Migrating NIS users to Open Directory

Was wondering if anyone has any experience with migrating NIS users over to Open Directory? I have setup an Open Directory server (10.6) and am looking to move about 150 users from my NIS server to it.
I can move the users/GIDs easy enough but want to move passwords also so the move it transparent to the users.
Any ideas?
Thanks!

The answer appears to be that as long as your local pre-existing account password matches your domain account, then once the machine is bound, shared servers managed by Active Directory are automatically authenticated. No migration necessary. Only issues I came across had to do with old keychain entries that needed to be removed.
Hope someone out there can learn from my confusion.

Similar Messages

  • SSH user, via Open Directory, can't SUDO...

    On three of my Xserves I have SSH access restricted to a handful of users and these users are Open Directory-based users. Aside from the fact that these users don't have a home directory on the servers they connect to (as they're not local users to those machines), I'm having an issue where, when they try and run a command via SUDO, they get an error stating they are not in the sudoers file and thus can't complete the command.
    I'm wondering if anyone has a solution for this? Should I not be using OD-based users for SSH?
    Thanks,
    Kristin.

    Sure, you can use OD-based users and sudo.
    Maybe add your users to the domain's Administrators group, which, by default, would grant sudo on the member machines. Careful, though, as that's the _domain_ administration group. If you need to restrict access so they can't make domain admin level changes but so they can do just about anything on your member servers and workstations, you could just create a new sudo group, maybe called "sudo-admins" then append an appropriate line to the sudoers files on all of your machines... maybe a line that reads:
    %sudo-admins  ALL=(ALL) ALL
    (standard warning about using caution while editing sudoers goes here -- be careful)

  • How to create email users with open directory?

    I'm trying to used a mac mini as a mail server for my domains. It works well for SMTP server/gateway for multiple locally networked systems running Lion, Mountain Lion and Maverick. The server is running Mavericks 10.9.2 server 3.1.1.
    I need to add email users to it, so I tried Open Directory. I added a user with an email address with a domain listed in the mail server's domains. Then used the server app to give the user permission to use the mail service and selected to have the mail be saved on the server.
    However, even though I set the mail server to accept any authentication method, I couldn't log in to get mail (via IMAP) from any email client on my computer. I tried Mail and Sparrow.
    The IMAP log on the server says 'Disconnected (auth process communication failure)'. I tried everything that I could from the server app and the workgroup manager app. When using 'Mail.app', the IMAP log shows an empty user name. Trying with Sparrow shows the user name in the log, but still fails.
    I restricted authentication to Open Directory, but that didn't help either. Tried with Secure Connection and without.
    Am I missing something? Is there anything that I need to do to make the server accept IMAP connections? The mail service is running and handling SMTP.
    The domain has an MX record pointing the server's domain name.
    All the services are secured with a self signed certificate.
    Doing a CLI check with 'sudo serveradmin fullstatus mail' results in the following:
    [snip]
    mail:protocolsArray:_array_index:0:status = "ON"
    mail:protocolsArray:_array_index:0:kind = "INCOMING"
    mail:protocolsArray:_array_index:0:protocol = "IMAP"
    mail:protocolsArray:_array_index:0:state = "RUNNING"
    mail:protocolsArray:_array_index:0:service = "MailAccess"
    mail:protocolsArray:_array_index:0:error = ""
    [snip]

    Didn't find a way to edit my post above.
    UPDATE:
    Trying to log in with Thunderbird showed differently in the IMAP log. It's user disabled instead.
    imap-login: Info: Disconnected (user disabled): user=<username>, method=CRAM-MD5, rip=192.168.8.101, lip=192.168.8.99, TLS
    How do I 'enable' this user?

  • Windows users and open directory

    Since Server for 10.7 I've found I've had to create Windows users as local users rather than local network users to give them access to shares via SMB. Is this correct, or am I missing something? I was aware that you can't bind a Windows PC to Open Directory, but can it not authenticate at all through OD?
    thanks

    If I understand your question, then you are looking for a tool like Centrify.  This will put all management on one platform.

