Can I migrate server settings from 10.5 to 10.9
I just got a Mac-mini server running OSX 10.9.3 and Server 3.1.1 and want to migrate share points, users and permissions from an Intel Xserve running OSX Server 10.5.8.
I just got a Mac-mini server running OSX 10.9.3 and Server 3.1.1 and want to migrate share points, users and permissions from an Intel Xserve running OSX Server 10.5.8.
Yes. If you are only moving users, groups, and data from one server to the next, this is relatively easy.
If you want to run the risk of migrating your entire Open Directory domain, you can export it from the 10.5 server and import it into the 10.9 server. This will get everything, including passwords. But the everything also means you will get all the junk from 10.5, including MCX, the separate password server auth authorities, etc.
I tend to go for user attributes and then enforce a new password policy. Most of us were not thinking security and password policy back in the 10.5 days, so rethinking it is a good thing. In this case, use Workgroup Manager to export your users and groups to flat files or use dsexport to do the trick. You can use something like:
dsexport ~/Desktop/exportedUsers /LDAPv3/127.0.0.1 dsRecTypeStandard:Users -e "dsAttrTypeStandard:AuthenticationAuthority" -e "dsAttrTypeStandard:Expire" -e "dsAttrTypeStandard:Change" -e "dsAttrTypeStandard:Password" -e "dsAttrTypeStandard:AltSecurityIdentities" -e "dsAttrTypeStandard:JPEGPhoto" -e "dsAttrTypeStandard:MCXFlags"
This will create a flat file containing user attributes that can then be imported into 10.9. Make sure you remove the root, diradmin, and VPN Key user accounts. This method will not give passwords, but it will trim much of the unwanted attributes. Inspect the file and add more exclusions if you are getting more stuff like MCX.
Alternatively, if you only have a handful of users, you might simply opt to recreate them on the new server. Then recreate your shares and move the data, allowing permissions to be set on the move of the data.
Don't forget DNS. Don't forget to implement a backup. Test. Trust by verify. Plan your access model.
Reid
Apple Consultants Network
Apple Professional Services
Author "Mavericks Server – Foundation Services" :: Exclusively available in Apple's iBooks Store
Yes. If you are only moving users, groups, and data from one server to the next, this is relatively easy.
If you want to run the risk of migrating your entire Open Directory domain, you can export it from the 10.5 server and import it into the 10.9 server. This will get everything, including passwords. But the everything also means you will get all the junk from 10.5, including MCX, the separate password server auth authorities, etc.
I tend to go for user attributes and then enforce a new password policy. Most of us were not thinking security and password policy back in the 10.5 days, so rethinking it is a good thing. In this case, use Workgroup Manager to export your users and groups to flat files or use dsexport to do the trick. You can use something like:
dsexport ~/Desktop/exportedUsers /LDAPv3/127.0.0.1 dsRecTypeStandard:Users -e "dsAttrTypeStandard:AuthenticationAuthority" -e "dsAttrTypeStandard:Expire" -e "dsAttrTypeStandard:Change" -e "dsAttrTypeStandard:Password" -e "dsAttrTypeStandard:AltSecurityIdentities" -e "dsAttrTypeStandard:JPEGPhoto" -e "dsAttrTypeStandard:MCXFlags"
This will create a flat file containing user attributes that can then be imported into 10.9. Make sure you remove the root, diradmin, and VPN Key user accounts. This method will not give passwords, but it will trim much of the unwanted attributes. Inspect the file and add more exclusions if you are getting more stuff like MCX.
Alternatively, if you only have a handful of users, you might simply opt to recreate them on the new server. Then recreate your shares and move the data, allowing permissions to be set on the move of the data.
Don't forget DNS. Don't forget to implement a backup. Test. Trust by verify. Plan your access model.
Reid
Apple Consultants Network
Apple Professional Services
Author "Mavericks Server – Foundation Services" :: Exclusively available in Apple's iBooks Store
Thanks. I don't have but 15 users, so I'm just going to recreate them. Appreciate the note about password security. Now I need to figure out how to lock out certain users to keep them from deleting files/folders from certain share points.
You will need to use the Deny Delete ACL. I've documented this a while ago for another member. See here:
https://discussions.apple.com/thread/5916256
Hope this helps as well.
But beware. Applying deny delete on files can impact the function of applications, especially Photoshop. You can protect the folders but files is much more difficult.
Can I migrate server settings from 10.5 to 10.9