Migrate Napp-It from old server to new (complete rehaul)

g0dM@n

New Member
Feb 12, 2022
24
0
1
Hi there! New to the forums, but was part of a lot of the reading in the early whitebox days long ago. I thought I had a login, but apparently not. Looking for some advice here.

Old setup:
AMD FX8 8320, 32gb ecc ddr3 unbuffered
ESXi 5.5 with tons of passthrough
IBM 1015 IT flashed
6x 3TB Seagate Constellation RaidZ2
Dedicated SSD for napp-it VM, no longer mirrored as my Raidsonic died and I can't find them anymore!
Napp-It v18.01 all in one virtual machine
Mostly SMB shares in windows

I basically created several user accounts and have them mapped to windows accounts. I have one main user on the root share that I do most of my NTFS permissions from. Long ago, my ZFS VM bit the dust, so I had to deploy a new... it saw all of my disks, but I had to recreate the user accounts and its mappings. The one problem I had was mismatched mappings, but I figured that out later (was weird, User3 had access to User2's shares and vice versa).

New setup:
Dell R720, dual xeons, 96gb ecc registered ddr3
ESXi 6.7u3 so far with its H310 mini flashed to IT and passed through
6x 10TB Ironwolf Raidz2
Napp-It v18.12w5 all in one virtual machine (just installed the latest recently)
Looking to migrate over the same setup, may use the napp-it mirroring option within the GUI

I was going to manually create all users and mappings, use robocopy from old SMB root share to new SMB root share, but I'm seeing that this newer version of Napp-IT has the guest user locked in on user-id 101. That was my main admin account for windows SMB shares on my old setup.

Any suggestions how to do this as efficiently as possible? I do have an old 8-bay proraid enclosure that can do eSata and USB 3.0. Not sure if it makes sense to pull all disks from one server and somehow get it hooked up all to one server.

Goal:
- Figure out how to get my mappings to match up, mostly worried about the new guest account overtaking my old permissions for my admin account
- Migrate all data
- (Less important at this moment, for later) Once the above is all complete, what's the best way to mount this share to a linux (Ubuntu desktop) VM for Plex, but also have Windows smb see the same repo for if/when I want to use a different player to watch the movies.
 

gea

Well-Known Member
Dec 31, 2010
2,817
975
113
DE
There are several ways to migrate

1. Easiest with an AiO setup when old and new system is up

1.1 Replicate all filesystems to the new server ex
oldpool/filesystem1 -> newpool = newpool/filesystem1
oldpool/filesystem2 -> newpool = newpool/filesystem2
..
For napp-it free use an evalkey from "napp-it // webbased ZFS NAS/SAN appliance for OmniOS, OpenIndiana and Solaris : Extensions" and add the key to the new server. On the new server: Add the old server under Extension > Appliance group and create a replication job to copy the filesystems over via network.

1.2 Move VM
Oldserver: power down, remove passthrough devices and dvd and export the vm (as a template)
Newserver: Import template, add passthrough device

that is all as system remains the same

---------------------------------------------------------------------------------------------------

2. Disaster recovery method (works also on a barebone setup)

2.1 Replicate your current bootenvironment to your datapool (current napp-it supports BE as source)
2.2 Do a minimal setup of OmniOS + napp-it wget and replicate the bootenvironment back
2.3 Activate this bootenvironment and reboot

that is all as system remains the same

---------------------------------------------------------------------------------------------------

3. New setup
3.1 Backup /var/web-gui/_log/* (napp-it settings)
3.2 Write down all users with their uid/gid (not needed in an AD setup)
3.3 Do a minimal setup of OmniOS + napp-it wget
3.4 Restore content of /var/web-gui/_log/* (napp-it settings)
3.5 Recreate users with former uid/gid (not needed in an AD setup)

---------------------------------------------------------------------------------------------------

about mapping
As you use the Solarish SMB server that supports Windows SID as reference for ACL you do not need any mappings Unix UID <-> Windows SID. You may need them only in an AD environment when you additionally need a mapping ex AD user <-> local Unix user for NFS. Without AD mappings even produce problems when you map local OmniOS users to other local OmniOS users.

In a workgroup setup, you only need to recreate users with same uid/gid to keep permissions intact. In an AD setup you only need to rejoin the new server. This is why even on a restore of a filesystem you do not see permission problems on Solarish due to a missing mapping (SAMBA behaves differently to Solarish SMB). Regarding this, I would call the Solaris SMB server superior because of Windows SID support and the use of Windows ntfs alike ACL instead of the simpler Posix ACL you mostly use with SAMBA.

btw
Update to current OmniOS 151038 long term stable or 151040 stable and napp-it 21.06 free with newest features and bugfixes.

 

g0dM@n

Thank you gea! Been a long time since we've seen one another. 1.1 option sounds most practical. #2 may be out of my reach as I don't understand the BE or how to work it into the datapool. #3 worries me as the UID on the new Napp-It setup is using ID 101 for guest, and that's my main account for NTFS permission management on the old setup. I'm still confused with how to get around that mapping problem.

I currently use a domain controller at home for all of my users. I'm still most worried about the mappings. Say I get option 1.1 to replicate the filesystem from old napp-it to new napp-it, how do I then ensure my mappings and/or permissions will be ok?

*EDIT*
Already started the replication for now! Thanks.
 

g0dM@n

Below you can see my first user (it is not Guest and it is my actual name) is userid 101.
On the new napp-it server, the built-in unix account "guest" is using userid 101. This is going to complicate my permissions, right?

I've had an issue in the past where I had to rebuild my napp-it VM. I attached my disks, but when I recreated all of my users, their shares were all over the place because the mappings were not the same as the old setup. I'm afraid I'm going to have the same issue again, but even worse my main admin for my NTFS permissions is userid 101.

[Image: User-mapping.png]
 

gea

Mappings
Mappings are a system related item ex
AD user Tom@domain = Unix user Paul

If you restore the same system (VM restore or disaster recovery via BE) mappings stay intact.
On a new system you can use the idmap command to set mappings (see "Creating Your Identity Mapping Strategy - Managing SMB File Sharing and Windows Interoperability in Oracle® Solaris 11.4").

With an AD Domain you do not need any mappings for SMB to work. Only the mapping winuser:you@domain=Unix:root is helpful as it gives you full permissions.

ACL
The Solarish SMB server uses Windows SID as reference. They are stored as extended ZFS attributes. No need for any mappings in an AD environment as they are known whenever you join OmniOS to your AD.

On conflicts with users and uids, delete user ex a staff member and recreate with a different uid ex 112. If you need to preserve permissions for this user, delete guest and recreate with uid 112 (next uid). For local users, Windows SID is generated from uid. For AD users the Solarish SMB server uses the original AD Windows SID.

When you SMB connect in an AD environment you can either login as a local OmniOS user or an AD user. You can also set permissions based on AD accounts or local accounts. Solarish (unlike SAMBA) allows even Windows compatible SMB groups where groups contain groups what is not possible with Unix groups (see "Managing SMB Groups (Task Map) - Oracle Solaris Administration: SMB and Windows Interoperability").

Bootenvironment
A bootenvironment (BE) is a bootable snap of your rpool. On every update (napp-it or OS) a new BE is created. During bootup you can select one of your BEs so booting into a former OS state is possible. You can replicate such a BE (=current state of OS) for backup or restore for disaster recovery (see "Introduction to Managing Boot Environments - Creating and Administering Oracle Solaris 11 Boot Environments").

btw
it seems that you have deployed a downloaded napp-it template for your new server. You should export the already configured old server as a template and deploy this on the new one to preserve all settings.
 

g0dM@n

Thank you for the info, buddy.
So I'll try this:
- Allow repl to finish
- Shutdown new Napp-it VM and remove raid card passthrough
- Export old Napp-it VM and migrate to new server, attached raid card passthrough
- Fire up old Napp-it VM on new server, import disks and I assume that should take care of all?

Optionally, and where I was going initially with this was how do I change the UID of that guest account. That was the only issue I saw on the new napp-it AIO. That 101 UID is my admin/root account for my SMB that maps to my domain admin in AD. I did not see a way to delete or adjust the guest account.

P.S. And now that you mention a new BE with each update, I do recall having to work magic there years ago where one BE was dead. Thanks!
 

gea

An AD mapping ex winuser: paul=unixuser:root is independent from uid. Uid is only relevant for ACL that are set for the local user with uid 101.

To change guest uid, delete and recreate guest with a different uid.
 

g0dM@n

Instead of messing with this, I tried your other method of reusing the old napp-it setup. I used vmware converter to move the original napp-it VM to the new system. I removed the HBA passthrough from the new napp-it (destination replication) and added it to the original/old napp-it VM. Fired it up on the new server. It lost the old pools, but as expected as that's on the old server I migrated away from (something to clean up later).
I went to import, it sees my new pool, but it's giving me this error now:

Could not proceed due to an error. Please try again later or ask your sysadmin.
Maybe a reboot after power-off may help.

167
cannot import 'GKS3z2' as 'GKS3z2': unsupported version or feature
This pool uses the following feature(s) not supported by this system:
org.zfsonlinux:userobj_accounting (User/Group object accounting.)
com.delphix:spacemap_v2 (Space maps representing large segments are more efficient.)
org.zfsonlinux:project_quota (space/object accounting based on project ID.)
com.delphix:log_spacemap (Log metaslab changes on a single spacemap and flush them periodically.)
All unsupported features are only required for writing to the pool.
The pool can be imported using '-o readonly=on'.


I guess I need to upgrade this original/old Napp-It VM?

I ran "cat /etc/release" and see this:
OmniOS v11 r151024j
Following the guide here, I tried this as my first command and it doesn't like the commands:
pkg set-publisher -r -O OmniOS r151030 core omnios

-r and -O aren't listed in as appropriate switches. I am a total noob in this environment.

I then said let me try napp-it about > update. I think I had an issue with name resolution so I added new DNS into /etc/resolve.conf and then retried and I could see new version downloads from the napp-it GUI. I tried both 18.12 and 21.06 -- then tried the pool import and it still gave me the error above. I even tried shutting down and powering back up. I'm still on r151024... not sure if that's part of it, but for some reason the omnios upgrade guide isn't working for me:
 

g0dM@n

I checked and name resolution works...
root@Napp-It:~# nslookup pkg.omniosce.org
Server: 192.168.69.200
Address: 192.168.69.200#53

Non-authoritative answer:
pkg.omniosce.org canonical name = www.omniosce.org.
Name: www.omniosce.org
Address: 129.132.2.8


I've tried pkg update (which finds nothing) and then reboot.
I then try the rest of the commands from the napp-it manual, only this time I'm trying to get to 151026 since that's what the napp-it manual calls for (instead of following omnios instructions), so I run these commands below and you can see the output:

root@Napp-It:~#
root@Napp-It:~# pkg unset-publisher omnios
Updating package cache 1/1

pkg unset-publisher: Removal failed for 'omnios': Unknown publisher 'omnios'.

root@Napp-It:~# pkg set-publisher -g OmniOS r151026 core omnios
pkg set-publisher: The origin URIs for 'omnios' do not appear to point to a valid pkg repository.
Please verify the repository's location and the client's network configuration.
Additional details:

Unable to contact valid package repository
Encountered the following error(s):
Unable to contact any configured publishers.
This is likely a network configuration problem.
Framework error: code: E_SSL_CACERT (60) reason: SSL certificate problem: certificate has expired
URL: 'OmniOS r151026 core'


------------------------------------


Either way, my problem is still that my original napp-it server won't import the new (replicated) pool. I'm trying to upgrade OmniOS and Napp-It in hopes of new kernels/features allowing it to work
 

gea

If you are currently on 151024, the update path would be a three step path,
r151026, r151028 (stable), r151030 (LTS)

151026 repo, OmniOS r151026 core
Certificate expires Tuesday, May 10, 2022
check your date settings and if you use the correct repository ex
(OmniOS changed main url recently from omniosce.org to omnios.org, maybe you use an old url)

Pool import
is only possible when all ZFS features are supported
A pool move old OS-> newer OS is ok

in general
Update from a very old 151024 to 040 is not what I would do as this is a multi step process with some problems to consider like the SSH and compiler switches between. I would install 038 lts or 040 stable directly, import the pool and optionally delete/recreate users if other uid settings are wanted.
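
The rule stated in this post, that import only works when the importing system supports the pool's ZFS features, can be checked before a controller or VM is moved. The following is an added example, not part of the original posts and not code from napp-it or OmniOS. The function names and both sample listings are constructed, and it assumes the inputs were captured with `zpool get -H -o property,value all <pool>` on the system that owns the pool and `zpool upgrade -v` on the system that should import it.

```shell
#!/bin/sh
# import_blockers POOL_PROPS TARGET_FEATURES
#   POOL_PROPS:      saved output of `zpool get -H -o property,value all <pool>`
#   TARGET_FEATURES: saved output of `zpool upgrade -v` from the importing system
# Prints every feature that is "active" on the pool but unknown to the target.
# Features that are only "enabled" have not changed the on-disk format yet and
# do not prevent an import, so they are not reported.
import_blockers() {
    awk '
        FILENAME == ARGV[1] {
            # Feature rows start in column 1 with a lowercase name; headers
            # start with a capital or "-", descriptions are indented.
            if ($0 ~ /^[a-z][a-z0-9_]*([ \t]|$)/) supported[$1] = 1
            next
        }
        $1 ~ /^feature@/ && $2 == "active" {
            name = substr($1, 9)            # strip the "feature@" prefix
            if (!(name in supported)) print name
        }
    ' "$2" "$1"
}

# Constructed sample data: a pool created on a newer release and the feature
# table of an older one. The four missing features are the ones named in the
# import error quoted in this thread; all other rows are illustrative.
demo_blockers() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/pool_props" <<'EOF'
size 54.5T
feature@async_destroy enabled
feature@lz4_compress active
feature@large_blocks enabled
feature@userobj_accounting active
feature@spacemap_v2 active
feature@project_quota active
feature@log_spacemap active
feature@bookmark_written enabled
EOF
    cat > "$tmp/target_features" <<'EOF'
This system supports ZFS pool feature flags.

The following features are supported:

FEAT DESCRIPTION
-------------------------------------------------------------
async_destroy                         (read-only compatible)
     Destroy filesystems asynchronously.
lz4_compress
     LZ4 compression algorithm support.
large_blocks
     Support for blocks larger than 128KB.
EOF
    import_blockers "$tmp/pool_props" "$tmp/target_features"
    rm -rf "$tmp"
}

demo_blockers
```

An empty result means every active feature is known to the importing system. Whether a reported feature still permits a read-only import is stated by `zpool import` itself, as in the error message quoted earlier in the thread.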
 

g0dM@n

Yes, sir -- that's exactly what I want to do is step up appropriately, but it refuses.

I just logged in with SSH and it says Mon Feb 14th, time is off by a few hours, but for now that shouldn't affect certificate expiration.
I'll give you my exact output proving I shouldn't have an issue (from all the things I've gathered) and how it's not working. See below (thank you so much btw), I did random pings out to the internet and a site to prove DNS and routing works:


root@Napp-It:~#
root@Napp-It:~# date
Mon Feb 14 17:53:50 CET 2022
root@Napp-It:~# cat /etc/release
OmniOS v11 r151024j
Copyright 2017 OmniTI Computer Consulting, Inc. All rights reserved.
Copyright 2018 OmniOS Community Edition (OmniOSce) Association.
All rights reserved. Use is subject to license terms.
root@Napp-It:~# ping 8.8.8.8
8.8.8.8 is alive
root@Napp-It:~# ping www.yahoo.com
www.yahoo.com is alive
root@Napp-It:~# pkg update
No updates available for this image.
root@Napp-It:~#
root@Napp-It:~#
root@Napp-It:~#
root@Napp-It:~# pkg unset-publisher omnios
Updating package cache 1/1

pkg unset-publisher: Removal failed for 'omnios': Unknown publisher 'omnios'.

root@Napp-It:~# pkg set-publisher -g OmniOS r151026 core omnios
pkg set-publisher: The origin URIs for 'omnios' do not appear to point to a valid pkg repository.
Please verify the repository's location and the client's network configuration.
Additional details:

Unable to contact valid package repository
Encountered the following error(s):
Unable to contact any configured publishers.
This is likely a network configuration problem.
Framework error: code: E_SSL_CACERT (60) reason: SSL certificate problem: certificate has expired
URL: 'OmniOS r151026 core'

root@Napp-It:~#



It says "omnios" is an unknown publisher. Should I be putting something else after the URI?
 

gea

Check

pkg set-publisher -g https://pkg.omniosce.org/r151026/core omnios (old url)

or
pkg set-publisher -g OmniOS r151026 core omnios (current url)

The first may explain the validation error when used as repository. If you go directly via browser to the old url you will be forwarded to current url

btw
I have just tried the omniosce url and was able to unset/set publisher omnios
Is date and year setting correct (command date)?
 

g0dM@n

I’m definitely doing it correctly. I tried both ways. I’ve been googling and reading so many forums and cannot figure it out. :(

My post above is exactly from the shell. The forum here is automatically hyperlinking it, but I assure you I’ve done it correctly.

If I could only upgrade my original server…
Or is there a way to export the entire config and then import into a whole new Napp-It server that’s up to date?

As my final last resort…
Could you share the command to remove the guest account or change its UID?

You’ve been quite helpful. If you ever need any help with VMware, Veeam, Dell storage or server products, Dell networking, sonicwall firewalls. Hit me up. I owe you.
 

g0dM@n

Sick of the issue above, so I built a new napp-it from scratch, no AIO. Installed OmniOS r151038 and ran the napp-it install from there.
I imported my original pool and see all data and disks, but I am having the issue I tried so hard to not have to deal with... that damn guest account is using the UID that I need for my main account. I can't figure out how to delete it. The GUI doesn't allow it and userdel -r username is not working.

My main account is now taking over my son's NTFS permissions. I've had this happen before when I had to recover and redid all UID to resolve it. The problem is the new napp-it versions have this guest account locked to UID 101. See below.

root@napp-it:~# userdel -r guest
UX: userdel: ERROR: Unable to find status about home directory: No such file or directory.

[Image: 1644970954080.png]


You can see that Garo now has Giovanni's UID, so I only have access to directories/files that he had access to. So it's as if my "Garo" windows domain account is mapped to all permissions Giovanni used to have.

If I could delete the darn guest account, I could set Garo to UID 101 and fix the problem.

If you check the root directory of my shares, the guest account is what has full access, ugh!

[Image: 1644971113024.png]
 

gea

Just enter "userdel guest" at console or the napp-it cmd field to delete guest
(do not use -r as there is no home directory assigned)

Then recreate guest with any uid
Current default for new users in OmniOS is uid >60000 so your problem with guest and the low uid 101 is due to the old OmniOS where the first new user got 101 and this was guest
 
Last edited:
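
The "write down all users with their uid/gid" and "recreate users with former uid/gid" steps from earlier in the thread, and the guest/uid 101 conflict resolved here, both come down to comparing two passwd files. The following is an added example, not part of the original posts and not code from napp-it: a shell function that reports every local account of the old server whose uid is held by a different name on the new one. The function names, the uid threshold of 100, the account `mia` and all uid values other than 101 are assumptions constructed for illustration.

```shell
#!/bin/sh
# audit_uids OLD_PASSWD NEW_PASSWD [MIN_UID]
# Compares the local accounts (uid >= MIN_UID, default 100) of the old server
# with the passwd file of the new one and prints one line per old account:
#   COLLISION  the uid belongs to a different name on the new system
#   MOVED      the name exists on the new system with another uid
#   MISSING    the account must be recreated with its former uid/gid
#   OK         name and uid match
audit_uids() {
    awk -F: -v min="${3:-100}" '
        # First file = new system: index accounts by uid and by name.
        FILENAME == ARGV[1] { name_of[$3] = $1; uid_of[$1] = $3; next }
        # Second file = old system: skip system accounts below MIN_UID.
        ($3 + 0) < (min + 0) { next }
        {
            # A collision means ACLs that reference this uid now resolve
            # to another account.
            if (($3 in name_of) && name_of[$3] != $1)
                printf "COLLISION %s uid=%s held_by=%s\n", $1, $3, name_of[$3]
            else if (($1 in uid_of) && uid_of[$1] != $3)
                printf "MOVED %s old_uid=%s new_uid=%s\n", $1, $3, uid_of[$1]
            else if (!($1 in uid_of))
                printf "MISSING %s uid=%s gid=%s\n", $1, $3, $4
            else
                printf "OK %s uid=%s\n", $1, $3
        }
    ' "$2" "$1"
}

# Constructed sample data modelled on the situation in this thread: on the
# old server the first local user had uid 101, on the fresh install guest
# holds 101 and the recreated users slid up by one.
demo_audit() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/old_passwd" <<'EOF'
root:x:0:0:Super-User:/root:/bin/bash
garo:x:101:100::/export/home/garo:/bin/bash
giovanni:x:102:100::/export/home/giovanni:/bin/bash
mia:x:103:100::/export/home/mia:/bin/bash
EOF
    cat > "$tmp/new_passwd" <<'EOF'
root:x:0:0:Super-User:/root:/bin/bash
guest:x:101:100::/:/bin/false
garo:x:102:100::/export/home/garo:/bin/bash
EOF
    audit_uids "$tmp/old_passwd" "$tmp/new_passwd"
    rm -rf "$tmp"
}

demo_audit
```

Run against copies of `/etc/passwd` from both systems before any share is opened to users; every COLLISION line is an account that would inherit another account's file permissions in a workgroup setup.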

g0dM@n

I finally figured out the permissions issue and got my shares back online!!

When I first built napp-it I didn't have a windows domain, so I created accounts in napp-it, made matching local accounts in windows (username and password match perfectly, yes cases must match as ZFS required that -- I learned the hard way).

On this new/current setup, I was going through the new napp-it GUI and saw I could join an AD domain (which @gea you also mentioned), and since I have a domain currently set up I added it. Slowly but surely I realized I didn't need any local Unix accounts after all! You told me I can just map an AD account to local root, such as a domain admin, and then work on NTFS from there. I spent about an hour and a half going through all of my shares and cleaning up the broken SIDs from the old setup, even removing the damn guest napp-it account, and now every NTFS user shows up as my domain user accounts. Created security groups for shares and threw those on some, and then added users into those groups.
It's all clean now.
My issue was unique I think -- where my main AD account was matching a unix account name for everything, and that's how I originally had root access to my share. That unix account was UID 101. In the new Napp-It, the guest account defaults to that UID like you said, so I couldn't manually set the UID when I went to recreate my users on this new setup.

This was all bittersweet. I'm glad I went through this because now I know none of the user management in napp-it was necessary and my shares are all cleaned up.

But -- this didn't come easy. When I added the pool to the new ZFS server, I could only get read access to my share. I tried .\root and password, even tried ipaddress\root to log into the share and it would NOT take! When I mapped my domain ad account to root in napp-it, that didn't help either, until I tried from my domain controller.
Basically, I couldn't do anything on the share with "root" or with my domain user (even after I mapped it to root) -- this all from a Windows 10 desktop.
But, when I went to my domain controller as the domain admin, I was able to get in -- this is where I cleaned everything up from. Once NTFS was all cleaned up, everything started working as planned. The windows 10 desktop seemed to be going in as read-only likely b/c it was going in as that damn guest account UID 101 and all that confusion.

This was a real pain to conquer. A lot of late nights and loss of sleep... but this was one of the few times I didn't blow my top. I was learning more of the CLI going through this exercise. Thanks for sticking it out with me, Gea!

Now I have to set up my napp-it config on everything else since this is a new setup.

Remaining items:
- snapshot schedule
- scrub monthly
- SMTP (this by the way I could never get to work on the old setup)
- Dedupe -- I wonder if I should be trying this out. I've got 6x10tb in raidz2 and assigned 32GB of RAM to this VM. I could up the RAM a bit more, even install more RAM in the server if it's worth it. Instructions say 5gb ram per TB... that sounds like 300gb ram! (60tb disk at 5gb per TB).
 

gea

Remaining items:
- snapshot schedule

Create several jobs ex one every 15 min for last hour, one per hour for current day etc

- scrub
ok

- SMTP

mostly you need tls encrypted mail ex for google
- enable TLS (OS level), see "napp-it // webbased ZFS NAS/SAN appliance for OmniOS, OpenIndiana and Solaris : Downloads"
- allow insecure apps (Google)

- dedup
you need up to 5 GB not for poolsize but deduped data.

Main problem: you want to use RAM for caching (performance), not dedup
Option: use a special vdev mirror for dedup.

I would simply skip dedup and use a larger pool.
 

g0dM@n

Thanks for the info. I'll try SMTP when I get a chance. I'm migrating another pool via robocopy for various reasons. Combining two old ZFS pools into one larger one. I have plenty of space right now.

How do you have ZFS use RAM for caching? I can throw a ton of RAM at this guy if I wanted to. 60tb raw, 40tb in raidz2.

I also have nvme and ssd in this server, so trying to decide if I want a SLOG for ZIL.
 

gea

Robocopy is fine as it can transfer Windows ntfs ACL (rsync cannot)

Ram is used for caching but caching is not filebased but based on ZFS datablocks in recsize on a read last/read most optimization. Perfect for random io for many users, not so for media files.

Beside databases or VM storage you do not want or need (mostly) sync write.