Relocating User Accounts


User accounts are sometimes exported from one server and imported to another, while new server installations may have all users created anew. As mentioned in Lesson 7, user accounts can be imported to a server using a third-party application called Passenger. However, it is also very easy to export LDAP users to another server if those accounts already exist in one location on a Mac OS X Server. There are more advanced methods of exporting and importing user accounts, and you should be aware of the options so you can choose the method that best relates to your organization's situation.

Exporting and Importing Users

Once an upgrade plan is in place, it may be necessary to import users from another directory service. Perhaps an AppleShare IP server was used successfully for several years, and it is time to upgrade both the hardware and software. Or perhaps a Windows NT server is being replaced. No matter what directory service is being replaced or augmented, certain criteria must be met before a user can be imported into Mac OS X Server. These criteria take the form of values, attributes, and records. Values are, well, values, such as 501, mwhite, Michelle White, 123 Main St, and can include such information as the shell type (bash in the case of Mac OS X).

Determining Export Requirements

Servers periodically are replaced. Perhaps hardware is changed or the platform is switched. When dealing with user databases, it is important to understand how to properly export user records.

Exporting NetInfo Accounts

Mac OS X and Mac OS X Server use a NetInfo database (NIDB) to store local (not shared) user records. All user attributes and values are stored there with the exception of the user's password, which is stored as a SHA-1 hash in a file under /var/db/shadow/hash. The name of the file is the unique ID generated for each user at the time of account creation. That generated unique ID value is also stored in the generateduid attribute, and NetInfo uses it to locate the file of the same name when it needs to authenticate the user.

For example, when a user is created and given a password, her record in the local NIDB may have attributes and associated values such as those seen below.

Consequently, exports of the local NIDB will not include the user's password, but only the file name of the password hash (which is the value of generateduid).

When exporting NetInfo data, you can use the nidump command-line utility:

 nidump -r /users / > ~/Desktop/mynidbusers 


The next step is to archive the contents of the /var/db/shadow/hash/ directory and move it to the new computer. You may also have to change ownership of the newly-moved files, depending on how you transferred them.

Finally, when a user logs in for the first time, his home directory is created, if none exists. If you archived and moved all the users' home directories, then no further action need be taken. You have successfully migrated local NetInfo users from one computer (such as an older server) to a newer server. These users are still in the local NetInfo database with shadow hash passwords.

Note

While it is important to understand the process involved in handling NetInfo users, it should only be done in emergencies. Ideally, a Mac OS X Server has all accounts in the LDAP directory, and not the NetInfo directory, as NetInfo accounts cannot take full advantage of the granularity offered by an Open Directory master (which is Apple's terminology for running a Lightweight Directory Access Protocol (LDAP) database, the Password Server, and possibly a Kerberos Key Distribution Center). For more information on Open Directory masters and Open Directory in general, refer to the companion book, Apple Training Series: Mac OS X System Administration Reference, Volume 1.


Exporting LDAP Accounts

If you have a Mac OS X Server with LDAP accounts, and you wish to export those accounts, open Workgroup Manager, authenticate, and select your LDAP domain. Select all the users you wish to export from the user's list and choose the Export option from the Server menu, as shown below.

More Info

You can also export group and computer accounts in the same fashion. Since group and computer accounts do not require passwords, there is no real need to custom edit this file.


When exporting users, you are informed that user passwords are not exported, which is for security reasons. This is because passwords are supposed to be secure and nonrecoverable. This is an excellent practice when dealing with security and should not be bypassed. PasswordServer is Apple's process for handling secure storage of passwords for users in a shared (LDAP) database on Mac OS X Server. PasswordServer was designed as a once-in-never-out system. Passwords go in, but they don't come out.

If you wish to set users' passwords prior to importing the users into the new server, you can edit the exported file after the fact to add the passwords to it. Below is a standard header from an exported user file:

 0x0A 0x5C 0x3A 0x2C dsRecTypeStandard:Users 38 dsAttrTypeStandard:RecordName dsAttrTypeStandard:GeneratedUID dsAttrTypeStandard:Password dsAttrTypeStandard:PasswordPolicyOptions dsAttrTypeStandard:UniqueID dsAttrTypeStandard:PrimaryGroupID dsAttrTypeStandard:Comment dsAttrTypeStandard:Expire dsAttrTypeStandard:Change dsAttrTypeStandard:RealName dsAttrTypeStandard:NFSHomeDirectory dsAttrTypeStandard:HomeDirectoryQuota dsAttrTypeStandard:UserShell dsAttrTypeStandard:PrintServiceUserData dsAttrTypeStandard:HomeDirectory dsAttrTypeStandard:MailAttribute dsAttrTypeStandard:MCXSettings dsAttrTypeStandard:Keywords dsAttrTypeStandard:Picture dsAttrTypeStandard:MCXFlags dsAttrTypeStandard:SMBHome dsAttrTypeStandard:SMBHomeDrive dsAttrTypeStandard:SMBProfilePath dsAttrTypeStandard:SMBScriptPath dsAttrTypeStandard:FirstName dsAttrTypeStandard:LastName dsAttrTypeStandard:Street dsAttrTypeStandard:City dsAttrTypeStandard:State dsAttrTypeStandard:PostalCode dsAttrTypeStandard:Country dsAttrTypeStandard:WeblogURI dsAttrTypeStandard:EMailAddress dsAttrTypeStandard:PhoneNumber dsAttrTypeStandard:MobileNumber dsAttrTypeStandard:FAXNumber dsAttrTypeStandard:PagerNumber dsAttrTypeStandard:IMHandle 


Even though it appears that each of these is on its own line, in fact there is no carriage return until after the last attribute name, which in this case is IMHandle. Examining the top line of the file, you can see, in this example, the number 38, which indicates that there are 38 attribute types in this record type (the record type is listed at the beginning of the file, shown here as dsRecTypeStandard:Users).

After this section there is a carriage return followed by the first user account and the associated attributes:

 artie:266E8F7D-E039-4668-8B45-BDFC7CB514A5::isDisabled=0 isAdminUser=0 newPasswordRequired=0 usingHistory=0 canModifyPasswordforSelf=1 usingExpirationDate=0 usingHardExpirationDate=0 requiresAlpha=0 requiresNumeric=0 expirationDateGMT=0 hardExpireDateGMT=0 maxMinutesUntilChangePassword=0 maxMinutesUntilDisabled=0 maxMinutesOfNonUse=0 maxFailedLoginAttempts=0 minChars=0 maxChars=0 passwordCannotBeName=0 requiresMixedCase=0 notGuessablePattern=0 isSessionKeyAgent=0:2003:20::::Artie Fang:/Network/Servers/mini.osxit.com/Users/artie::/bin/bash::<home_dir><url> afp\://mini.osxit.com/Users</url><path>artie</path></home_dir>:::Vol. 2,Flagged for behavior concerns::<?xml version="1.0" encoding="UTF-8"?>\ <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http\://www.apple.com/DTDs/PropertyList-1.0.dtd">\ <plist version="1.0">\ <dict>\           <key>simultaneous_login_enabled</key>\           <false/>\ </dict>\ </plist>\ :::::Artie:Fang:::::::::::: 


The first thing to notice is that there is one carriage return right before the </dict>\ line. Anything after that line is managed preference information.

Also important to note is the information above that line, which matches one-for-one against the attribute list at the top of the file. If you look closely, you will see instances in which more than one colon appears side by side. A look at the first user record shows two colons before the isDisabled=0 value. These empty entries correspond to attributes listed in the header of the file for which the user has no value.

You can add attributes to the header of the file as long as you enter the appropriate data for each user later in the file. The following header shows that one attribute has been added, dsAttrTypeStandard:AuthMethod:

 0x0A 0x5C 0x3A 0x2C dsRecTypeStandard:Users 39 dsAttrTypeStandard:RecordName dsAttrTypeStandard:GeneratedUID dsAttrTypeStandard:AuthMethod dsAttrTypeStandard:Password dsAttrTypeStandard:PasswordPolicyOptions dsAttrTypeStandard:UniqueID dsAttrTypeStandard:PrimaryGroupID dsAttrTypeStandard:Comment dsAttrTypeStandard:Expire dsAttrTypeStandard:Change dsAttrTypeStandard:RealName dsAttrTypeStandard:NFSHomeDirectory dsAttrTypeStandard:HomeDirectoryQuota dsAttrTypeStandard:UserShell dsAttrTypeStandard:PrintServiceUserData dsAttrTypeStandard:HomeDirectory dsAttrTypeStandard:MailAttribute dsAttrTypeStandard:MCXSettings dsAttrTypeStandard:Keywords dsAttrTypeStandard:Picture dsAttrTypeStandard:MCXFlags dsAttrTypeStandard:SMBHome dsAttrTypeStandard:SMBHomeDrive dsAttrTypeStandard:SMBProfilePath dsAttrTypeStandard:SMBScriptPath dsAttrTypeStandard:FirstName dsAttrTypeStandard:LastName dsAttrTypeStandard:Street dsAttrTypeStandard:City dsAttrTypeStandard:State dsAttrTypeStandard:PostalCode dsAttrTypeStandard:Country dsAttrTypeStandard:WeblogURI dsAttrTypeStandard:EMailAddress dsAttrTypeStandard:PhoneNumber dsAttrTypeStandard:MobileNumber dsAttrTypeStandard:FAXNumber dsAttrTypeStandard:PagerNumber dsAttrTypeStandard:IMHandle 


When viewing a user account, you can see that an authentication method and password have been added. (In this case, the password is apple123.)

 artie:dsAuthMethodStandard\:dsAuthClearText:apple123:266E8F7D-E039-4668-8B45-BDFC7CB514A5::isDisabled=0 isAdminUser=0 newPasswordRequired=0 usingHistory=0 canModifyPasswordforSelf=1 usingExpirationDate=0 usingHardExpirationDate=0 requiresAlpha=0 requiresNumeric=0 expirationDateGMT=0 hardExpireDateGMT=0 maxMinutesUntilChangePassword=0 maxMinutesUntilDisabled=0 maxMinutesOfNonUse=0 maxFailedLoginAttempts=0 minChars=0 maxChars=0 passwordCannotBeName=0 requiresMixedCase=0 notGuessablePattern=0 isSessionKeyAgent=0:2003:20::::Artie Fang:/Network/Servers/mini.osxit.com/Users/artie::/bin/bash::<home_dir><url> afp\://mini.osxit.com/Users</url><path>artie</path></home_dir>:::Vol. 2,Flagged for behavior concerns::<?xml version="1.0" encoding="UTF-8"?>\ <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http\://www.apple.com/DTDs/PropertyList-1.0.dtd">\ <plist version="1.0">\ <dict>\               <key>simultaneous_login_enabled</key>\               <false/>\ </dict>\ </plist>\ :::::Artie:Fang:::::::::::: 


Care must be taken if this approach is used, as one small error can affect all the users being imported. A proper template file is useful in this case.
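The header-and-record layout described above (the four delimiter characters in the header, the attribute count, and escaped colons such as afp\:// inside a record) can be checked before an import so that one malformed record does not shift every attribute of that user. The following is an added example, not Apple's code or a Workgroup Manager tool: it parses a constructed export with five attributes and placeholder GUIDs and reports any record whose field count does not match the header.

```python
# Added example (not Apple's code): checker for the Workgroup Manager export format.
# The header's four hex values are end-of-record, escape, field and value separators.
def parse_header(header):
    """Return (delimiters, record_type, attribute_names) from the header line."""
    t = header.split()
    end, esc, fs, vs = (chr(int(x, 16)) for x in t[:4])
    if len(t[6:]) != int(t[5]):
        raise ValueError(f"header claims {t[5]} attributes but lists {len(t[6:])}")
    return (end, esc, fs, vs), t[4], t[6:]

def split_records(body, end, esc, fs):
    """Split body into records and fields; an escaped separator is literal."""
    records, fields, cur, i = [], [], [], 0
    while i < len(body):
        c = body[i]
        if c == esc and i + 1 < len(body):   # e.g. afp\:// or backslash-newline
            cur.append(body[i + 1]); i += 2; continue
        if c in (fs, end):
            fields.append("".join(cur)); cur = []
            if c == end:
                records.append(fields); fields = []
        else:
            cur.append(c)
        i += 1
    if cur or fields:                        # final record lacked an end char
        fields.append("".join(cur)); records.append(fields)
    return records

def check_export(text):
    """Return (records as dicts, problems); a wrong field count shifts every later attribute."""
    header, _, body = text.partition("\n")   # header ends at the first 0x0A
    (end, esc, fs, _vs), _rtype, attrs = parse_header(header)
    good, problems = [], []
    for rec in split_records(body, end, esc, fs):
        if len(rec) != len(attrs):
            problems.append((rec[0], f"{len(rec)} fields, header has {len(attrs)}"))
        else:
            good.append(dict(zip(attrs, rec)))
    return good, problems

# Constructed sample with five attributes; the GUIDs are placeholders.
SAMPLE = (
    "0x0A 0x5C 0x3A 0x2C dsRecTypeStandard:Users 5 dsAttrTypeStandard:RecordName "
    "dsAttrTypeStandard:GeneratedUID dsAttrTypeStandard:Password "
    "dsAttrTypeStandard:UniqueID dsAttrTypeStandard:RealName\n"
    "alice:GUID-1-PLACEHOLDER::1001:Alice Example\n"                      # empty Password
    "bob:GUID-2-PLACEHOLDER::1002:Bob (afp\\://home.example.invalid)\n"   # escaped colon
    "carol:GUID-3-PLACEHOLDER:1003:Carol Example\n"                       # one field short
    "dave:GUID-4-PLACEHOLDER::1004:Dave\\\nExample\n"                      # escaped newline
)
```

Running check_export(SAMPLE) flags only carol; alice, bob and dave parse into attribute dictionaries with the escaped colon and newline restored as literal characters.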

Another method of exporting and importing users is to use the Lightweight Directory Interchange Format (LDIF). Refer to Apple Training Series: Mac OS X System Administration Reference, Volume 1 for more information on the LDIF format and the command-line tools that use it. There are plenty of LDAP command-line options that allow much finer control over how accounts are exported and subsequently imported, and they are not limited to user, group, or computer accounts, as Workgroup Manager is.

Regardless of how the user, group, or computer accounts are exported, you should keep a template file handy for comparison purposes, just in case an import of the same file does not go as planned. Comparing a newly exported file with a file that has been successfully imported in the past is the best way to troubleshoot an import issue. To do this, export two test users (created just for this purpose) while your server is working properly. Delete the user accounts from the server and then import the file to re-create those users. You'll want to practice this to ensure a smooth export/import, as it's very likely you will be under pressure to perform the task should a catastrophic failure or other serious mishap befall your server.

Establishing Import Specifications

Just as important as exporting accounts is establishing how they are imported. You'll also want to optimize the importation of user data to streamline your process and reduce the potential for errors.

Importing NetInfo Accounts

To import NetInfo users, you can use the command

 niload -r /users / < ~/Desktop/mynidbusers 


where the path at the end of the command is the path to your previously exported file.

Care must be taken not to overwrite accounts on the new server that may have the same user ID as an imported account.

Importing LDAP Accounts

Mac OS X Server's LDAP directory requires certain attributes and associated values when importing users if the user experience is to be satisfactory. When moving from one LDAP database to another LDAP database, the Import and Export menu options under File > Import and File > Export handle most of the duties and are the preferred way of transferring user accounts.

When you are importing users who may not have come from another Mac OS X Server export file, whose user IDs and group IDs you want to change, or whom you want to base on a preset, it is important to choose your options wisely, as seen in the following figure. Also, setting the Logging Detail to Detailed will help provide information when things don't go quite as expected. Choosing a preset is an excellent way to reduce the amount of time spent tweaking each user's settings.

Again, the one component where you will have to make a change is the password. Unless you have specifically set up the file to be imported with passwords, you will have to reset every user's password. This is not as difficult as it seems.

You simply import the file, select all the users, and do a mass change of password to a known single password. Then, you check the box that requires the password to be changed at the next login, as shown below.

This forces all users, whose passwords currently are all identical, to change their passwords as soon as they log in.

Creating User Accounts

Instead of importing users, you can always create them from scratch. Before creating user accounts, ensure that you have all the correct information in front of you. It's a good idea not to write down user passwords unless you are certain that no one can see the papers during the creation process and that you can destroy the papers after the user creation is finished.

Adding Basic Information

The Basic pane is used to enter the user's long name, short name, and password. You can add more short names, temporarily prevent the user from logging in, and grant various administrative abilities.

The Basic pane of Workgroup Manager's user account creation pane.

Viewing Advanced Options

In the Advanced pane are the options to change the shell type and password type, and add comments and keywords. You can also adjust the user's password variables by clicking the Options button.

In the Advanced pane are controls for password variables and simultaneous logins, among other options.

Viewing Group Association

The Groups pane shows the groups of which the user is a member, and includes the option to show any nested groups, as shown in the following figure. You can also change the user's primary group ID.

Locating the Home Folder

The Home pane is used to direct the user account to locate its home folder by providing a path to that folder. (This setting is managed by the server administrator.) Every possible location for a home folder that is initially listed must be a share point on the server; however, the home folder can be located on any folder on any server, over the AFP, SMB, or NFS protocol.

Once you choose a folder location, clicking the Create Home Now button causes the home folder to be created automatically from the template when you click the Save button. A quota can also be placed on every location where that user has write access on the volume containing her home folder.

Setting Mail and User Information

The Mail and Info panes are used to add an email address (or forward email to another address) and to enter user information such as address, city, state, zip code, and phone number.

Setting Printer Quotas

Each user can have printer quotas; that is, users can be restricted as to the printer queues to which they can print and the number of pages per printer. Quotas that have been exceeded can be reset by clicking the Restart Print Quota button.




Apple Training Series: Mac OS X v10.4 System Administration Reference, Volume 2
ISBN: 0321423151
Year: 2006
Pages: 128