Articles April 11, 2008 at 4:50 pm

OpenDirectory recipe for 10.4 to 10.5 Migration, keeping your SID intact

As part of some self-documentation, I posted on my personal blog exactly what works and where I found the help for getting an OpenDirectory 10.5 Server running from a 10.4 production box. The twist is that I needed to keep my SID and other PDC functionality that I've inherited up from 10.3.9. Yes, it can be done, and no, you can't upgrade. Below is the reprint from my blog, which I'm posting here for posterity:

In EE we've migrated over from various AD and OpenLDAP
installations to what we hope is a more manageable solution long term.
Sadly, upgrading OpenDirectory (MacOSX OpenLDAP-based directory
services) from 10.4 to 10.5 doesn't work as Apple states it would.
Here's the complete recipe we used to keep our data, our passwords, and
most importantly, our domain SID. Apple tends to not care about
maintaining the SID in various replica-to-master promotion steps. 

As noted above and in other postings, in-place upgrades do not work. What needs to be done instead is this:

10.4 Server:

1) In Server Admin, select Open Directory and, under the Archive tab,
generate an archive of the Open Directory database. Place it in the admin
home directory.

2) For safekeeping, copy /var/db/samba/secrets.tdb to the admin home
directory. Note that secrets.tdb holds the Samba machine account password,
the LDAP admin bind password and the domain SID, so keep the copy readable
by the admin only rather than by all, and delete the copies once the
migration is done.

3) Get the current SID by running, as root or via sudo, "net getdomainsid EE",
where EE is the domain being supported. Save the output in the admin home
directory.

4) Copy the above three files/directories off to a third-party machine.

10.5 Server:

1) Install fresh, using the exact same IP address and host name as the 10.4
server. You'll likely need to have the two on their own private network.
Also note that without a link on the primary interface, smb, dns and
opendirectory don't work, so connect to the third-party machine listed
above; in my case that was my laptop's physical connection, which I
assigned to the private net.

2) You'll need DNS set up temporarily, so create a DNS server for your
domain and create a host entry for yourself. Point the local network
settings at yourself as DNS server.

3) copy over the files saved from 10.4 from the laptop/3rd party machine

4) Make an OpenDirectory Master, using the correct domain "dc=ee,dc=stanford,dc=edu" and correct KRB realm "EE.STANFORD.EDU"

5) import the archive of 10.4

6) run as root "mkpassdb -kerberize"

7) Create a new PDC config for Windows. Use the directoryadmin
account/password to give Samba correct access to the Open Directory DB.

8) Edit /var/db/smb.conf to match the /etc/smb.conf entries you had on
10.4. Likely you'll want to set "local path = " and add "admin users =
directoryadmin, domainjoin, @admin" or the like, where the first is the
directory admin account, the second is a PDC join account that can't log
in but has directory admin rights, and @admin includes anyone in the admin
group.

9) run as root "chflags uchg /var/db/smb.conf" to freeze your samba config. Recommend making a copy as well in the same dir.

10) run as root "net setdomainsid (SID)" where SID is the one you saved from 10.4

11) Go into Workgroup Manager. Change preferences to enable the Inspector.
In the Inspector select "Config" and then "CIFSServer". The two Value
lines beginning "xml version.." need to be opened with Edit; replace the
SID line in each with the SID you just set.

12) Restart Samba/Windows services. Check the SID with, as root, "net
getdomainsid" and "net getlocalsid EE" or the like. If anything didn't
stick, do steps 10 and 11 again.

13) Before going live, remove the reference to the local DNS in Network
preferences, and optionally disable the DNS service. This setup was also
only tested with the WINS service enabled, with this server as the WINS
server.

14) Test, test, test from Windows, including domain logins, enumeration of
groups in Windows for adding domain users, etc. The logs may show if
accounts are failing.

On Windows, the simplest tests use the utility "nltest", which ships in the
free Support Tools (it may not be installed by default). "nltest /?" lists
the commands, although the OS X Samba only supports some of them.

List the PDC and BDCs:

    nltest /dclist:your_domain

    C:\>nltest /dclist:ee
    Domain 'ee' is pre Windows 2000 domain. (Using NetServerEnum).
    List of DCs in Domain ee
        EE-OD (PDC)
    The command completed successfully

Verify the secure channel:

    nltest /sc_query:your_domain

    C:\>nltest /sc_query:ee
    Flags: 0
    Trusted DC Name EE-OD
    Trusted DC Connection Status Status = 0 0x0 NERR_Success
    The command completed successfully


To do a more detailed check, you can open the Windows Manager and try
to look at the members of the Administrator group for the machine. When
we had trouble, it just showed raw SID numbers, even for EEDomAdmins.
Once it was fixed, then that showed correctly.
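Added here as an example (not from the original post): a small POSIX shell script that automates the check in step 12 on the 10.5 server, comparing the SID saved in step 3 of the 10.4 section against what "net getdomainsid" reports after step 10. The two-line output format of "net getdomainsid" ("SID for local machine ... is:" / "SID for domain ... is:") and the SID values are assumptions; the sample outputs below are constructed, not captured from a server.

```shell
#!/bin/sh
# Added example, not from the original post: verify that the domain SID
# restored with "net setdomainsid" matches the SID saved from the 10.4
# server, and that both the domain and local-machine SIDs report it.
#
# Assumption: Samba 3's "net getdomainsid" prints the two lines
#   SID for local machine <host> is: <SID>
#   SID for domain <domain> is: <SID>
# The samples below are constructed, not captured from a real server.

# Constructed sample output, as if from: sudo net getdomainsid
SAMPLE_NET_OUTPUT='SID for local machine EE-OD is: S-1-5-21-1234567890-987654321-1122334455
SID for domain EE is: S-1-5-21-1234567890-987654321-1122334455'

# Constructed sample of the failure mode in the cheat sheet: a re-promotion
# generated a fresh domain SID while the local machine kept the old one.
SAMPLE_MISMATCH='SID for local machine EE-OD is: S-1-5-21-1234567890-987654321-1122334455
SID for domain EE is: S-1-5-21-5555555555-6666666666-7777777777'

# extract_sid "<net output>" "local machine"|"domain"
# Prints the SID from the matching line (first match only), nothing if absent.
extract_sid() {
    printf '%s\n' "$1" | sed -n "s/^SID for $2 .* is: \(S-[0-9][0-9-]*\)\$/\1/p" | head -n 1
}

# is_domain_sid <sid>
# True when <sid> has the S-1-5-21-<sub>-<sub>-<sub> shape of an NT domain SID
# (well-known SIDs such as S-1-5-32-544 are rejected on purpose).
is_domain_sid() {
    printf '%s\n' "$1" | grep -Eq '^S-1-5-21-[0-9]+-[0-9]+-[0-9]+$'
}

# check_sid <saved sid> "<net output>"
# Returns 0 when the saved SID is well-formed and both reported SIDs equal it;
# otherwise reports what differs on stderr and returns 1 (repeat steps 10-12).
check_sid() {
    saved=$1
    domain_sid=$(extract_sid "$2" domain)
    local_sid=$(extract_sid "$2" "local machine")
    status=0
    if ! is_domain_sid "$saved"; then
        echo "saved SID '$saved' is not a well-formed domain SID" >&2
        return 1
    fi
    if [ "$domain_sid" != "$saved" ]; then
        echo "domain SID is '$domain_sid', expected '$saved'" >&2
        status=1
    fi
    if [ "$local_sid" != "$saved" ]; then
        echo "local machine SID is '$local_sid', expected '$saved'" >&2
        status=1
    fi
    return $status
}

# Real use on the 10.5 server, after step 10 (paths are assumptions):
#   saved=$(extract_sid "$(cat ~/saved-sid.txt)" domain)   # file from 10.4 step 3
#   check_sid "$saved" "$(sudo net getdomainsid)" && echo "SID intact"
```

Run it with the saved output from the 10.4 box; a non-zero exit means one of the two SIDs did not stick, which is the same condition the cheat sheet describes as "wrong sid" in passdb.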

Error cheat sheet:

  1. If the smb logs show that directoryadmin or domainjoin and the like have
    the "wrong sid" in passdb, you'll need to demote the Windows service to
    workgroup and promote it back to PDC. Run "chflags nouchg
    /var/db/smb.conf" first, and copy back your saved copy after the
    repromotion, as the file will be rewritten. Then do steps 9-12 above
    again.

  2. If Kerberos isn't effectively working on clients, you may need to
    reimport the Open Directory archive, rerun "mkpassdb -kerberize" and
    follow the demote/promote steps above.
