I have two machines with users and groups that I want to migrate to
my new Xserve running 10.4 Server.
Machine 1:
Mac OS X Server 10.3
Users/Groups in LDAP
Machine 2:
Mac OS X 10.3 (not server)
Users/Groups in NetInfo
If that's not a big enough hassle, I have some users that exist on
both machines, so some cleanup will have to occur one way or another.
Also, I would REALLY like to preserve passwords from both, but if I
can't... so be it.
I tried Option 1, but since my master is 10.3, I can't make a 10.4
server a replica.
Option 2 will not preserve the passwords, and I don't think I can get
Workgroup Manager to work on a non-server OS.
I don't even understand Option 3. I don't see any "Archive" or
"Backup" function in Server Admin.
Anyone have any bright ideas?
Thanks!
Shawn
On Nov 11, 2006, at 9:07 PM, Zack Smith wrote:
Well I would say three ways
One:
If these users are in an exported directory "Open Directory" and not
the local "Netinfo Database" you can pretty easily do this by
setting up the new hardware as an OD replica and then causing an
intentional fail-over by taking down the OLD OD "master" and then
"promoting"/changing the role in Server Admin on the Replica to
-> "Master". When you switch a replica to be a master the database
becomes writable and you should have what amounts to be a full and
current(1) copy of the OD and Password/Kerberos Database. The only
housekeeping that would be left would be to point any existing
replicas towards the NEW master, and potentially change the clients'
Directory Access setting; though they may have a cached copy of the
replica's address to fail over to, it's probably best for timeout
reasons for them to be pointed to the NEW master(2).
Two:
Use the export option in Work Group Manager to export the users and
groups respectively and then sneaker net or copy them over to the
new server. This method is flexible in the sense that the accounts
can be in the "local" Netinfo Database or in the "Exported" or
"Parent" Open Directory database. The big disadvantage of this
method is it does not save the authentication authority attribute
or in what basically works to be the user's password. So you would
need to reset everyone's password and then either have them manually
or managed, change their respective passwords. This can be done
manually at the accounts pane(3) of the system preferences when
logged in as the Network OD user or can be set to be forced as a
password policy in Workgroup Manager, and then the users would
receive a prompt at the login window of a bound client the next day
or at their next AFP connection. Note that while AFP allows password
changes and will prompt the user, it's a pretty convoluted set of
steps that are not really automated so most users would have a
better experience at the login window.
Three:
Use the Server Admin archive option and make a backup, then move the
backup over to the new machine. This will export the users in OD (and is
Netinfo IIRC) and the Password Server and the Kerberos KDC (the
Kerb Principals or "tickets"). The huge catch is when you restore
the archive it does a merge and so the hostname (the IP pretty
much too), searchbase, and Kerberos Realm should all be the
same. So you basically would have to, in this order, make the
archive, take the OLD machine down, bring up the NEW machine with
the same settings mentioned previously and then most likely wipe or
reconfig the old one with the network connection unplugged. The only
hack for this one is you could run the command line "changeip" to
recursively do a find and replace for the OLD machine's data to the
-> NEW machine's data and then run the archive so when it was
restored it would match up, but that's a little kludgey.
1. The replica would be as current as the last sync, which defaults
to whenever a change is made.
2. You could alleviate this manual reconfiguration in the future by
using option 95, which is a way to push out an LDAP URL using
DHCP, and is turned on at first boot or can be enabled in Directory
Access on the client side and is supported on Mac OS X Server /
Windows 2003 and *Nix systems via ISC DHCPD to name a few (and on
Apple's Airport Base Stations). Note that there is a potential
security issue in having clients implicitly trust DHCP information
for binding info but it's probably unlikely unless someone is
specifically targeting Macs on say an open wireless network.
3. The users could also use the Kerberos "ticket" app in
/System/Library/CoreServices/Kerberos.app but it does not, in my
experience, always enforce all the password policies so your mileage
may vary.
HTH
-Z
----- Original Message -----
From: liyas mamat [mailto:email@hidden]
To: macos-x-server [mailto:email@hidden]
Sent: Sat, 11 Nov 2006 18:21:01 -0800
Subject: migrating the user accounts
Dear all,
How do you migrate the user accounts from one server to another? For
example, I have installed xserve on a small storage machine and now would
like to transfer all of the user accounts to a bigger, faster g5 xserve
machine. In what directory does the xserve os save the user accounts?
What is the easiest way to do the migration?