Upgrade from NethServer 6

The upgrade from NethServer 6 to NethServer 7 is obtained by means of three methods:

Warning

Before running the upgrade procedure, read carefully all the sections of this chapter. Please also read Discontinued packages.

Note

During the whole upgrade process, all network services will be inaccessible.

Accounts provider

There are different upgrade scenarios, depending on how the source machine was configured.

  • If the source system was a NT Primary Domain Controller (Samba server role was Primary Domain Controller – PDC) or a standalone file server (role was Workstation – WS), refer to Primary Domain Controller and Workstation upgrade.

  • If the source system was joined to an Active Directory domain (Samba server role was Active Directory member – ADS), refer to Active Directory member upgrade.

  • In any other case, the LDAP server is upgraded automatically to local LDAP accounts provider, preserving existing users, passwords and groups.

Primary Domain Controller and Workstation upgrade

After the restore procedure, go to Accounts provider page and select the Upgrade to Active Directory procedure. The button will be available only if network configuration has already been fixed accordingly to the new hardware.

The following accounts are ignored by the upgrade procedure because they are already provided by Samba Active Directory:

  • administrator

  • guest

  • krbtgt

An additional, free, IP address from the green network is required by the Linux container to run the local Active Directory accounts provider.

For instance:

  • server IP (green): 192.168.98.252

  • free additional IP in green network: 192.168.98.7

Ensure there is a working Internet connection:

# curl -I http://packages.nethserver.org/nethserver/
HTTP/1.1 200 OK

For more information about the local Active Directory accounts provider, see Samba Active Directory local provider installation.

Shared folder connections may require further adjustment.

Warning

Read carefully the Shared folders section, because the connection credentials may change when upgrading to NethServer 7.

The upgrade procedure preserves user, group and computer accounts.

Warning

Users not enabled for Samba in NethServer 6 will be migrated as locked users. To enable these locked users, the administrator will have to set a new password.

Active Directory member upgrade

After restoring the configuration, join the server to the existing Active Directory domain from the web interface. For more information see Join an existing Active Directory domain.

At the end, proceed with data restore.

Warning

Mail aliases from AD server are not imported automatically!

Shared folders

Shared folders have been split into two packages:

  • “Shared folders” page configures only Samba SMB shares; it provides data access using CIFS/SMB protocol and can be used to share files among Windows and Linux workstations

  • The “Virtual hosts” panel provides HTTP and FTP access, it has been designed to host web sites and web applications

SMB access

In NethServer 7 the SMB security model is based on Active Directory. As consequence when upgrading (or migrating) a file server in Primary Domain Controller (PDC) or Standalone Workstation (WS) role the following rule apply:

When connecting to a shared folder, the NetBIOS domain name must be either prefixed to the user name (i.e. MYDOMAIN\username), or inserted in the specific form field.

The upgrade procedure enables the deprecated 1 NTLM authentication method to preserve backward compatibility with legacy network clients, like printers and scanners.

Warning

Fix the legacy SMB clients configuration, then disable NTLM authentication.

  • Edit /var/lib/machines/nsdc/etc/samba/smb.conf

  • Remove the ntlm auth = yes line

  • Restart the samba DC with systemctl -M nsdc restart samba

1

Badlock vulnerability http://badlock.org/

HTTP access

Every shared folder with web access configured in NethServer 6 can be migrated to a virtual host directly from the web interface by selecting the action Migrate to virtual host. After the migration, data inside the new virtual host will be accessible using only FTP and HTTP protocols.

See also Virtual hosts for more information about Virtual hosts page.

Mail server

All mailboxes options like SPAM retention and quota, along with ACLs, user shared mailboxes and subscriptions are preserved.

Mailboxes associated to groups with Deliver the message into a shared folder option enabled, will be converted to public shared mailboxes. The public shared folder will be automatically subscribed by all group members, but all messages will be marked as unread.

TLS policy

In NethServer 7 the services configuration can adhere to TLS policy. Before upgrading, the network clients must be checked against the available policy identifiers.

Warning

An old network client can fail to connect if its TLS ciphers are considered invalid

The policy identifier selected by the upgrade procedure depends on the NethServer version and is documented in Release notes 7.

Let’s Encrypt

Let’s Encrypt certificates are restored during the process, but will not be automatically renewed.

After the upgrade process has been completed, access the web interface and reconfigure Let’s Encrypt from the Server certificate page.

Owncloud and Nextcloud

In NethServer 7, Owncloud has officially been replaced by Nextcloud.

However Owncloud 7 is still available to avoid service disruption after the upgrade.

Note

In case of upgrade from local LDAP to Samba AD, user data inside Owncloud will not be accessible either from the web interface or desktop/mobile clients. In such case, install and migrate to Nextcloud after the upgrade to Samba Active Directory has been completed.