  • Populating Users With Open Directory Archive

    I have a New 10.8.2 Lion server that I would like to bring all the 10.7.5 users over. what is the best way to do this. It seems that the 10.7.5 arcive is not compatable with 10.8.2.  Any ideas would be great. I can't upgrade the 10.7.5 system becuase its an an old system.

    Didn't find a way to edit my post above.
    UPDATE:
    Trying to log in with Thunderbird showed differently in the IMAP log. It's user disabled instead.
    imap-login: Info: Disconnected (user disabled): user=<username>, method=CRAM-MD5, rip=192.168.8.101, lip=192.168.8.99, TLS
    How do I 'enable' this user?

  • Open Directory users prompted to change password after 10.8 to 10.9 server upgrade

    I just upgraded our 10.8.5 server to 10.9.3. I also upgraded Server.app to the most recent version (3.1.2). I made a complete backup first as a precaution.
    Existing non-admin users are being prompted to change their password when logging in. I've narrowed the problem down to a checkbox in the "Global Password Policy" settings in Server.app, specifically this checkbox: "Passwords must: be reset on first user login". I had that box checked in 10.8 so that new users would be prompted to create a password the first time they logged into a bound computer. It worked great and I'd like to continue using this feature in 10.9.
    If I uncheck this box in Server.app in 10.9.3, existing users can log in just fine with their existing passwords. If I re-check the box, non-admin users are suddenly prompted to change their password when logging in, even though they've logged in countless times in the past.
    Here are some things I've tried:
    * stopping and restarting the Open Directory service in Server.app
    * restarting the server
    * disabling and re-enabling an existing user account
    * inspecting user records in Directory Utility for any peculiar attributes
    * I used the mkpassdb -dump command to verify that the correct "last login time" is present for a particular user, but I'm not enough of an Open Directory expert to know if this is the attribute that the Global Password Policy relies on.
    Does anyone have any other ideas or suggestions?

    UPDATE: It looks like this issue applies to new (post-upgrade) accounts, too, suggesting that this has nothing to do with the upgrade process. Can anyone confirm this behavior? It's easy to test:
    1) Make sure the "Passwords must: be reset on first user login" box is unchecked.
    2) Create a new user in Open Directory.
    3) Log in once. No problem.
    4) Now check the "Passwords must: be reset on first user login" box.
    5) Try to log in again. Were you prompted to change your password? Logically, you shouldn't have been prompted, but users on my server are being prompted.

  • Lightroom Catalog and Apple Open Directory Users

    We are attempting to run Lightroom in our photo journalism classes and we are unable to setup the application because it will not create the Catalog file. 
    All of the users in Open Directory have their OSX 10.8 home folder stored on our Apple Server. This enabled them to log into any one of the computers in the lab and have access to their data/documents.
    Lightroom refuses to create the Catalog file because it treats the home folder as a network folder.
    My predecessor found some way around this in the past but he didn't document it and I can't find any evidence of it either.
    Can anyone help me out here?  Surely there are other people out there trying to use Adobe Products who also utilize Apple's "Open Directory" (its like apple's version of Active Directory).
    The only help online I've found was to try and create symbolic links but even after making symbolic links from the local HD to the Network user Home folder lightroom still refused to create the catalog file.

    its been almost a year and we still don't have any good answers to this issue.
    Lightroom is not usable for any domain/directory enabled accounts because their home directories are stored on the network. 
    Is there anything else we can do?  We do not want them to "share" their catalogs but we really need them to be able to store their catalog on their network home because they do not always use the same computer and policy disallows saving documents or files to the local hard drives for students.

  • Strange login problem with Open Directory

    Hi,
    I created a web tool that calls dscl to create users in Open Directory from a bound web server.
    Most of the accounts work fine. A couple do not. The particular account in question could login to machines in one computer group, but not on others, using the login window. But it could login on the command-line via su.
    Now here's the kicker. I deleted the user completely and re-created the user account with the same login name, and assigned it to the same groups as other new accounts that work fine. The problem persists.
    The only thing I've found that indicates a problem is the following from the ldap log:
    Sep 17 10:36:14 poseidon slapd[61]: Entry (uid=<username changed>,cn=users,dc=<redacted>,dc=<redacted>,dc=<redacted>): object class 'posixAccount' requires attribute 'homeDirectory'
    (note the redactions and username were put in by me...paranoia etc)
    I used 'Inspector' in Workgroup Manager and verified that the account does in fact have the required homeDirectory attribute, and the account is not unlike other accounts that work fine, save the username and unique ID.
    I hope this provides enough info for someone to give some guidance...this is certainly a strange problem.
    Thanks ahead of time!
    -Matt

