buckster

Q: 10.6.8 to Mavericks Server Upgrade loses Open Directory Users

Hi,

I have an OpenDirectory Master running OSX Server 10.6.8. An upgrade to Mavericks 10.9 has just failed.

The server has about 50 OD users and passwords need to be retained across the upgrade. Apart from OD, the only other active service is AFP file sharing.

DNS is good forward and back as per this article: OS X Server: Steps to take before upgrading or migrating the Open Directory database

I followed these Apple guidelines for server migration: OS X Server: Upgrade and migration from Lion Server or Snow Leopard Server.

I cloned the boot drive, booted from the clone, upgraded to Mavericks, then installed the Mavericks Server app.

On opening the Mavericks Server app "Configuring services" showed for 5 minutes, but then an error message appeared. I did not record it exactly, but it was something like, "There was an error configuring the server. Certificate not valid!".

I was able to continue through the error but on opening Server app there were no OD (local/network) users showing. Authentication was not happening.

I had underestimated the time to get the installation done and I had used up the window of downtime I had booked - I did not have much time to troubleshoot. So, I cut back to the original hard drive and the server is back to 10.6.8 again.

Can anyone point me in the right direction to find out what may have gone wrong? How can I get my users into 10.9 Server?

Many thanks,

b.

Posted on Aug 8, 2014 4:58 PM

  • by Linc Davis,

    Linc Davis, Level 10 (207,995 points), Applications, Aug 9, 2014 1:26 PM in response to buckster

    As a last resort, export the users. Upgrade. Import. Passwords will not be preserved.

  • by Grant Bennet-Alder,

    Grant Bennet-Alder, Level 9 (61,073 points), Desktops, Aug 9, 2014 3:05 PM in response to Linc Davis

    Linc Davis' advice is spot-on, as usual.

    There seem to be dozens of sub-databases in the LDAP database. A problem in any of them seems to derail the entire conversion process. I tried a straight conversion and was also disappointed that there were unresolved issues, and it meant that the conversion failed.

    So I did the export route using WorkGroup Manager, and exported four sets:

      • Users
      • Groups
      • Computers
      • Computer groups

    Go to the appropriate pane (e.g., Users) and Select All, then choose Export, and give it a name (probably with an embedded date in case you need to do it again later).

    Then use 10.9 WorkGroup Manager (available as a separate download) to Import.

    When re-imported, everything worked just fine (except the passwords, which cannot be carried forward using this method). I did have to manually enable at least one service, such as File Sharing service in Server [admin], or users showed up as "not allowed" [to log in].

    --------

    This entire process of getting Server 3 to work is fraught with peril, and everything converges on ONE diagnostic, "Network users can't log in". Which means you blew it, but provides no additional information about WHERE you blew it.

    There do not appear to be any magic bullets. It is just a tough slog. Users who reported success after failing the first time reported they returned to fundamental principles and did all the steps over, in order, to attain success.

  • by buckster,

    buckster, Level 4 (2,814 points), Apple Watch, Aug 11, 2014 7:40 AM in response to Linc Davis

    Hmmm.. Thanks for the advice.

     

    I have a lot of dependent services (desktop phones, database servers, 3rd party firewall, etc) and really need to keep these passwords.

     

    I looked through the migration logs and this looks to be the problem line:

     

    Aug  8 18:48:35 od.mycompany.com serveradmin[3840]: -[AccountsRequestHandler(AccountsOpenDirectoryHelpers) openLocalLDAPNodeIfNeeded]: dsLocalLDAP = (null), error = Error Domain=com.apple.OpenDirectory Code=2100 "Connection failed to node '/LDAPv3/127.0.0.1'" UserInfo=0x7fc319701b80 {NSLocalizedDescription=Connection failed to node '/LDAPv3/127.0.0.1', NSLocalizedFailureReason=Connection failed to the directory server.}

     

    Can anyone give me a pointer as to what to look at to fix this?

     

    Thanks,

     

    b.

  • by buckster,

    buckster, Level 4 (2,814 points), Apple Watch, Aug 11, 2014 8:10 AM in response to buckster

    FWIW, Open Directory error code 2100 is kODErrorNodeConnectionFailed.

     

    Could this have been a password thing?

     

    I used the System Admin password when opening Server Admin for the first time, rather than the Directory Admin password. Would using the Directory Admin password make a difference?

     

    b.

  • by Grant Bennet-Alder,

    Grant Bennet-Alder, Level 9 (61,073 points), Desktops, Aug 11, 2014 8:40 AM in response to buckster

    User experience is going to be very thin on this issue.

     

    Your best bet (when you have an idea like this) is simply to try it and see.

  • by Linc Davis,

    Linc Davis, Level 10 (207,995 points), Applications, Aug 11, 2014 10:11 AM in response to buckster

    Quoting buckster's log line: Connection failed to node '/LDAPv3/127.0.0.1'

    That's invalid. It should be the IP address of the interface the server listens on. I suggest you restore everything and start over. Make sure the OD master is set up correctly before you attempt to migrate. I never used 10.6 Server so I can't give you specific instructions. There's another forum here for that.
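An added example, not code from this thread or from Apple: it parses serveradmin log lines of the kind buckster quoted above, pulls out the OpenDirectory error domain, code and node, names code 2100 as kODErrorNodeConnectionFailed (the one code the thread itself identifies), and flags a node that is addressed by a loopback IP literal rather than a host name, which is the detail Linc Davis's reply points at. Only the first sample line is the real one from the thread; the other two lines, the summarize helper and the loopback test are constructed for the example.

```python
"""Parse serveradmin migration-log lines for Open Directory node errors.

Added example, not from the thread. Extracts the NSError domain/code/node
from lines like the one quoted above and flags nodes addressed by a
loopback literal instead of an FQDN.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Only the code named in the thread is mapped; anything else is reported by number.
OD_ERROR_NAMES = {2100: "kODErrorNodeConnectionFailed"}

# syslog-style prefix: "Aug  8 18:48:35 od.mycompany.com serveradmin[3840]: ..."
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<proc>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# Cocoa NSError rendering: Error Domain=<domain> Code=<n> "<description>"
NSERROR_RE = re.compile(
    r'Error Domain=(?P<domain>[\w.]+) Code=(?P<code>-?\d+) "(?P<desc>[^"]*)"'
)
NODE_RE = re.compile(r"node '(?P<node>/[^']+)'")


@dataclass
class ODFailure:
    timestamp: str
    host: str
    process: str
    domain: str
    code: int
    name: str
    node: Optional[str]
    node_is_loopback: bool


def _node_is_loopback(node: Optional[str]) -> bool:
    """True when the node path ends in a loopback IP literal (e.g. /LDAPv3/127.0.0.1)."""
    if node is None:
        return False
    address = node.rsplit("/", 1)[-1]
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:  # not an IP literal, so a host name / FQDN
        return False


def parse_od_failures(log_text: str) -> List[ODFailure]:
    """Return one ODFailure per line carrying a com.apple.OpenDirectory NSError."""
    failures: List[ODFailure] = []
    for line in log_text.splitlines():
        head = SYSLOG_RE.match(line)
        if not head:
            continue
        err = NSERROR_RE.search(head.group("msg"))
        if not err or err.group("domain") != "com.apple.OpenDirectory":
            continue
        code = int(err.group("code"))
        node_match = NODE_RE.search(err.group("desc"))
        node = node_match.group("node") if node_match else None
        failures.append(ODFailure(
            timestamp=head.group("ts"), host=head.group("host"),
            process=head.group("proc"), domain=err.group("domain"), code=code,
            name=OD_ERROR_NAMES.get(code, f"unknown({code})"),
            node=node, node_is_loopback=_node_is_loopback(node)))
    return failures


def summarize(failures: List[ODFailure]) -> List[str]:
    """One human-readable line per failure, with a hint when the node is a loopback literal."""
    out = []
    for f in failures:
        where = f.node or "<no node in message>"
        hint = " [node is a loopback literal, not an FQDN]" if f.node_is_loopback else ""
        out.append(f"{f.timestamp} {f.process}: {f.name} on {where}{hint}")
    return out


# Constructed sample: line 1 is the one quoted in the thread; lines 2 and 3 are made up.
SAMPLE_LOG = """\
Aug  8 18:48:35 od.mycompany.com serveradmin[3840]: -[AccountsRequestHandler(AccountsOpenDirectoryHelpers) openLocalLDAPNodeIfNeeded]: dsLocalLDAP = (null), error = Error Domain=com.apple.OpenDirectory Code=2100 "Connection failed to node '/LDAPv3/127.0.0.1'" UserInfo=0x7fc319701b80 {NSLocalizedDescription=Connection failed to node '/LDAPv3/127.0.0.1', NSLocalizedFailureReason=Connection failed to the directory server.}
Aug  8 18:48:36 od.mycompany.com serveradmin[3840]: error = Error Domain=com.apple.OpenDirectory Code=2100 "Connection failed to node '/LDAPv3/od.mycompany.com'"
Aug  8 18:48:37 od.mycompany.com servermgrd[123]: Configuring services...
"""

if __name__ == "__main__":
    for line in summarize(parse_od_failures(SAMPLE_LOG)):
        print(line)
```

Run against a saved copy of the migration log to get a short list of which OD node each connection failure targeted; a node ending in a loopback literal is reported so it can be checked against the Network Account Server / Directory Utility settings discussed later in the thread.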

  • by buckster,

    buckster, Level 4 (2,814 points), Apple Watch, Aug 11, 2014 1:26 PM in response to Linc Davis

    Do you appreciate that this server being upgraded is the OD Master?

    It's authenticating clients, plus offering Directory Services to at least six 3rd party platforms.

    I think it has been set up correctly for years without giving us problems:

      • Addressing resolves correctly forward & reverse
      • sudo changeip -checkhostname returns "The names match. There is nothing to change."

    Not sure what else to check.

    b


  • by Grant Bennet-Alder,

    Grant Bennet-Alder, Level 9 (61,073 points), Desktops, Aug 11, 2014 2:04 PM in response to buckster

    On the Server computer, check this:

    [Screenshot: UsersGroupsLogin Options.png]

    Do you have exactly ONE Network Account server listed ONLY by fully-qualified Domain Name (not by IP Address)?

  • by buckster,

    buckster, Level 4 (2,814 points), Apple Watch, Aug 11, 2014 2:11 PM in response to Grant Bennet-Alder

    No I don't.

    Mine shows 'Local Server' as follows:

    [Screenshot: Untitled.png]

    Thanks,

    b.

  • by Grant Bennet-Alder,

    Grant Bennet-Alder, Level 9 (61,073 points), Desktops, Aug 11, 2014 2:35 PM in response to buckster

    I am pretty sure you need to use Directory Utility and put in the FQDN, and make sure your search path contains:

     

    LDAPv3/your_domain

     

    In any case, it's like chicken soup when you're sick: "It can't hurt!"

  • by buckster,

    buckster, Level 4 (2,814 points), Apple Watch, Oct 29, 2014 4:35 PM in response to buckster

    Hi All,

    I'm delighted to report this had a happy ending when I used Migration Assistant in Yosemite.

     

    I was able to upgrade my 10.6.8 Mac Mini to server on 10.10 following the migration instructions here:

     

    OS X Server: Upgrade and migration from Lion Server or Snow Leopard Server

     

    After the migration I did not have an OD entry in the Keychain so I followed these directions:

     

    OS X Server: Steps to take before upgrading or migrating the Open Directory database

     

    After installing Server app from App store I used the OD username and password I created above to proceed with the server setup.

     

    Took less than 5 minutes and my OD users AND PASSWORDS from 10.6.8 are now in 10.10.

     

    Cheers,

     

    b

  • by jkuzniar,

    jkuzniar, Level 1 (0 points), Mar 12, 2015 10:37 AM in response to buckster

    @buckster - I'm running into the same issue here trying to upgrade my v10.6.8 OD Server to 10.9.5 (heck, I'd consider 10.10.2 at this point.) My users' passwords have not made it over in the migration. I have tried both installing Mavericks, then migrating users, and installing Server.app, and cloning the 10.6.8 HD and running the Mavericks upgrade and then installing Server.app, with the same outcome. I tried adding a keychain entry for the OD service as described above. What were the exact steps / order you did things in to get everything (including passwords) to migrate? (Trying to avoid mutant here, lol.) - Thanks

  • by buckster,

    buckster, Level 4 (2,814 points), Apple Watch, Mar 12, 2015 11:33 AM in response to jkuzniar

    Sorry - you're screwed.

     

    See Failed to authenticate & Unable to synchronize login time

     

    You can migrate the passwords but if you have 10.9 or 10.10 clients you will hit a problem because no certificates for clients were created on 10.6 server.

     

    Clients using 10.9 and above require certificates when authenticating against OD.

     

    After working for several hours with Apple Support I ended up exporting users from 10.6, importing to 10.10 and recreating passwords.

     

    HTH & saves you some time.

     

    b.

  • by jkuzniar,

    jkuzniar, Level 1 (0 points), Mar 12, 2015 12:27 PM in response to buckster

    Hey, thanks for the quick reply on this. How gross. Only thing I'm wondering is, I opened up the full FreeRADIUS install on the 10.6.8 OD server, so I could auth my Wi-Fi users to different APs (other than Airports.) Used Jedda's how-to as a guide.

    I'm running EAP-TTLS, so that process adds a server-generated cert to the client the first time they authenticate to the RADIUS server. Wondering if that is enough to cover my tracks regarding client-side certificates? I'm only looking at maybe 60 users so it's not the end of the world, but still very annoying as I'll have to track every user down (you are all too familiar it seems.)
