samba - Jun 2019 - Announcing "adam" - Active Directory Automated Maintenance tool

Hello all,

A recurring question is how to assign uidNumber and gidNumber
attributes to users and groups in Active Directory [1].  While it is
possible to avoid this by using e.g. the "rid" idmap backend, it is
sometimes desirable for Active Directory to be the single source of
truth for UID / GID numbers. This is especially true if not all of
your UNIX domain members can use the same mapping scheme (if you're
using SSSD, for example).

Microsoft used to facilitate the assignment of these attributes via
the Unix Attributes Plug-in for Active Directory Users and Computers
(ADUC). However, that has been removed, and users must assign these
themselves [2].

I'm certain a tool like this has been implemented by numerous
sysadmins in the past. However, I haven't found a freely-available
solution that behaves the way I want. So today I'm presenting ADAM
("Active Directory Automated Maintenance"):

https://gitlab.com/JonathonReinhart/adam

ADAM assigns UID/GID numbers sequentially from a user-defined range,
and stores the next-highest values in LDAP (thanks, Rowland!) I
received feedback from the Samba mailing list in the creation of this.
[3]

ADAM should work for either a Samba or Microsoft AD, and can run on
any Linux machine (even one that is not domain-joined).  I have plans
to add other automated background tasks to this tool in the future,
which you will find in the issue tracker.

I hope this saves time for others in the same boat as me, and look
forward to your feedback. If you have any problems, please open an
issue on the GitLab issue tracker.

Cheers,

Jonathon Reinhart


[1]:
https://serverfault.com/questions/484908/ad-plugin-or-utility-that-generates-unique-uidnumber-gidnumber-on-creation
[2]:
https://blogs.technet.microsoft.com/activedirectoryua/2016/02/09/identity-management-for-unix-idmu-is-deprecated-in-windows-server/
[3]: https://lists.samba.org/archive/samba/2019-June/223497.html