Stacy Wynn
Level 1 (5 points)

Q: Can I migrate server settings from 10.5 to 10.9

I just got a Mac-mini server running OSX 10.9.3 and Server 3.1.1 and want to migrate share points, users and permissions from an Intel Xserve running OSX Server 10.5.8.

Posted on Jul 11, 2014 11:31 AM

by Strontium90,Solvedanswer
Strontium90 Strontium90
Level 5 (4,087 points)
Servers Enterprise
A:

Yes.  If you are only moving users, groups, and data from one server to the next, this is relatively easy.

 

If you want to run the risk of migrating your entire Open Directory domain, you can export it from the 10.5 server and import it into the 10.9 server.  This will get everything, including passwords.  But the everything also means you will get all the junk from 10.5, including MCX, the separate password server auth authorities, etc.

 

I tend to go for user attributes and then enforce a new password policy.  Most of us were not thinking security and password policy back in the 10.5 days, so rethinking it is a good thing.  In this case, use Workgroup Manager to export your users and groups to flat files or use dsexport to do the trick.  You can use something like:

 

dsexport ~/Desktop/exportedUsers /LDAPv3/127.0.0.1 dsRecTypeStandard:Users -e "dsAttrTypeStandard:AuthenticationAuthority" -e "dsAttrTypeStandard:Expire" -e "dsAttrTypeStandard:Change" -e "dsAttrTypeStandard:Password" -e "dsAttrTypeStandard:AltSecurityIdentities" -e "dsAttrTypeStandard:JPEGPhoto" -e "dsAttrTypeStandard:MCXFlags"

 

This will create a flat file containing user attributes that can then be imported into 10.9.  Make sure you remove the root, diradmin, and VPN Key user accounts.  This method will not give passwords, but it will trim much of the unwanted attributes.  Inspect the file and add more exclusions if you are getting more stuff like MCX.

 

Alternatively, if you only have a handful of users, you might simply opt to recreate them on the new server.  Then recreate your shares and move the data, allowing permissions to be set on the move of the data.

 

Don't forget DNS.  Don't forget to implement a backup.  Test.  Trust by verify.  Plan your access model.

 

Reid

Apple Consultants Network

Apple Professional Services

Author "Mavericks Server – Foundation Services" :: Exclusively available in Apple's iBooks Store

Posted on Jul 15, 2014 4:37 AM

Close
Stacy Wynn

Q: Can I migrate server settings from 10.5 to 10.9

  • All replies
  • Helpful answers

  • by Strontium90,Solvedanswer

    Strontium90 Strontium90 Jul 15, 2014 4:37 AM in response to Stacy Wynn
    Level 5 (4,087 points)
    Servers Enterprise
    Jul 15, 2014 4:37 AM in response to Stacy Wynn

    Yes.  If you are only moving users, groups, and data from one server to the next, this is relatively easy.

     

    If you want to run the risk of migrating your entire Open Directory domain, you can export it from the 10.5 server and import it into the 10.9 server.  This will get everything, including passwords.  But the everything also means you will get all the junk from 10.5, including MCX, the separate password server auth authorities, etc.

     

    I tend to go for user attributes and then enforce a new password policy.  Most of us were not thinking security and password policy back in the 10.5 days, so rethinking it is a good thing.  In this case, use Workgroup Manager to export your users and groups to flat files or use dsexport to do the trick.  You can use something like:

     

    dsexport ~/Desktop/exportedUsers /LDAPv3/127.0.0.1 dsRecTypeStandard:Users -e "dsAttrTypeStandard:AuthenticationAuthority" -e "dsAttrTypeStandard:Expire" -e "dsAttrTypeStandard:Change" -e "dsAttrTypeStandard:Password" -e "dsAttrTypeStandard:AltSecurityIdentities" -e "dsAttrTypeStandard:JPEGPhoto" -e "dsAttrTypeStandard:MCXFlags"

     

    This will create a flat file containing user attributes that can then be imported into 10.9.  Make sure you remove the root, diradmin, and VPN Key user accounts.  This method will not give passwords, but it will trim much of the unwanted attributes.  Inspect the file and add more exclusions if you are getting more stuff like MCX.

     

    Alternatively, if you only have a handful of users, you might simply opt to recreate them on the new server.  Then recreate your shares and move the data, allowing permissions to be set on the move of the data.

     

    Don't forget DNS.  Don't forget to implement a backup.  Test.  Trust by verify.  Plan your access model.

     

    Reid

    Apple Consultants Network

    Apple Professional Services

    Author "Mavericks Server – Foundation Services" :: Exclusively available in Apple's iBooks Store

  • by Stacy Wynn,

    Stacy Wynn Stacy Wynn Jul 15, 2014 5:03 AM in response to Strontium90
    Level 1 (5 points)
    Jul 15, 2014 5:03 AM in response to Strontium90

    Thanks. I don't have but 15 users, so I'm just going to recreate them. Appreciate the note about password security. Now I need to figure out how to lock out certain users to keep them from deleting files/folders from certain share points.

  • by Strontium90,

    Strontium90 Strontium90 Jul 15, 2014 5:36 AM in response to Stacy Wynn
    Level 5 (4,087 points)
    Servers Enterprise
    Jul 15, 2014 5:36 AM in response to Stacy Wynn

    You will need to use the Deny Delete ACL.  I've documented this a while ago for another member.  See here:

     

    https://discussions.apple.com/thread/5916256

     

    Hope this helps as well.

     

    But beware.  Applying deny delete on files can impact the function of applications, especially Photoshop.  You can protect the folders but files is much more difficult.