    Hi,
    I created a web tool that calls dscl to create users in Open Directory from a bound web server.
    Most of the accounts work fine. A couple do not. The particular account in question could login to machines in one computer group, but not on others, using the login window. But it could login on the command-line via su.
    Now here's the kicker. I deleted the user completely and re-created the user account with the same login name, and assigned it to the same groups as other new accounts that work fine. The problem persists.
    The only thing I've found that indicates a problem is the following from the ldap log:
    Sep 17 10:36:14 poseidon slapd[61]: Entry (uid=<username changed>,cn=users,dc=<redacted>,dc=<redacted>,dc=<redacted>): object class 'posixAccount' requires attribute 'homeDirectory'
    (note the redactions and username were put in by me...paranoia etc)
    I used 'Inspector' in Workgroup Manager and verified that the account does in fact have the required homeDirectory attribute, and the account is not unlike other accounts that work fine, save the username and unique ID.
    I hope this provides enough info for someone to give some guidance...this is certainly a strange problem.
    Thanks ahead of time!
    -Matt

  • Migrate existing users from local domains to Open Directory.

    Here is the environment I'm working with:
    Small local environment (8-10) users. Everyone is on their own laptop, everyone is authenticating to their local directories. Network files are stored on a server, with everyone using a single shared user ID to authenticate and access the files.
    I have just installed a Xserve, and it is now serving DNS, DHCP, NTP, WWW. I want to setup Open Directory in Master mode, create user IDs for everyone, and then assign permissions to the shared files area.
    The one part that I'm not sure how to approach is the local laptops. If user "John Doe" has a local ID "jdoe" that he has been using on his local laptop, how does he migrate over to being "jdoe" in the OD domain, while reatining his "local" home directory and files? The problem I think I'll have is that when I create "jdoe" on the domain, he will have a UID of (say) 10001, but his local UID is 501 (as is the UID of all the other employees since they are all the first user on each of their respective laptops.) so when he logs back into his laptop after it has been attached to the OD domain, I assume that the laptop will see "jdoe" from the OD domain as a new user and create a new home for him (with the UID:10001), so now John cannot see any of his old files and such.
    Also, as a side question: I've worked with Windows ID before, and I know once you join a windows computer to a domain and then login to it, it creates a new user and caches the authentication info, so that when the laptop is not connected to the corporate network, the user can still login and work. Does Open Directory do the same on the laptops?
    Thanks for any help.

    Retaining password is a manual process of asking the user what his or her password is and then creating it in OD.
    As for migration of account, it is rather simple, provided the short name of the user remains consistent across directory systems. For example, if you have a user named Joe User and his short name is juser with a home folder in /Users/juser. And you create the same account in OD. You can do these few short actions.
    1: Bind system to the domain
    2: From the Admin account, and using Terminal from root, navigate to /var/db/dslocal/nodes/Default/users and find the plist file for the user (in our example, juser.plist).
    3: Delete the file using rm
    4: Restart the machine or restart Open Directory
    5: Log in as the admin user and change ownership of the users home folder. Recall that when the user is in the local domain, the UID was likely 502, 503, etc (you do have a standard local admin at 501 right?) Now that the user is in OD, the UID will be 4 digits, something like 1027. So understanding that user attributes and user data are independent, you now have a folder in /Users titled juser and owned by uid 50x. You need to make it owned by juser from the OD domain. User this:
    sudo chown -R juser /Users/juser
    6: Log out of the admin account
    7: Log in as the user after choosing Other at login window.
    Assuming you have your OD account set up properly, you will likely be asked to confirm the caching of the users credentials. This will path you right back into the user's home folder and all will be right with the world.
    This is simple and quick. If the shortnames are different, throw an mv into the mix to rename the home folder to match the domain shortname. If you have no local admin, then you will need to reset DSLocal and start again.

