's steps is critical:
http://support.apple.com/kb/HT5381?viewlocale=en_US&locale=en_US
http://support.apple.com/kb/HT5300
At the end, if you end up with your users listed, but you can't administer them (can't reset a pw, add a network user, etc).. Here are a couple fixes that may work, but there are MANY more possibilities.. maybe you'll get lucky with one of these:
As mentioned in
http://support.apple.com/kb/HT5381?viewlocale=en_US&locale=en_US
Quit Server app and issue
sudo touch /var/db/openldap/migration/.rekerberize
sudo killall PasswordService
Then relaunch Server app.
If you still can't admin users, then you may need to update auth methods (this has solved it for me in several cases)
sudo /usr/libexec/PlistBuddy -c "add ':module options:ldap:Denied SASL Methods:' string CRAM-MD5" /Library/Preferences/OpenDirectory/Configurations/LDAPv3/yourldapserver.plist
sudo /usr/libexec/PlistBuddy -c "add ':module options:ldap:Denied SASL Methods:' string NTLM" /Library/Preferences/OpenDirectory/Configurations/LDAPv3/yourldapserver.plist
sudo /usr/libexec/PlistBuddy -c "add ':module options:ldap:Denied SASL Methods:' string GSSAPI" /Library/Preferences/OpenDirectory/Configurations/LDAPv3/yourldapserver.plist
Restart the server
These are just a couple possibilities.
If that doesn't help, you need to see where you are after the upgrade. Search logs for errors/clues.
Look at the migration log, you should see if it gets stuck anywhere.
Google errors/clues.
Good luck
-
Feb 25, 2014 12:56 PM in response to UptimeJeff by TheObstacle
Thanks for the pointers! I've been following Apple's instructions from your first two links, and I've tried the rekerberize thing a couple of times.
I just tried creating the OpenDirectory master from my archive again, and during creation I see a line like this in the logs for each user (with GUIDs matching an identifier in each user's AuthenticationAuthority):
mkpassdb[43611] <Error>: -[AuthDBFile getPasswordRec:putItHere:unObfuscate:]: no entries found for 4ab053f0-6b8b-4567-0000-000200000002
It looks like it's failing to extract the passwords from the OpenDirectory archive, which I'm guessing is probably at least part of the issue.
After the import, I see errors like this whenever I try to authenticate an imported user:
opendirectoryd[43287] <Notice>: GSSAPI Error: Miscellaneous failure (see text (Server (ldap/host.domain.com@REALM.DOMAIN.COM) unknown while looking up 'ldap/host.domain.com@REALM.DOMAIN.COM' (cached result, timeout in 1200 sec))
I've also tried turning off kerberos on the original OD master before creating the archive, and in that case I see roughly the same behavior, but in that case the error is looking up 'ldap/host.domain.com@HOST.DOMAIN.COM' instead (presumably because it didn't drag over the old Kerberos realm but instead created a fresh one).
Also, when I restore the archive created with kerberos enabled and try the .rekerberize thing, my PasswordService process crashes repeatedly (the logs show launchd repeatedly trying to start it and throttling respawn) until I remove the .rekerberize file. The PasswordServer error log shows this for each crash:
Requested SASL mechanism not loaded: SMB-LAN-MANAGER
-
Oct 23, 2014 5:03 PM in response to TheObstacle by TheObstacle
Update: I never did get this to work with 10.9.x, but I just tried again with a clean 10.10.0 install (using Migration Assistant manually after installing the new Server app), and it successfully imported my Open Directory users, complete with passwords! I don't know if this is something that was specifically fixed in Yosemite, or if it was just a matter of the planets aligning when I tried it this time, but either way I'm delighted to be past this problem.
There was one thing that didn't import properly: I have a number of user accounts that were "disabled" before the migration, but after the import all accounts were showing as enabled (i.e. "Allow user to log in" was checked for everyone), so I had to manually go through and disable the right ones manually. Somewhat tedious, but much better than making ~200 users all reset their passwords, so I'll take it.