Cool Solution - Single Server Backup and Restore for UCS 4.3

Note: Cool Solutions are articles documenting additional functionality based on Univention products. Not all of the steps shown in this article are covered by Univention Support. If you have questions about your support coverage, contact your contact person at Univention before implementing any of the steps shown.


The built-in domain structure of UCS allows systems with the role UCS Backup to take over the function of the UCS Master. However, at least two servers are needed to use this feature. The following guide therefore describes how to manually save and restore OpenLDAP, Samba/AD and the users' home directories in a single-server environment.


Warning: Do NOT use this guide if you have more than one UCS server in your domain.

Note: This guide has to be executed manually. It is not designed to be run as an automatically executed script.

Note: This guide is only designed to restore the most elementary and crucial settings and files. Additional shares, functions and services, including their settings, have to be saved in addition to what is covered here.

Note: For the purpose of this guide, we will assume that there are no changes to the system other than those made through UCR and by installed packages.


Files to Backup

To restore the system later, a number of files have to be backed up. We group these files by their purpose.

Some of these backup files are created by cronjobs and only exist after the cronjob has run successfully. The respective cronjobs are mentioned below; the scripts they call can also be executed manually to create up-to-date backups.

For the purpose of this guide we will assume that all files are backed up under the prefix /mnt/backup, with their original path following.

/home/Administrator/file.txt would thus turn into the backup /mnt/backup/home/Administrator/file.txt.

/var/univention-backup

The directory /var/univention-backup contains the LDAP backup as well as the backups of Samba (the sysvol share) and the Univention Config Registry. It is therefore essential that the whole directory is backed up. The cronjobs that create these backups are located in /etc/cron.d and are called

/etc/cron.d/univention-config-registry-backup
/etc/cron.d/univention-ldap-server
/etc/cron.d/univention-samba4-backup

Machine Passwords

In addition to the LDAP data, a number of passwords used to manage the server are needed. They are stored as files in /etc/ that are readable only by root, and their backup copies must be protected just as strictly.

It is recommended that you back up all .secret files stored in /etc/.

The following files are the essentials:

/etc/backup-join.secret
/etc/idp-ldap-user.secret
/etc/ldap-backup.secret
/etc/ldap.secret
/etc/libnss-ldap.secret
/etc/listfilter.secret
/etc/machine.secret
/etc/pam_ldap.secret
/etc/slave-join.secret

Software Revision

To save the installed package selection and the list of installed App Center apps for a later restore, run the following commands:

dpkg --get-selections '*' > /mnt/backup/selection_dpkg_$(date +%Y%m%d).txt
ucr search --brief --value 'installed' | awk -F '/' '/^appcenter\/apps\/.*\/status: installed$/ {print $3}' > /mnt/backup/selection_univention_$(date +%Y%m%d).txt

Software Revision alternative

A possibly more convenient way to save and restore your software revision is apt-clone (which saves the package list and the sources) combined with dpkg-repack (which repacks installed packages that are not downloadable from any configured repository). Both tools have to be installed from the unmaintained repository. Note that the first command enables that repository permanently; set it back to 'no' afterwards if you do not want it enabled:

ucr set repository/online/unmaintained='yes'
univention-install apt-clone dpkg-repack

Create the backup on the old server:

apt-clone clone --with-dpkg-repack /mnt/backup/

Restore the backup on the new destination machine (apt-clone names the archive after the host it was created on):

apt-clone restore /mnt/backup/apt-clone-state-*.tar.gz

User Home Directories

By default, the user home and profile directories are located in

/home

In addition to the directory content, the permissions on these directories, including POSIX ACLs, have to be saved. Save them with the following command after you have saved the directories themselves. getfacl records the entries relative to /, which is why the restore later starts with cd /; it also records users and groups by name, so they must be resolvable again (LDAP restored) before the ACLs are restored:

getfacl -R /home > /mnt/backup/home_acl_$(date +%Y%m%d)

GPOs

The GPOs (the sysvol share) are automatically saved in

/var/univention-backup/samba/

The responsible cronjob is located at /etc/cron.d/univention-samba4-backup

In addition to the automatically saved directory content, the permissions on the sysvol directories have to be saved too. Save them with the following command after the directories have been saved:

getfacl -R /var/lib/samba/sysvol > /mnt/backup/samba_sysvol_$(date +%Y%m%d)
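The following script is an added example and not part of this Cool Solution or of Univention's own tooling. It carries out the backup steps described above in one run: it copies /var/univention-backup, the /etc/*.secret files and /home into the backup tree under the /mnt/backup prefix with their original paths, dumps the ACLs of /home and the sysvol share, records the package and app lists, and writes a SHA-256 manifest so a restore can detect a truncated or tampered copy before anything is imported. The variable names, function names and the UCS_BACKUP_RUN switch are assumptions of this example; the ucr and dpkg invocations are those shown above.

```shell
#!/bin/sh
# Added example, not part of the Cool Solution or of Univention's tooling.
# Collects the files listed above into a backup tree under $BACKUP_ROOT,
# keeping each file's original absolute path below that prefix, e.g.
# /etc/ldap.secret becomes /mnt/backup/etc/ldap.secret. The full backup only
# runs when UCS_BACKUP_RUN=1 is set, so the functions can also be sourced.
set -eu

BACKUP_ROOT="${BACKUP_ROOT:-/mnt/backup}"
STAMP="$(date +%Y%m%d)"

# Copy one file or directory tree into the backup, preserving path, owner,
# mode and timestamps. A missing source is an error (set -e aborts the run):
# a backup that silently lacks the LDAP dump is worse than none.
backup_path() {
    src="$1"; dest_root="$2"
    if [ ! -e "$src" ]; then
        echo "error: $src does not exist" >&2
        return 1
    fi
    mkdir -p "$dest_root$(dirname "$src")"
    cp -a "$src" "$dest_root$(dirname "$src")/"
}

# The *.secret files are cleartext credentials: force mode 0600 on the copies
# so the backup medium does not end up more readable than /etc itself.
backup_secrets() {
    etc_dir="$1"; dest_root="$2"
    for f in "$etc_dir"/*.secret; do
        [ -e "$f" ] || continue
        backup_path "$f" "$dest_root"
        chmod 0600 "$dest_root$f"
    done
}

# ACL dump for a later 'setfacl --restore'. -p records absolute names, so the
# restore does not depend on the working directory. Entries name users and
# groups, which must be resolvable (LDAP restored, NSS working) at restore time.
dump_acls() {
    dir="$1"; out="$2"
    if ! command -v getfacl >/dev/null 2>&1; then
        echo "error: getfacl not found, cannot dump ACLs of $dir" >&2
        return 1
    fi
    getfacl -R -p "$dir" > "$out"
}

# Package selection and App Center app list, as in the two commands above;
# skipped silently where dpkg or ucr are not available (non-UCS test hosts).
save_software_revision() {
    dest_root="$1"
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --get-selections '*' > "$dest_root/selection_dpkg_$STAMP.txt"
    fi
    if command -v ucr >/dev/null 2>&1; then
        ucr search --brief --value 'installed' \
            | awk -F '/' '/^appcenter\/apps\/.*\/status: installed$/ {print $3}' \
            > "$dest_root/selection_univention_$STAMP.txt"
    fi
}

# SHA-256 manifest of every file in the backup, so a restore can detect a
# truncated or tampered copy before anything is imported.
write_manifest() {
    dest_root="$1"
    ( cd "$dest_root" && find . -type f ! -name MANIFEST.sha256 -exec sha256sum {} + ) \
        > "$dest_root/MANIFEST.sha256"
}

verify_manifest() {
    ( cd "$1" && sha256sum -c MANIFEST.sha256 >/dev/null )
}

main() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "error: must run as root to read /etc/*.secret and /home" >&2
        exit 1
    fi
    mkdir -p "$BACKUP_ROOT" && chmod 0700 "$BACKUP_ROOT"
    backup_path /var/univention-backup "$BACKUP_ROOT"
    backup_secrets /etc "$BACKUP_ROOT"
    backup_path /home "$BACKUP_ROOT"
    dump_acls /home "$BACKUP_ROOT/home_acl_$STAMP"
    dump_acls /var/lib/samba/sysvol "$BACKUP_ROOT/samba_sysvol_$STAMP"
    save_software_revision "$BACKUP_ROOT"
    write_manifest "$BACKUP_ROOT"
    echo "backup written to $BACKUP_ROOT, manifest: $BACKUP_ROOT/MANIFEST.sha256"
}

if [ "${UCS_BACKUP_RUN:-0}" = 1 ]; then
    main
fi
```

Run it as root on the UCS Master with UCS_BACKUP_RUN=1 (optionally BACKUP_ROOT pointing at the mounted backup medium). Run the cronjob scripts mentioned above first, so that the tarballs in /var/univention-backup are current, and run verify_manifest on the copy before you rely on it.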

Restore of the UCS Master

Follow the steps below in order. It is essential that each step is completed before the next one is started. For the purpose of this guide we will assume that all files are found under the prefix /mnt/backup with their original path following, as explained above.

Install the new server

Install the new server with the same hostname and IP address as the old one, in the role UCS Master, and with the same major, minor and patch level as before.

Restoring the configuration

The server's configuration is stored in UCR variables. Their values have to be restored so that the server runs with the same settings as before. Start by unpacking the last saved revision of your variables from /var/univention-backup into the current directory:

tar zxvf /mnt/backup/var/univention-backup/ucr-backup_<DATE>.tgz

Then overwrite the current configuration files with the extracted ones and commit the templates:

cp ./bas* /etc/univention/
ucr commit

Restore of the software installation

The following commands restore the software previously installed on the server, including the apps installed via the Univention App Center. The UCR data restored in the previous step still marks those apps as installed, so the loop first removes that stale registration before installing each app:

for app in $(cat /mnt/backup/selection_univention_<DATE>.txt); do
    if [ "$(ucr get appcenter/apps/$app/status)" = "installed" ]; then
        univention-app register --undo-it $app
    fi
    univention-app install $app
done

Then restore the package selection:

dpkg --set-selections < /mnt/backup/selection_dpkg_<DATE>.txt
univention-install $(awk '/\tinstall/ {print $1}' /mnt/backup/selection_dpkg_<DATE>.txt)

LDAP & Samba Restore

Before restoring the LDAP data, stop all LDAP and Samba related services with the following commands:

service slapd stop
service univention-directory-listener stop
service univention-directory-notifier stop
service univention-s4-connector stop
service samba stop

If you use Samba/AD, it is essential that the SIDs from the restored LDAP are written to Samba/AD during the import instead of Samba allocating new ones, so that the existing SIDs survive the restore. To do so, set the UCR variable connector/s4/mapping/sid_to_s4 to true:

ucr set --force connector/s4/mapping/sid_to_s4='true'

Now delete the old LDAP database and re-create its DB_CONFIG from the UCR template:

rm -r /var/lib/univention-ldap/ldap/*
ucr commit /var/lib/univention-ldap/ldap/DB_CONFIG

To have a usable LDAP after the restore, copy the following files from the backup back onto the server, replacing any existing files and preserving their owner and mode (for example with cp -p):

/etc/backup-join.secret
/etc/idp-ldap-user.secret
/etc/ldap-backup.secret
/etc/ldap.secret
/etc/libnss-ldap.secret
/etc/listfilter.secret
/etc/machine.secret
/etc/pam_ldap.secret
/etc/slave-join.secret

Unpack and import the latest LDAP backup, then start slapd again:

gzip -d /mnt/backup/var/univention-backup/ldap-backup_<DATE>.ldif.gz
slapadd -l /mnt/backup/var/univention-backup/ldap-backup_<DATE>.ldif
service slapd start

Empty the cache of the Univention Directory Listener:

rm -r /var/lib/univention-directory-listener/*

If you are using an older backup, you might have to reset the password of the UCS Master machine account to the one in the restored /etc/machine.secret:

udm computers/domaincontroller_master modify \
--binddn uid=Administrator,cn=users,$(ucr get ldap/base) \
--bindpwd <Administrator password> \
--dn $(ucr get ldap/hostdn) \
--set password=$(cat /etc/machine.secret)

Both passwords appear on the command line, and thus in the process list, while udm runs; udm also accepts --bindpwdfile <file> in place of --bindpwd if you want to keep the Administrator password out of it.

Lastly, Samba/AD has to be reinitialised. Edit the file

/usr/lib/univention-install/.index.txt

with your preferred editor and remove every line starting with one of the following names. Entries can occur more than once, and not all of them have to be present:

univention-samba4
libunivention-ldb-modules
univention-s4-connector
univention-samba4-dns

Now, the directory listener and notifier can be restarted:

service univention-directory-notifier start
service univention-directory-listener start

Now open the Univention Management Console, select the UCS Master in the Computers module and open the “Advanced settings” tab. In the Services section, remove the entries “Samba 4” and “S4 Connector” and save the changes.

Execute the outstanding join scripts and commit all UCR templates; this rebuilds Samba/AD and reapplies all changes made by LDAP policies:

univention-run-join-scripts
ucr commit

After that, rebuild the UMC portal page; otherwise the portal shows duplicate entries:

cp /usr/share/univention-portal/portal-unjoined.json /usr/share/univention-portal/portal.json
univention-directory-listener-ctrl resync portal
univention-directory-listener-ctrl resync portal_entry
univention-directory-listener-ctrl resync portal_category

Now you can safely unset the Samba 4 SID variable:

ucr unset --force connector/s4/mapping/sid_to_s4

Finally, reboot the system.
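The following helper functions are an added example for three of the steps above (copying the .secret files back with root-only permissions, checking the LDAP dump against the server's ldap/base before slapadd, and pruning the join-script index); they are not part of this Cool Solution or of Univention's tooling. They take explicit paths so they can be tried on a scratch directory first; the assumed invocations on the real server are shown in the header comment. The functions only match .index.txt lines by prefix, as the instructions above require, and make no assumption about the rest of the line format.

```shell
#!/bin/sh
# Added example, not part of the Cool Solution or of Univention's tooling.
# Assumed use on the new UCS Master:
#   restore_secrets /mnt/backup /etc
#   check_ldif_base /mnt/backup/var/univention-backup/ldap-backup_<DATE>.ldif.gz "$(ucr get ldap/base)"
#   strip_join_index /usr/lib/univention-install/.index.txt
set -eu

# Copy the *.secret files from the backup tree (prefix + original path) back
# into etc_dir, forcing root ownership and mode 0600 whatever the backup medium
# preserved. Returns 1 if the backup contains no .secret file at all, so a
# wrong prefix is noticed instead of silently restoring nothing.
restore_secrets() {
    backup_root="$1"; etc_dir="$2"; n=0
    for f in "$backup_root$etc_dir"/*.secret; do
        [ -e "$f" ] || continue
        target="$etc_dir/$(basename "$f")"
        cp "$f" "$target"
        chmod 0600 "$target"
        chown root:root "$target" 2>/dev/null || true   # no-op when run unprivileged on a scratch tree
        n=$((n + 1))
    done
    [ "$n" -gt 0 ]
}

# Refuse to slapadd a dump whose root entry is not this server's ldap/base:
# the restore relies on the new server having been installed under the same
# domain as the old one. Accepts plain or gzip-compressed LDIF; the DN
# comparison is case-insensitive, as DNs are.
check_ldif_base() {
    ldif="$1"; base="$2"
    case "$ldif" in
        *.gz) reader="gzip -dc" ;;
        *)    reader="cat" ;;
    esac
    if $reader "$ldif" | grep -qiFx "dn: $base"; then
        return 0
    fi
    echo "error: $ldif has no entry 'dn: $base' (wrong domain or truncated dump)" >&2
    return 1
}

# Remove the Samba/AD related entries from the join-script index so that
# univention-run-join-scripts runs those join scripts again. Lines are matched
# by prefix, as the instructions above require; the original is kept as .bak.
strip_join_index() {
    index="$1"
    cp -p "$index" "$index.bak"
    awk '/^univention-samba4/ || /^libunivention-ldb-modules/ || /^univention-s4-connector/ || /^univention-samba4-dns/ { next }
         { print }' "$index.bak" > "$index"
}
```

Source the file on the new master and call the three functions at the corresponding points of the procedure: restore_secrets after the LDAP database has been deleted, check_ldif_base immediately before slapadd, and strip_join_index in place of editing .index.txt by hand.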

GPOs

Unpack the backup with the following command:

tar xvfj /mnt/backup/var/univention-backup/samba/sysvol.<DATE>.tar.bz2

This creates a directory named sysvol in the current directory, which has to be copied into the Samba directory:

cp -r ./sysvol /var/lib/samba/

Restore the GPO ACLs with the following command:

cd / && setfacl --restore /mnt/backup/samba_sysvol_<DATE>

User Home

Copy the user homes from your backup to /home, preserving ownership and modes (for example with cp -a).

Then restore the ACLs with the following command:

cd / && setfacl --restore /mnt/backup/home_acl_<DATE>

Known Issues with UCS 4.4

The restore of the portal in UCS 4.4 needs different steps; see the forum thread "Backing up UCS 4.4, everything working except portal edition: invalid DN syntax, urgent!" (post #6 by vibus087).