  • Define a remote linux nfs home directory for an open directory's user

    Hi,
    I want to migrate from nis to open directory. Everything but "auto homes" looks good. As I create a user with the workgroup manager, under the 'Home' tab, I'm unable to specify a remotre nfs home directory(linux).
    So, I want client01(linux) to authenticate on macsvr01(mac osX 10.6.2 / opendirectory). When authenticated, I want macsvr01 to tell client01 that it's home directory is hosted nfs on linuxsvr01(linux nfs file server).
    When i look the workgroup manager, the only possibility seems to be 'afp'.
    When I try to specificy nfs entries, I can't validate my setting because the 'Ok' button remains grayed out.
    Any suggestions?
    Thank you,
    Luc

    I assume you are creating folders in a file server and its a windows machine , is it ?
    You can install a remote manager on file server or on any other machine in network and execute your scripts remotely using remote manager
    Also you can execute your script like wscript c:\CreateFolder.vbs
    Thanks
    Suren
    Edited by: Suren.Singh on Aug 10, 2010 3:20 PM

  • Open Directory Migration Question

    Setup:
    My company has two servers, both running 10.5.6. We are migrating from the server Fubar (xserve) as it has had a lot of problems and we want to do a fresh install on it (I was not the admin who initially set it up).
    In order to get a 'fresh' OD going, we are recreating all the accounts on the new server Edoras (powerpc mac pro), making sure to preserve UID of the users.
    Problem:
    User A cannot change his password on Edoras after Directory Utility has been changed to point at it. He can change his password locally, but it does not propagate to Edoras, nor does a password change on Edoras affect his local machine.
    The questions I haven't been able to get answers for are:
    * Should the OD search string be different on Fubar and Edoras? Currently our search string is 'dc=fubar,dc=domain,dc=com'.
    * Are there other attributes that have to be setup in OD besides UID? I noticed when using the Target tab in Workgroup Manager that there is a GeneratedUID attribute, does this need to match?
    Thanks for any information/help.

    I did something like this recently. Unfortunately I couldn't get an answer on the Internet and had to re-configure Directory Access on the client machines manually.
    I moved our system from a POwerMac G4 with several upgrades (eSATA card, eSATA Coolgear Enclosure, 7200.11 (yeah I know, bad drives to use) Seagate drives, 1.8 GHz PPC 7447 upgrade, 1.5GB of ram) to a new Mac Pro with a Highpoint RAID controller. The old G4 was very unreliable and couldn't hand
    I had to go to each machine with ARD, open Directory Access, delete the LDAP entry and re-enter it. This was really annoying and confusing for me as the old server and the new server had:
    The same version of OSX (ok, one was a PPC version and I special ordered the Intel version from Apple Tech Support), but they both were running 10.4.11 with the newest security patches.
    The same OD Search Strings
    The same IP Address for the Server
    The same DNS name for the server
    and the same user IDs and group settings
    and I still had to re-do Directory Access using the client machines. Before re-doing the Directory Access re-binding I would try to login. The "other" icon would appear on the loging window, but when I would loging with the correct username and password the login windows would "shake it's head" and wouldn't let me login.
    The biggest pain was that portable directories didn't sync correct anymore, so I had to manually backup, then delete the account, then re-bind, then re-create and restore the portable directory on each laptop manually.
    Unfortunately I do not know the unix command to change directory binding to client computers using ARD. If such a command exists it would make things much easier for you. Does anyone know if a command exists?

  • Changing the Name of an Open Directory Server while preserving users, etc.