From Nextcloud 13, the migration from Owncloud to Nextcloud is not supported anymore.

Users should replace Owncloud clients with Nextcloud ones 2, then make sure to set the new application URL: https://<your_server_address>/nextcloud.

2

Nextcloud clients download https://nextcloud.com/install/#install-clients

Perl libraries

In NethServer 7, perl library NethServer::Directory has been replaced by NethServer::Password. Please update your custom scripts accordingly.

Example of old code:

use NethServer::Directory;
NethServer::Directory::getUserPassword('myservice', 0);

New code:

use NethServer::Password;
my $password = NethServer::Password::store('myservice');

Documentation available via perldoc command:

perldoc NethServer::Password

Upgrade from backup

  1. Make sure to have an updated backup of the original installation.

  2. Install NethServer 7 using the most recent ISO and complete the initial steps using the first configuration wizard. The new machine must have the same hostname of the old one, to access the backup set correctly. Install and configure the backup module.

  3. Restore the configuration backup using the web interface. The network configuration is restored, too! If any error occurs, check the /var/log/messages log file for further information:

    grep -E '(FAIL|ERROR)' /var/log/messages
    
  4. If needed, go to Network page and fix the network configuration accordingly to the new hardware. If the machine was joined to an existing Active Directory domain, read Active Directory member upgrade.

  5. Complete the restore procedure with the following command:

    restore-data -b <name>
    

    where name is the name of the configured data backup.

    Note

    By default, the name of the backup-data configured on NethServer 6 is backup-data

  6. Check the restore logs:

    /var/log/restore-data.log
    /var/log/messages
    
  7. Each file under /etc/e-smith/templates-custom/ must be manually checked for compatibility with version 7.

Warning

Do not reboot the machine before executing the restore-data procedure.

Upgrade with rsync

The process is much faster than a traditional backup and restore, also it minimizes the downtime for the users.

Before starting make sure to have:

  • a running NethServer 6 installation, we will call it original server or source server

  • a running NethServer 7 installation with at least the same disk space of the source server, and latest updates installed; we will call it destination server

  • a working network connection between the two severs

Please also make sure the source server allows root login via SSH key and password.

Sync files

The synchronization script copies all data using rsync over SSH. If the destination server doesn’t have any SSH keys, the script will also a pair of RSA keys and copy the public key to the source server. All directories excluded from the backup data will not be synced.

On the target machine, execute the following command:

screen rsync-upgrade <source_server_name> [ssh_port]

Where

  • source_server_name is the host name or IP of the original server

  • ssh_port is the SSH port of the original server (default is 22)

Example:

screen rsync-upgrade mail.nethserver.org 2222

When asked, insert the root password of the source server, make a coffee and wait patiently.

The script will not perform any action on the source machine and can be invoked multiple times.

Sync and upgrade

If called with -u option, rsync-upgrade will execute a final synchronization and upgrade the target machine.

Example:

screen rsync-upgrade -u mail.nethserver.org 2222

The script will:

  • close access to every network service on the source machine (except for SSH and httpd-admin)

  • execute pre-backup-config and pre-backup-data event on the source machine

  • sync all remaining data

  • execute restore-config on the destination machine

If rsync-upgrade terminates without loosing the network connection,

  1. Disconnect the original ns6 from network, to avoid IP conflict with the destination server

  2. Access the server manager UI and fix the network configuration from the Network page

Otherwise, if during rsync-upgrade the network connection is lost, it is likely that the source and destination servers have an IP conflict:

  1. Disconnect the original ns6 from network,

  2. From a ns7 root console run the command:

    systemctl restart network
    
  3. Then grab the screen device:

    screen -r -D
    

At the end of rsync-upgrade run the following steps:

  1. If the source system was a NT Primary Domain Controller (Samba server role was Primary Domain Controller – PDC) or a standalone file server (role was Workstation – WS), refer to Primary Domain Controller and Workstation upgrade.

  2. If the source system was joined to an Active Directory domain (Samba server role was Active Directory member – ADS), refer to Active Directory member upgrade.

  3. Go back to the CLI and call the post-restore-data event on the destination machine:

    signal-event post-restore-data
    
  4. Check the restore logs for any ERROR or FAIL message:

    /var/log/restore-data.log
    /var/log/messages
    
  5. Each file under /etc/e-smith/templates-custom/ must be manually checked for compatibility with version 7.

Warning

Do not reboot the machine before executing the post-restore-data event.

Upgrade with Upgrade tool

The Upgrade tool module make it possible an in-place upgrade of NethServer from version 6 to version 7 with an automated procedure.

Please refer to the Upgrade tool page of NethServer 6 Administrator Manual.