Upgrade paths to ns7

I know from past requests in this forum that many of you are interested in this topic :blush:

My goals are (in order of precedence)

  1. restore from backup of ns6
  2. support for the migration-import procedure for SME Server 8 (and 9?) / Nethesis NethService 8
  3. in-place upgrade of ns6 (that could benefit from reaching goal 1)

I wrote down some notes on the wiki, and I would be very happy to receive your feedback and contributions along with further requirements!

http://wiki.nethserver.org/doku.php?id=developer:ns7_upgrade

4 Likes

Well, there are some things to fix, but I succeeded on restoring a backup-config from ns6 to Samba Active Directory!

The challenging part is the User and Group module. I started with a “do-nothing” strategy :blush:

The restore procedure installs all modules listed by the backup, including nethserver-directory. In the end, ns7 has a running OpenLDAP instance with old accounts. That’s fine if OpenLDAP is the desired account provider. But I did something more:

  1. remove nethserver-directory: rpm -e nethserver-directory
  2. install nethserver-dc and configure things by hand to avoid initial domain provision
  3. copy secrets.tdb and smb.conf from ns6 into nsdc, under a temporary location, say /srv
  4. delete any primary group node from the ou=Groups branch, in LDAP. Samba does not accept a group that is named like a user!
  5. adjust LDAP ACLs, to allow samba access from nsdc IP
  6. log on nsdc and run classic upgrade with custom smb.conf and secrets.tdb
  7. run sssd join procedure manually

The users’ passwords and groups compositions were migrated correctly. I still have to check workstation accounts.

I listed this procedure as “Solution 3” on

http://wiki.nethserver.org/doku.php?id=developer:ns7_upgrade#issue_2_-_nethserver-dc

2 Likes
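A check for step 4 of the procedure above, as an added example that is not part of the original post or of NethServer's code: it lists the groups in an LDIF export whose name matches a user name, and reports any members other than that user, which would be lost when the node is deleted. The sample LDIF is constructed, and the `dc=directory,dc=nh` base DN and the `ou=People` / `ou=Groups` layout are assumptions about the ns6 tree.

```python
# Constructed sample LDIF; the dc=directory,dc=nh base DN and tree layout are
# assumptions. Real input: ldapsearch -LLL -o ldif-wrap=no (no folded lines).
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=directory,dc=nh
uid: alice

dn: uid=bob,ou=People,dc=directory,dc=nh
uid: bob

dn: cn=alice,ou=Groups,dc=directory,dc=nh
cn: alice

dn: cn=Bob,ou=Groups,dc=directory,dc=nh
cn: Bob
memberUid: carol

dn: cn=staff,ou=Groups,dc=directory,dc=nh
cn: staff
memberUid: alice
"""

def parse_ldif(text):
    """Split plain (unfolded, non-base64) LDIF into {attr: [values]} dicts."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ": " not in line:
                continue
            attr, value = line.split(": ", 1)
            entry.setdefault(attr.lower(), []).append(value)
        if entry:
            entries.append(entry)
    return entries

def colliding_groups(entries):
    """Return (group_dn, other_members) for every group named like a user."""
    users = {e["uid"][0].lower() for e in entries if ",ou=people," in e["dn"][0].lower()}
    hits = []
    for e in entries:
        if ",ou=groups," not in e["dn"][0].lower():
            continue
        name = e["cn"][0].lower()  # AD account names compare case-insensitively
        if name in users:
            extra = sorted(m for m in e.get("memberuid", []) if m.lower() != name)
            hits.append((e["dn"][0], extra))
    return hits
```

A non-empty second element means the group is more than a user's private group, so its membership should be recorded before the node is removed.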

The user name format changed from the traditional ns6 username format, to the sssd upstream default username@domain format. As we’ve seen here, this is an issue for everyone trying to log on the machine with samba or ssh, or even the server-manager: the @domain suffix is frequently omitted and nothing works as expected. :-1:

Moreover, when migrating from an existing ns6 environment, any network client is configured with the traditional username format, and for this reason it should be reconfigured :-1:

Luckily there’s a workaround for this! My first experiments with ssh, postfix, dovecot, ejabberd and webtop4 are encouraging! :+1:

http://wiki.nethserver.org/doku.php?id=developer:ns7_upgrade#issue_5_-_pam-based_services

The configuration seems compatible with ns6 and ns7 (OpenLDAP). The nethserver-dc module still requires testing.

1 Like

For nethserver-sogo the MySQL db still indexes users on the short username (i.e. LDAP: uid, AD: sAMAccountName)

This makes migration less complicated, user entries for SOGo in MySQL don’t have to be renamed.
Can be done if necessary.

1 Like

Slightly off topic, but it fits in with the comments by @davidep above about handling users.

The change to the sssd format is possibly going to cause issues to people like me, and others, who run Plex, plus possibly @rolf, who asked some questions about running squeezebox, where the software assumes it can add a user, then runs as that user and accesses its data, which quite possibly is on a Samba shared location, where access has been granted.

Cheers.

If the added user has /etc/passwd as backend, there should not be any big issue as long as the filesystem owner is preserved on the Samba shared folder.

But the filesystem owner isn’t the user added to /etc/passwd.

It relies on that owner being part of a filesharing group that is given permissions.

Cheers.

Sorry we’re going too far, I don’t get you: probably I’m missing something important!

Would you mind opening a new topic or pointing me to an existing one?

Good news! I confirm we can use “short usernames” on nethserver-dc, too: @EddieA

[root@nethservice ~]# getent passwd administrator
administrator:*:408400500:408400513:Administrator:/var/lib/nethserver/home/administrator:/usr/libexec/openssh/sftp-server
[root@nethservice ~]# getent passwd administrator@nethesis.it
administrator@nethesis.it:*:408400500:408400513:Administrator:/var/lib/nethserver/home/administrator:/usr/libexec/openssh/sftp-server

2 Likes
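The `getent` comparison shown above can be automated per user. The following is an added example, not part of the original post: it resolves both name forms through NSS (the same path `getent passwd` uses) and reports whether they map to the same uid, gid, home and shell. A mismatch typically means the short name is answered by a different source, such as a local account with the same name. The function names and result strings are this example's own.

```python
import pwd
import sys

# Fields that must agree for both name forms to denote the same account.
IDENTITY_FIELDS = ("pw_uid", "pw_gid", "pw_dir", "pw_shell")

def lookup(name):
    """Resolve a name through NSS; None when no source knows it."""
    try:
        return pwd.getpwnam(name)
    except KeyError:
        return None

def compare(short, qualified):
    """Classify a pair of passwd entries (short name, name@domain)."""
    if short is None and qualified is None:
        return "unknown-user"
    if short is None:
        return "short-name-unresolved"
    if qualified is None:
        return "qualified-name-unresolved"
    diff = [f for f in IDENTITY_FIELDS if getattr(short, f) != getattr(qualified, f)]
    return "mismatch:" + ",".join(diff) if diff else "ok"

def check(user, domain, resolver=lookup):
    """Compare 'user' against 'user@domain' using the given resolver."""
    return compare(resolver(user), resolver(f"{user}@{domain}"))

if __name__ == "__main__" and len(sys.argv) > 2:
    # usage: script.py DOMAIN USER [USER ...]
    for user in sys.argv[2:]:
        print(user, check(user, sys.argv[1]))
```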

Do I need to wait for an update to test this:

[root@Nethserver-Beta ~]# getent passwd eddie
[root@Nethserver-Beta ~]# getent passwd eddie@bogolinux.net
eddie@BogoLinux.net:*:1736601105:1736600513:eddie:/var/lib/nethserver/home/eddie:/bin/bash
[root@Nethserver-Beta ~]#

Cheers.

Yes, it has not been released. Meanwhile you could modify sssd.conf by hand and restart the sssd daemon, following the example on the wiki page:

http://wiki.nethserver.org/doku.php?id=developer:ns7_upgrade#issue_5_-_pam-based_services

1 Like

@davidep
Thank you. That appears to work perfectly, once I’d convinced the Plex configuration that its id really doesn’t have to be, or need to be, in a group called plex in order for systemd to start it. And I can add plex to my filesharing group. :grinning:

I did see one error thrown though, but it didn’t seem to cause any issues:

Nov  3 10:00:12 Nethserver-Beta esmith::event[2809]: ERROR(exception): Failed to remove members "Domain,Guests,Guest" from group "fileshare" - Unable to find "Domain". Operation cancelled.
Nov  3 10:00:12 Nethserver-Beta esmith::event[2809]:  File "/usr/lib64/python2.7/site-packages/samba/netcmd/group.py", line 278, in run
Nov  3 10:00:12 Nethserver-Beta esmith::event[2809]:    add_members_operation=False)
Nov  3 10:00:12 Nethserver-Beta esmith::event[2809]:  File "/usr/lib64/python2.7/site-packages/samba/samdb.py", line 274, in add_remove_group_members
Nov  3 10:00:12 Nethserver-Beta esmith::event[2809]:    raise Exception('Unable to find "%s". Operation cancelled.' % member)
Nov  3 10:00:13 Nethserver-Beta esmith::event[2809]: Added members to group fileshare
Nov  3 10:00:13 Nethserver-Beta esmith::event[2809]: [ERROR] Failed to update the members list of group fileshare at /etc/e-smith/events/group-modify/S40nethserver-dc-group-modify line 80.
Nov  3 10:00:13 Nethserver-Beta esmith::event[2809]: Action: /etc/e-smith/events/group-modify/S40nethserver-dc-group-modify FAILED: 1 [3.679111]

Cheers.

1 Like

Do you have something planned for when it could be released? It might change a lot for me :slight_smile:

If everything is fine, we’ll ship it with rc2. A testing package next week I hope!

Did you already check out the workaround?

I did it but it doesn’t work as expected.

[root@NS7DEV2 ~]# rpm -qa nethserver-sssd
nethserver-sssd-1.0.6-1.17.gdac664a.ns7.noarch

[root@NS7DEV2 ~]# rpm -qa nethserver-directory
nethserver-directory-3.0.2-1.ns7.noarch

Should it work only with nethserver-dc?

[root@NS7DEV2 ~]# getent passwd stephane
[root@NS7DEV2 ~]# getent passwd stephane@stephdl.xxx.org
stephane@stephdl.xxx.org:*:1001:1001:stephane:/var/lib/nethserver/home/stephane:/usr/libexec/openssh/sftp-server

EDIT: in fact the rpm is not the right one :frowning:

There’s no rpm yet! The workaround is a cut-paste to sssd.conf!

Yep it was what I discovered myself :slight_smile:

In fact no errors in logs, I can authenticate with tt-rss which relies on pam also.

It should be added ASAP

2 Likes

Nextcloud also works with nethserver-directory and the sssd trick

2 Likes

A package is available from testing!

yum localinstall http://packages.nethserver.org/nethserver/7.2.1511/testing/x86_64/Packages/nethserver-sssd-1.0.6-1.9.g67cc734.ns7.noarch.rpm

1 Like

As a side note, a clear statement on deprecated/replaced packages, and migration between them, might be helpful when the final version is released, extending the present release notes.

Upgrade from v6.x to v7, and maintenance period of current packages (this might already have been answered somewhere).

This will fill the gaps on common questions like, for instance,

1 Like