    Hi Everyone,
    Not an emergency - but I have been wrestling with this dilemma for almost a year now.
    The good news is nothing has to be done right away. But I will ultimately need a solution.
    We have inherited a server system at a traditional elementary school from a previous IT person who was immature to say the least.
    When he set up the server system, he named the open directory server something that, while innocuous is inappropriate for a school setting.  I am sure he thought it was clever and cheeky at the time. But a few years later it is simply unprofessional. And we are being expected to ultimately be able to change it so something like "XXXdirectory.domainname.edu" The more it hangs around - the longer it looks like we did this and it makes us look unprofessional.
    So here is my dilemma. 
    This is an OD Master with iCal and network homes attached to it. It also runs DNS.
    I would like to set up a new server and name it "xxxdirectory.schooldomainname.edu"
    Setting up the new server is easy and getting all the client machines to bind to it - no problem.
    The problem is how to migrate all the users to the new server.  It seems a restore wont work because if the new server is named differently, the restore will fail. I also can't do a server migration because the stupid name migrates to the new server.
    My old server is 10.5.8 Server.  The new one is 10.7.1 Server . But could be 10.6.8 Server if need be. 
    The main problem is how do I get all the accounts onto a new server with a new OD master name?
    I don't mind command line stuff. So throw whatever you got at me.
    Thanks in advance for your help everyone.  Don't worry - I won't be a pain in the butt or argue.  I just need some good solid guidance, even if it is a "Not possible" answer - at least I have something to tell the administration when they want to know why we can't change the OD Master name from mcnugget.schoolname.edu.
    Please let me know if you need more details.  I am happy to provide.
    Thanks again.
    Tony

    If you don't mind resetting everybodies password then you can export the users and groups and wipe the server for a clean install or turn it into a standalone server then back into od master  then import the users and groups.

  • Moving Mail Users from a Local Directory to Open Directory

    Hi,
    We have been running a standalone mail server for a few years. We have recently upgraded to 10.5 for all of our servers. We have also been running an Open Directory server for the last year or so. Now I am trying to move my email users from the Local Directory on the Mail server to the LDAP server. Obviously we do not want to change account names, so I find I need to delete the local user and then enable the user through the LDAP. This works fine, but I need to bring the original IMAP files/folders forward.
    My question is what is the best practice? I thought backing up the Mail folder in each user's Library and reimporting it would work, but it won't take the IMAP mbox (I can see all the .emlx files in the backup of the user's Mail folder).
    So again, I had a user called user1 in my mail server Local directory say server1. I also have an Open Directory server2 with the same username on it. I have bound server1 to server2. I can see the server2 (OD) accounts on the server1 (mail). I then need to delete user1 from Local server1 directory in order to enable mail to user1 from the OD. This does work, but again, I need bring the mail files/folders to the new OD account on server1.
    thanks,
    mike

    Tony,
    Let me check of the migration manual, thank you!
    I really thought this was going to easier than this. The current accounts are IMAP, and therefore when I "hook up" the new OD account, which doesn't really need anything done on the client side because it is the same username and password and server as the current Local account. When it syncs, the old emails on the IMAP account in the user's Mail program clear since the new OD account is empty on the server.
    I just really thought duplicating the Mail folder in the client's home Library would allow me to import the emails back in. I have tried highlighting the mailboxes (Inbox, and personal folders), archiving them, and then reimporting seemed to work, but I need to beat it up before I start working on live accounts. One account I did try lets me read the emails from the user, but when I try dragging them to the IMAP folders from the import folder, I get a NULL character problem on IMAP append error. NOT to chase that, but it was something else that tripped me up.
    You do bring up a good point, I think the accounts were originally setup as POP and IMAP. I'll chase some ideas about that.
    Let me play around, you've been great considering my awful explanation of this different situation.
    thanks again,
    mike

  • 10.6.8 to Mavericks Server Upgrade loses Open Directory Users

    Hi,
    I have an OpenDirectory Master running OSX Server 10.6.8. An upgrade to Mavericks 10.9 has just failed.
    The server has about 50 OD users and passwords need to be retained across the upgrade. Apart from OD, the only other active service is AFP file sharing.
    DNS is good forward and back as per this article: OS X Server: Steps to take before upgrading or migrating the Open Directory database
    I followed these Apple guidelines for server migration: OS X Server: Upgrade and migration from Lion Server or Snow Leopard Server.
    I cloned the boot drive, booted from the clone, upgraded to Mavericks, then installed the Mavericks Server app.
    On opening the Mavericks Server app "Configuring services' showed for 5 minutes, but then an error message appeared. I did not record it exactly, but it was something like, "There was an error configuring the server. Certificate not valid!".
    I was able to continue through the error but on opening Server app there were no OD (local/network) users showing. Authentication was not happening.
    I had underestimated the time to get the installation done and I had used up the window of downtime I had booked - I did not have much time to troubleshoot. So, I cut back to the original hard drive and the server is back to 10.6.8 again.
    Can anyone point me in the right direction to find out what may have gone wrong? How can I get my users into 10.9 Server?
    Many thanks,
    b.

