Jonathon Reinhart
2019-Jun-23 17:13 UTC
[Samba] Announcing "adam" - Active Directory Automated Maintenance tool
Hello all,

A recurring question is how to assign uidNumber and gidNumber attributes to users and groups in Active Directory [1]. While it is possible to avoid this by using e.g. the "rid" idmap backend, it is sometimes desirable for Active Directory to be the single source of truth for UID / GID numbers. This is especially true if not all of your UNIX domain members can use the same mapping scheme (if you're using SSSD, for example).

Microsoft used to facilitate the assignment of these attributes via the Unix Attributes Plug-in for Active Directory Users and Computers (ADUC). However, that has been removed, and users must assign these themselves [2].

I'm certain a tool like this has been implemented by numerous sysadmins in the past. However, I haven't found a freely-available solution that behaves the way I want.

So today I'm presenting ADAM ("Active Directory Automated Maintenance"):

https://gitlab.com/JonathonReinhart/adam

ADAM assigns UID/GID numbers sequentially from a user-defined range, and stores the next-highest values in LDAP (thanks, Rowland!). I received feedback from the Samba mailing list in the creation of this. [3]

ADAM should work for either a Samba or Microsoft AD, and can run on any Linux machine (even one that is not domain-joined).

I have plans to add other automated background tasks to this tool in the future, which you will find in the issue tracker.

I hope this saves time for others in the same boat as me, and look forward to your feedback. If you have any problems, please open an issue on the GitLab issue tracker.

Cheers,
Jonathon Reinhart

[1]: https://serverfault.com/questions/484908/ad-plugin-or-utility-that-generates-unique-uidnumber-gidnumber-on-creation
[2]: https://blogs.technet.microsoft.com/activedirectoryua/2016/02/09/identity-management-for-unix-idmu-is-deprecated-in-windows-server/
[3]: https://lists.samba.org/archive/samba/2019-June/223497.html