Q: OD Upgrade: merge backed up user data with new accounts?
Hi All,
After trying many paths to upgrade a 10.6.8 OD server to 10.10 we gave up on export / import of the whole directory. We kept running into the “Existing connection is not authenticated” error caused by some kind of certificate mismatch. Searching for fixes inevitably led to this article, which indicates the “rekerberize” method should not be used on Yosemite.
So we punted and installed everything clean from scratch. We think we found a method that restores all users and their home dirs. I’m posting here to see if anyone may critique our method as unsafe. We’ve done some testing but users are not let loose on the new system yet so we aren’t quite 100% certain.
The basic steps we eventually took were:
- Grab export of users from 10.6 server
- Fresh install of OS X 10.10, patch to 10.10.1 (cloned old system first so we can always go back)
- Install Server
- Correctly configure DHCP and DNS and File Sharing
- Create Directory
- Create self signed cert (this was necessary to get 10.6 clients to auth; 10.10 clients work out of the box)
- Edit user export file to fix up the change in FQDN: %s/<old_fqdn>/<new_fqdn>/g
- Import users into Directory using the fixed up export file
- Copy user home dirs from 10.6 backup into new file share (the user home dir path matches the fixed up export file)
- chown each user dir to the new user: sudo chown -R <user>:students /Users/<user> (In earlier passes at the upgrade, we also propagated permissions and ACLs from within Server.app at this step. But the fresh install didn’t seem to need this — chown appears to be enough.)
- The Keychain came across with wrong perms and instead of resetting the perms, it made more sense in our case to just delete it: sudo rm -rf /Users/<user>/Library/Keychains
We’ve done a reasonable amount of testing and it looks like all of the users’ files are accessible and working fine. I expect we may find some application data in user home dirs that has wrong perms (like the keychain did) or is otherwise incoherent to the new system. But so far we haven’t found any such issues.
So the crux of this post is: Is it prudent to import user data from another system and expect a simple chown command will make all right with the new system? Or are we glossing over some low-level fundamental (Server File Sharing ACLs?) and creating a time-bomb that will only go off after a week of user data changes at which point any path back out will involve user data loss.
We’re going to start letting some users log on and grab their home dirs in the next day or two. Any and all comments are welcome.
Thank you,
-J
Posted on Jan 14, 2015 9:22 PM
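The steps in the post (rewrite the FQDN in the export, restore the home dirs, chown each one, drop the stale Keychains folder) as one script, added here as an example and not code from the original post. It assumes a colon-separated export file (`shortname:uid:home_url`) whose home URLs carry the old FQDN; that layout is a constructed stand-in for a real dsexport dump, so adapt the field split to the actual file. The hostnames `od.old.example.com` / `od.new.example.com`, the `students` group and the `/Users` home root are assumptions taken from the post and are overridable via environment variables. The script adds two checks the post does not mention: every exported user must already have a restored home dir before anything is chowned, and shortnames containing `/` or `..` are refused so a bad export line cannot chown outside the home root. `DRY_RUN=1` (the default) prints the `chown`/`rm` commands instead of running them; run with `--demo` to exercise it end to end.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes:
#   - an export file of shortname:uid:home_url lines whose home URLs contain
#     the old FQDN (make_sample_export builds a constructed sample; a real
#     dsexport dump is laid out differently, adjust the field split)
#   - restored home dirs live under $HOME_ROOT/<shortname>
#   - DRY_RUN=1 (default) prints chown/rm instead of running them
set -eu

OLD_FQDN="${OLD_FQDN:-od.old.example.com}"   # assumed old server name
NEW_FQDN="${NEW_FQDN:-od.new.example.com}"   # assumed new server name
HOME_ROOT="${HOME_ROOT:-/Users}"             # where the home dirs were restored
HOME_GROUP="${HOME_GROUP:-students}"         # group used in the post's chown
DRY_RUN="${DRY_RUN:-1}"

# Constructed sample export: shortname:uid:home_url, one user per line.
make_sample_export() {   # make_sample_export path
    cat > "$1" <<EOF
alice:1001:afp://$OLD_FQDN/Users/alice
bob:1002:afp://$OLD_FQDN/Users/bob
EOF
}

# The post's %s/old/new/g, with the dots in the old name escaped so they do
# not match arbitrary characters. Prints the number of lines now carrying
# the new FQDN so it can be compared with the user count.
rewrite_fqdn() {   # rewrite_fqdn in_file out_file
    old_re=$(printf '%s' "$OLD_FQDN" | sed 's/\./\\./g')
    sed "s/$old_re/$NEW_FQDN/g" "$1" > "$2"
    grep -c "$NEW_FQDN" "$2" || true
}

# Refuse to chown anything until every user in the export has a home dir;
# prints the missing ones and returns nonzero if any are absent.
check_homes() {   # check_homes export_file
    missing=0
    while IFS=: read -r user _uid _home; do
        if [ ! -d "$HOME_ROOT/$user" ]; then
            echo "missing home: $HOME_ROOT/$user"
            missing=$((missing + 1))
        fi
    done < "$1"
    [ "$missing" -eq 0 ]
}

# Execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# The post's per-user step: chown -R the home dir, then delete the keychain
# folder that came across with the wrong ownership. Shortnames that could
# escape HOME_ROOT (empty, containing '/', '.' or '..') are rejected.
fix_home() {   # fix_home shortname
    user="$1"
    case "$user" in
        ''|*/*|.|..) echo "refusing bad shortname: '$user'" >&2; return 1 ;;
    esac
    home="$HOME_ROOT/$user"
    [ -d "$home" ] || { echo "no such home: $home" >&2; return 1; }
    run chown -R "$user:$HOME_GROUP" "$home"
    run rm -rf "$home/Library/Keychains"
}

# Apply fix_home to every user listed in the (already rewritten) export.
fix_all_homes() {   # fix_all_homes export_file
    while IFS=: read -r user _uid _home; do
        fix_home "$user"
    done < "$1"
}

main() {
    work=$(mktemp -d)
    make_sample_export "$work/users.old"
    echo "rewrote $(rewrite_fqdn "$work/users.old" "$work/users.new") home URLs"
    check_homes "$work/users.new" || { echo "restore the missing homes first" >&2; exit 1; }
    fix_all_homes "$work/users.new"
}

if [ "${1:-}" = "--demo" ]; then
    main
fi
```

With `DRY_RUN=0` the script must run as root for the real `chown`; keep the dry run first and diff its output against the user list from the export before letting it touch the file share.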