Cool Solution - Single Server Backup and Restore

From Univention Wiki

Product logo: UCS Version 3.2

Note: Cool Solutions are articles documenting additional functionality based on Univention products. Not all of the steps shown in the article are covered by Univention Support. For questions about your support coverage, contact your contact person at Univention before you implement any of the steps shown.

Also note the legal notes in the Terms of Service.


The built-in domain structure of UCS allows systems with the role Domain Controller Backup to be set up to take over the function of the Master. However, two hardware servers are needed to utilize this function. The following guide therefore describes how to save and restore OpenLDAP, Samba 4 and the users' home directories of a single-server environment.

Warning: Do NOT utilize this guide if you have more than one UCS server in your domain.
Note: This guide only looks at OpenLDAP, Samba 4 and the users' home directories. Additional shares, functions and services from the AppCenter have to be saved in addition to this guide.

Note: For the purpose of this guide, we assume that there are no changes to the system other than those made by UCR and through installed packages.

Files to Backup

To restore the system later, a number of files have to be backed up and restored. We differentiate these files by their purpose.

/var/univention-backup

The directory

 /var/univention-backup 

contains the LDAP backup as well as the backups for Samba and the Univention Config Registry. It is therefore essential that the whole folder is backed up.

Machine Passwords

In addition to the LDAP, a number of passwords used to manage the server are needed. These can be found in

/etc/

and are only readable by root. Please save the following password files:

/etc/ldap.secret
/etc/machine.secret
/etc/slave-join.secret
/etc/ldap-backup.secret
/etc/libnss-ldap.secret
/etc/backup-join.secret
/etc/pam_ldap.secret
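
The copies of these files in the backup need the same root-only protection as the originals in /etc. The following sketch is an added example, not Univention tooling: it copies the files with their modes preserved and lists any copy that group or others can access. The function names and the destination path are assumptions.

```shell
#!/bin/sh
# Added example, not Univention code. The file names are the list above.
SECRET_FILES="ldap.secret machine.secret slave-join.secret ldap-backup.secret
libnss-ldap.secret backup-join.secret pam_ldap.secret"

# Copy the secrets from SRC (normally /etc) into DEST, keeping mode and
# timestamps. Prints "missing: NAME" for absent files, returns 1 on copy errors.
backup_secrets() {
    src=$1 dest=$2 rc=0
    # A newly created DEST is root-only; an existing one is left unchanged.
    ( umask 077; mkdir -p "$dest" ) || return 1
    for f in $SECRET_FILES; do
        if [ ! -f "$src/$f" ]; then
            echo "missing: $f"
            continue
        fi
        cp -p "$src/$f" "$dest/$f" || rc=1
    done
    return $rc
}

# List *.secret files under DIR that group or others can access.
# Uses the GNU find "-perm /mode" test; empty output means nothing is exposed.
loose_secrets() {
    find "$1" -type f -name '*.secret' -perm /077 | sort
}

# Demo on constructed files in a scratch directory (no real secrets touched).
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/etc"
    for f in ldap.secret machine.secret; do
        printf 'constructed-value\n' > "$tmp/etc/$f"
        chmod 600 "$tmp/etc/$f"
    done
    backup_secrets "$tmp/etc" "$tmp/backup/etc"
    chmod 644 "$tmp/backup/etc/ldap.secret"   # simulate a careless copy
    loose_secrets "$tmp/backup"
    rm -rf "$tmp"
}

demo
```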

Software Revision

To save the package revision for a later restore, run the following command:

dpkg --get-selections '*' > /var/univention-backup/selection_$(date +%Y%m%d).txt

User Home Directories

By default the user home and profile directories can be found in

/home

In addition to the actual directories, the permissions on these folders have to be saved. To back up the permissions, issue the following command and save the resulting file:

getfacl -R /home >> /var/univention-backup/home_acl_$(date +%Y%m%d)

Restore of the UCS-Master

Please follow the steps below one by one. It is essential that each step is completed before the next one is taken. For the purpose of this guide we assume that all files are found under the prefix /mnt/backup, followed by their original path. /home/Administrator/file.txt would thus become /mnt/backup/home/Administrator/file.txt in the backup.

Install the new server

Please install the new server under the same name and IP as the old one. Please use the same major, minor and patch level as before.

Restore of the software installation

Once the server is installed, the installation base has to be redone. The following commands restore the software revision that was previously installed on the server:

dpkg --set-selections < /mnt/backup/var/univention-backup/selection_20141013.txt
aptitude install
apt-get -u dselect-upgrade
univention-upgrade

Restoring the configuration

The server's configuration is stored in UCR variables. The values of these variables have to be restored to ensure that the server runs with the same settings as before. Start by unpacking the last saved revision of your variables from /var/univention-backup; for this guide it is the version from 2014-10-13:

tar zxvf /mnt/backup/var/univention-backup/ucr-backup_20141013.tgz

The resulting files have to be changed from a mere listing into a series of commands that reset the variables. Issue the following commands to adapt the files:

sed -e "s/: /='/;s/$/'/;1,2d;s/^/ucr set /" -i base.conf
sed -e "s/: /='/;s/$/'/;1,2d;s/^/ucr set --force /" -i base-forced.conf

Lastly use the following commands to reset the variables to the old values:

/bin/bash base.conf
/bin/bash base-forced.conf

Reboot the server before continuing.
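
The sed conversion above wraps each value in single quotes without escaping it, so a value that itself contains a single quote yields a broken or differently parsed command when the file is run through bash. The following added example (not Univention code) generates the same ucr set lines with embedded quotes escaped and the split made at the first ": " only. The function names and the custom/motd variable are hypothetical, and the sample dump is constructed.

```shell
#!/bin/sh
# Added example, not Univention code: convert a UCR dump read on stdin
# ("key: value" lines after two header lines) into "ucr set" commands.

# Usage: ucr_dump_to_commands [--force] < base.conf > restore.sh
ucr_dump_to_commands() {
    opts=${1:+$1 }
    # tail drops the two header lines, like "1,2d" in the sed version.
    tail -n +3 | while IFS= read -r line; do
        case $line in
            *": "*) ;;            # looks like "key: value"
            *) continue ;;        # blank or unexpected line: skip it
        esac
        key=${line%%": "*}        # text before the FIRST ": "
        value=${line#*": "}       # everything after it, later ": " included
        # Close the quote, emit an escaped quote, reopen it: ' -> '\''
        esc=$(printf '%s' "$key=$value" | sed "s/'/'\\\\''/g")
        printf "ucr set %s'%s'\n" "$opts" "$esc"
    done
}

# Constructed sample dump; custom/motd is a hypothetical variable.
sample_dump() {
    cat <<'EOF'
# univention_ base.conf

hostname: master
custom/motd: Owner: O'Brien
EOF
}

# Print the generated commands for review before running them.
sample_dump | ucr_dump_to_commands --force
```

Reviewing the generated file before passing it to /bin/bash shows exactly which variables will be set, and nothing in a value is interpreted by the shell.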

LDAP & Samba Restore

Before restoring the LDAP, please stop all LDAP and Samba related services with the following commands:

/etc/init.d/slapd stop
/etc/init.d/univention-directory-listener stop
/etc/init.d/univention-directory-notifier stop
/etc/init.d/univention-s4-connector stop
/etc/init.d/samba4 stop

Now delete the old LDAP and restore the configuration files from UCR:

rm -r /var/lib/univention-ldap/ldap/*
ucr commit /var/lib/univention-ldap/ldap/DB_CONFIG

To have a usable LDAP after the restore, you now need to copy the following files from the backup back onto the server, replacing any existing files:

/etc/ldap.secret
/etc/machine.secret
/etc/slave-join.secret
/etc/ldap-backup.secret
/etc/libnss-ldap.secret
/etc/backup-join.secret
/etc/pam_ldap.secret

Unpack and import the latest LDAP backup:

gzip -d /mnt/backup/var/univention-backup/ldap-backup_20141013.ldif.gz
slapadd -l /mnt/backup/var/univention-backup/ldap-backup_20141013.ldif
/etc/init.d/slapd start

Empty the cache of the Univention Directory Listener:

rm -rf /var/lib/univention-directory-listener
mkdir -p /var/lib/univention-directory-listener/
chown listener: /var/lib/univention-directory-listener/

If you are using an older backup, you might have to reset the password of the administrator with the following command:

udm computers/domaincontroller_master modify --binddn "uid=Administrator,cn=users,$(ucr get ldap/base)" --bindpwd <Administrator Password> --dn "$(ucr get ldap/hostdn)" --set "password=$(cat /etc/machine.secret)"

Lastly we have to reinitialize Samba 4. You will have to edit the file

/usr/lib/univention-install/.index.txt 

with your preferred editor and remove any line starting with any of the following. Please note that entries can occur more than once, but not all entries have to be present:

univention-samba4
libunivention-ldb-modules
univention-s4-connector
univention-samba4-dns

Now listener and notifier can be restarted:

/etc/init.d/univention-directory-notifier start
/etc/init.d/univention-directory-listener start

Now go to the Univention Management Console. In the computer menu, select the DC Master and go to the "Advanced Settings" tab. In the service section, remove the entries for "Samba 4" and the "S4 Connector" and save the changes.

Execute the outstanding join scripts and commit all UCR files to restore Samba 4 and all changes made by LDAP policies:

univention-run-join-scripts
ucr commit

Lastly, reboot the system.

GPOs

The GPOs are automatically saved in

 /var/univention-backup/samba/ 

Unpack them with the following command

tar xvfj /mnt/backup/var/univention-backup/samba/sysvol.2014-10-13.tar.bz2

This will result in a new directory named sysvol, which has to be copied into the samba directory

cp -r /mnt/backup/var/univention-backup/samba/sysvol /var/lib/samba/

User Home

Copy the user homes from your backup to /home.

Restore the ACLs with the following command:

cd / && setfacl --restore /mnt/backup/var/univention-backup/home_acl_20141013