    Linc Davis advice is spot-on, as usual.
    There seem to be dozens of sub-databases in the LDAP database. A problem in any of them seems to derail the entire conversion process. I tried a straight conversion and was also disappointed that there were unresolved issues, and it meant that the conversion failed.
    So I did the export route using WorkGroup Manager, and exported four sets:
    Users
    Groups
    Computers
    Computer groups
    go to the appropriate pane (e.g., Users) and Select All, then choose Export, and give it a name (probably with an embedded date in case you need to do it again later)
    Then use 10.9 WorkGroup Manager (available as a separate download) to Import.
    When re-imported, everything worked just fine (except the passwords, which cannot be carried forward using this method). I did have to manually enable at least one service, such as File Sharing service in Server [admin], or users showed up as "not allowed" [to log in].
    This entire process of getting Server 3 to work is fraught with peril, and everything converges on ONE diagnostic, "Network users can't log in". Which means you blew it, but provides no additional information about WHERE you blew it.
    There do not appear to be any magic bullets. It is just a tough slog. Users who reported success after failing the first time reported they returned to fundamental principles and did all the steps over, in order, to attain success.

  • Open Directory Migration

    Setup:
    My company has two servers, both running 10.5.6. We are migrating from the server Fubar (xserve) as it has had a lot of problems and we want to do a fresh install on it (I was not the admin who initially set it up).
    In order to get a 'fresh' OD going, we are recreating all the accounts on the new server Edoras (powerpc mac pro), making sure to preserve UID of the users.
    Problem:
    User A cannot change his password on Edoras after Directory Utility has been changed to point at it. He can change his password locally, but it does not propagate to Edoras, nor does a password change on Edoras affect his local machine.
    The questions I haven't been able to get answers for are:
    - Should the OD search string be different on Fubar and Edoras? Currently our search string is 'dc=fubar,dc=domain,dc=com'.
    - Are there other attributes that have to be setup in OD besides UID? I noticed when using the Target tab in Workgroup Manager that there is a GeneratedUID attribute, does this need to match?
    Thanks for any information/help.

    Hello, TechGolem, and welcome to the Appleboards,
    Given that this isn't specifically an Xserve issue you're probably better off asking this question in the group dedicated to Open Directory on 10.5 Server.
    It is here: http://discussions.apple.com/forum.jspa?forumID=1239
    Good luck,
    =Tod

Maybe you are looking for

  • My xml publisher report not display chart/graph in r12 apps

    dear all my xml publisher report is not showing chart/graph in oracle apps r12.1.1, but it's locally preview fine in MS word when i register rtf template in apps it just show data in xml not apply template without chart/graph it's work fine in apps p

  • How to pass more than 3 Items in link of report attribute?

    I have a report with edit link. After user click link, then go to next page. I want to pass more than 3 items in this link, item 1 name=xxx and value=#xxx#. How can I do this? Thanks.

  • Recover powerbook password

    I donated an old PowerBook (from around 2004) to a school in the Philippines but neglected to retain the password and have no record of it. They can't use it without it. I suggested going in as a Guest but there doesn't seem to be that option. Any wa

  • Serious issues updating ipad to 6.1.2

    No problems updating iphone 5 and the mini ipad however my other ipad has caused the pop up error message of -1 and I am unable to do anything!!!!  I was offered restore but am also unable to do this.  cannot move beyond the connect to itunes visual

  • Query Design - Counting orders with specific quantities

    A user has requested a query that will show the number of orders each month for a specific product by order quantity.  So, if the product is ABC, they want to see that in November there were four orders for ABC with a quantity of 1, ten orders with a