NAS functionality on CentOS 7

This document describes a CentOS 7 NAS installation: a Samba 4 AD domain controller with file shares, a CUPS print server and the matching firewalld configuration.

Minimal

Installation

Do a minimal installation of CentOS 7. I am using a VM in this example.

yum install open-vm-tools

Configuration

useradd -g users -c "Herwarth Heitmann" -m -d /home/herwarth herwarth
passwd herwarth
/etc/ssh/sshd_config
PermitRootLogin no
systemctl restart sshd
systemctl disable kdump
/etc/sudoers.d/users
herwarth ALL=(ALL) ALL

Set the FQDN in /etc/hostname, and map the FQDN to the server's IP address in /etc/hosts.
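As an added example (not from the original page), the two checks below cover the sshd and hostname steps above. sshd applies the first occurrence of a keyword, so a PermitRootLogin no added below an existing PermitRootLogin yes (or below a Match block) has no effect, and Samba's AD provisioning expects the FQDN in /etc/hostname to resolve to the LAN address in /etc/hosts, not to loopback. File paths are arguments, and the address 10.108.108.10 is a constructed example value.

```shell
#!/bin/sh
# Added example, not part of the original page. Checks two settings from the
# minimal configuration: the effective PermitRootLogin value in sshd_config and
# the FQDN/IP mapping in /etc/hostname and /etc/hosts. File paths are arguments
# so the functions can also be run against copies of the files.

# Effective value of a keyword in sshd_config. sshd takes the FIRST occurrence
# of a keyword, and anything after a "Match" line is conditional, so a line
# appended at the end of the file can silently lose against an earlier one.
# Prints the value, or "default" if the keyword is not set unconditionally.
sshd_effective() {
    key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comment or blank line
        { gsub(/=/, " ") }                              # allow "Keyword=value"
        tolower($1) == "match" { exit }                 # rest is conditional
        tolower($1) == key { print $2; found = 1; exit }
        END { if (!found) print "default" }
    ' "$2"
}

# /etc/hostname must contain the FQDN, and /etc/hosts must map that FQDN to
# the LAN address (not 127.0.0.1), otherwise the DC name resolves to loopback.
# Usage: check_fqdn_hosts /etc/hostname /etc/hosts 10.108.108.10
check_fqdn_hosts() {
    hostname_file=$1; hosts_file=$2; ip=$3
    fqdn=$(tr -d '[:space:]' < "$hostname_file")
    case "$fqdn" in
        *.*) ;;                                   # contains a dot: qualified
        *) echo "hostname '$fqdn' is not fully qualified"; return 1 ;;
    esac
    # the FQDN must appear as a whole field on an uncommented line for $ip
    if awk -v ip="$ip" -v fqdn="$fqdn" '
            /^[[:space:]]*#/ { next }
            $1 == ip { for (i = 2; i <= NF; i++) if ($i == fqdn) ok = 1 }
            END { exit ok ? 0 : 1 }' "$hosts_file"; then
        echo "ok: $fqdn -> $ip"
        return 0
    fi
    echo "$fqdn is not mapped to $ip in $hosts_file"
    return 1
}

# Example run against the live files (as root, sshd_config is not world-readable):
#   sshd_effective PermitRootLogin /etc/ssh/sshd_config
#   check_fqdn_hosts /etc/hostname /etc/hosts 10.108.108.10
```

Run it after editing sshd_config and before `systemctl restart sshd`; "default" means the keyword is not set at all in the unconditional part of the file, which for PermitRootLogin on CentOS 7 means root login stays allowed.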

NTP client

Installation

yum install chrony

Configuration

/etc/chrony.conf
server 10.108.108.5 iburst
systemctl enable chronyd
systemctl restart chronyd

Samba

I know it is crap but we need to disable SELinux… Perhaps I am going to write my own policy later…

/etc/sysconfig/selinux
SELINUX=disabled

We have to use third-party RPMs because the default CentOS packages do not support Samba with AD domain controller functionality due to a Kerberos issue.

We need to create an account at sernet.de and put our credentials into the repo file.

/etc/yum.repos.d/sernet-samba-4.1.repo
[sernet-samba-4.1]
name=SerNet Samba 4.1 Packages (rhel-7)
type=rpm-md
baseurl=https://<USERNAME>:<PASSWORD>@download.sernet.de/packages/samba/4.1/rhel/7/
gpgcheck=1
gpgkey=https://<USERNAME>:<PASSWORD>@download.sernet.de/packages/samba/4.1/rhel/7/repodata/repomd.xml.key
enabled=1
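The repo file above carries the SerNet account password in the baseurl= and gpgkey= URLs, so the file itself is a secret. As an added example (not from the original page), the script below writes the file with mode 0600 from credentials passed in as arguments and audits a yum.repos.d directory for credential-bearing repo files that are readable by group or others. Paths are arguments so it can be tried in a scratch directory first.

```shell
#!/bin/sh
# Added example, not part of the original page. The SerNet repo file carries the
# account password inside baseurl= and gpgkey=, so it should be created with
# mode 0600 and never be left world-readable. Paths are arguments so the
# functions can be exercised in a scratch directory first.

# Write the repo file with the credentials passed in, readable by root only.
# The umask is set in a subshell so it does not leak into the caller's shell;
# the old file is removed first because umask only applies on creation.
write_sernet_repo() {
    file=$1; user=$2; pass=$3
    rm -f "$file"
    (
        umask 077   # created as 0600 from the start, not 0644 and chmod'ed later
        cat > "$file" <<EOF
[sernet-samba-4.1]
name=SerNet Samba 4.1 Packages (rhel-7)
type=rpm-md
baseurl=https://$user:$pass@download.sernet.de/packages/samba/4.1/rhel/7/
gpgcheck=1
gpgkey=https://$user:$pass@download.sernet.de/packages/samba/4.1/rhel/7/repodata/repomd.xml.key
enabled=1
EOF
    )
}

# Audit every *.repo file in a directory: report those that embed credentials
# in a URL (user:password@host) while being readable by group or others.
# Prints one line per finding and returns 1 if anything was found.
# "stat -c" is GNU coreutils syntax, which is what CentOS ships.
audit_repo_credentials() {
    dir=$1; found=0
    for f in "$dir"/*.repo; do
        [ -f "$f" ] || continue
        grep -Eq '^(baseurl|gpgkey|mirrorlist)=[a-z]+://[^/@[:space:]]+:[^/@[:space:]]+@' "$f" || continue
        mode=$(stat -c %a "$f")
        case "$mode" in
            ?00) ;;   # 600, 400, 700: owner only
            *) echo "$f: embeds credentials but mode is $mode"; found=1 ;;
        esac
    done
    return $found
}

# Example (credentials from the environment, never typed into the file):
#   write_sernet_repo /etc/yum.repos.d/sernet-samba-4.1.repo "$SERNET_USER" "$SERNET_PASS"
#   audit_repo_credentials /etc/yum.repos.d
```

yum runs as root, so a 0600 repo file works exactly like a 0644 one; the only difference is that unprivileged local users can no longer read the SerNet password out of /etc/yum.repos.d.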

Installation

yum install sernet-samba-ad  sernet-samba

Configuration

samba-tool domain provision --use-rfc2307 --interactive
ln -s /var/lib/samba/private/krb5.conf /etc/krb5.conf
/etc/default/sernet-samba
.
.
SAMBA_START_MODE="ad"
.
.
chkconfig sernet-samba-nmbd off
chkconfig sernet-samba-smbd off
chkconfig sernet-samba-winbindd off
samba-tool domain level raise --domain-level 2008_R2 --forest-level 2008_R2
samba-tool domain level show

Disable password complexity

samba-tool domain passwordsettings set --complexity=off
samba-tool domain passwordsettings set --history-length=0
samba-tool domain passwordsettings set --min-pwd-age=0
samba-tool domain passwordsettings set --max-pwd-age=0
samba-tool domain passwordsettings set --min-pwd-length=0

Home directories on the server

/etc/samba/smb.conf
[users]
        path = /mnt/storage/users
        comment = user folders for redirection
        read only = No

Set security on the folder

  • Log on to a Windows 7/8 client computer that is joined to the domain, as a domain administrator.
  • Using Windows Explorer, use a fully qualified UNC path like this: \\samba.mydomain.com\
  • You should see the following folders:
netlogon
sysvol
users

Do not delete 'netlogon' or 'sysvol' as they are required for your domain controller!

  • Right-click on 'Users' and choose 'Properties', then click on the 'Security' tab. Configure exactly as follows:
  • Configure the folder to not inherit permissions and remove all existing permissions. This means removing ALL groups or usernames. You may need to use the 'Advanced' button.
  • Add the file server’s local Administrators group with Full Control of This Folder, Subfolders, and Files. You will need to click the 'Advanced' button 'For special permissions or advanced settings' and then 'Change Permissions'.
  • Add the Domain Admins domain security group with Full Control of This Folder, Subfolders, and Files.
  • Add the SYSTEM account with Full Control of This Folder, Subfolders, and Files.
  • Add the Creator/Owner with Full Control of Subfolders and Files only.
  • Add the Authenticated Users group with both List Folder/Read Data and Create Folders/Append Data – This Folder Only rights. The Authenticated Users group can be replaced with the desired group, but do not choose the Everyone group as a best practice. NOTE: Since I am using Samba4 I also needed to add, 'Traverse folder / execute file', 'Create files / write data', and 'Change permissions'. This is important or else folder redirection will not work!

Now make sure you 'Apply' all changes and click 'OK'. Double, triple check these permissions as this is the main cause of the folder redirection failure!

  • Right-click on the 'Users' folder and enable 'Always available offline'. This will allow offline files to work and then sync any files once the client logs back onto the domain (good for laptop users). Do not enable this if it violates your company's security policy.
  • As a precaution, restart Samba or reboot the server to make sure settings will stick. Once the Samba4 server has rebooted, double check all the permissions again and make sure 'Always available offline' is still enabled.

Create the Folder Redirection GPO

For the following to work it is assumed that you have configured your Samba 4 AD DC and have created some Organizational Units for your domain. You should also have a test user created and RSAT installed on your Windows client.

  1. Log on to a Windows 7/8 client computer that is joined to the domain, as a domain administrator.
  2. Launch the 'Group Policy Management' console:
  3. Start → All Programs → Administrative Tools → Group Policy Management
  4. Either select an already existing GPO that is applied to an OU or create a new one. Right-click the GPO and choose 'Edit'. Then go to:
  5. User Configuration → Policies → Windows Settings → Folder Redirection
  6. Right-click on 'Documents' and select 'Properties'. On the 'Target' tab configure as follows:
  7. Setting: Basic - Redirect everyone's folder to the same location
  8. Target folder location: Create a folder for each user under the root path. Root Path: \\samba.mydomain.com\Users
  9. At the top select the 'Settings' tab and uncheck the 'Grant the User Exclusive Rights to Documents' check box. Leave the remaining check boxes unchanged.
  10. Click OK to complete the folder redirection configuration. A pop-up opens that states that this policy will not display the Folder Redirection node if an administrator or user attempts to configure or view this group policy using policy management tools from Windows 2000, Windows XP, or Windows Server 2003. Click Yes to accept this warning and configure the folder redirection.
  11. Back in the 'Group Policy Management Editor' window, close the GPO.
  12. Make sure that the GPO has 'Authenticated Users' (or another security group you're using) listed in 'Security Filtering'.
  13. Link the new GPO policy (if not done already) to an OU with a user account that can be used to test this policy. This user must log on to a Windows Vista/7/8 computer to allow proper processing of this policy.
  14. Log on to a Windows Vista/7/8 system with the test user account. After the profile completes loading, click the Start button, and locate and right-click the Documents folder and then select Properties. Select the Location tab and verify the path. For example, for a user named Tom, the path should be \\samba.mydomain.com\Users\Tom\Documents.

Your folder redirection should now work. If you continue to have your 'Documents' folder path showing C:\Users\xxx and not the server share, it is most likely due to permissions on the root 'Users' folder. The NTFS permissions must be set correctly on the server share or folder redirection will fail.

Having the correct permissions set on the server share also protects users from accessing another user's files. If you set the permissions correctly as outlined in this howto you should be able to test this successfully.

Set security policy to trust the domain (intranet zone)

Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Site to Zone Assignment List > Enable and add a zone assignment: value name *.lzw.zorgnet, value 1 (Local intranet zone)

The above is enough, but just in case, the same setting under User Configuration:

User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Site to Zone Assignment List > Enable and add a zone assignment: value name *.lzw.zorgnet, value 1 (Local intranet zone)

Disable dynamic DNS registration by clients (DHCP hostname changes)

Computer Configuration > Policies > Administrative Templates > Network > DNS Client: set Dynamic Update = Disabled and Register PTR Records = Disabled

Set drive mappings

User Configuration > Preferences > Windows Settings > Drive maps (choose replace as type)
 - F: \\nas.lzw.zorgnet\data
 - H: \\nas.lzw.zorgnet\users\%username%
 - M: \\nas.lzw.zorgnet\mirasrc
 - U: \\nas.lzw.zorgnet\uirom
 - W: \\nas.lzw.zorgnet\windata
 - T: \\nas.lzw.zorgnet\temp

Add printers

  1. Add the printer drivers using the Print Management tool in Windows
  2. Connect the drivers to the CUPS printers:
rpcclient localhost -U administrator -c 'enumdrivers'
rpcclient localhost -U administrator -c 'setdriver "ETKPRT1L" "Star TSP442 Line Mode Printer"'
rpcclient localhost -U administrator -c 'setdriver "RECPRT1L" "HP LaserJet P2050 Series PCL6"'
rpcclient localhost -U administrator -c 'setdriver "RECPRT2L" "Samsung SCX-483x 5x3x Series"'
rpcclient localhost -U administrator -c 'setdriver "SYSPRT1L" "HP LaserJet P2050 Series PCL6"'
rpcclient localhost -U administrator -c 'setdriver "SYSPRT2L" "Samsung SCX-483x 5x3x Series"'
rpcclient localhost -U administrator -c 'setdriver "SYSPRT1LD" "HP LaserJet P2050 Series PCL6"'
rpcclient localhost -U administrator -c 'setdriver "SYSPRT2LD" "Samsung SCX-483x 5x3x Series"'
rpcclient localhost -U administrator -c 'enumprinters'

In the end we have the following Samba configuration:

/etc/samba/smb.conf
# Global parameters
[global]
	workgroup = LZW
	realm = LZW.ZORGNET
	netbios name = NAS
	server role = active directory domain controller
#	our own dns server
#	dns forwarder = 10.108.108.5
#	zorgnet dns forwarder
	dns forwarder = 10.254.253.201
	idmap_ldb:use rfc2307 = yes

[netlogon]
	path = /var/lib/samba/sysvol/lzw.zorgnet/scripts
	read only = no

[sysvol]
	path = /var/lib/samba/sysvol
	read only = no

[users]
        path = /mnt/storage/users
        comment = user folders for redirection
        read only = no

[data]
	path = /mnt/storage/data
	comment = data share
	read only = no

[mirasrc]
	path = /mnt/storage/mirasrc
	comment = share used by mira application
	read only = no

[uirom]
	path = /mnt/storage/uirom
	comment = unknown share
	read only = no

[windata]
	path = /mnt/storage/windata
	comment = unknown share
	read only = no

[temp]
	path = /mnt/storage/temp
	comment = temporary share
	read only = no

[print$]
	path = /mnt/storage/printer_drivers
	comment = share with network printer drivers
	read only = no

[printers]
	path = /var/spool/samba
	printable = yes
	printing = CUPS

[ETKPRT1L]
	path = /var/spool/samba
	browseable = yes
	printable = yes
	printer name = ETKPRT1L
	read only = no

[RECPRT1L]
	path = /var/spool/samba
	browseable = yes
	printable = yes
	printer name = RECPRT1L
	read only = no

[RECPRT2L]
	path = /var/spool/samba
	browseable = yes
	printable = yes
	printer name = RECPRT2L
	read only = no

[SYSPRT1L]
	path = /var/spool/samba
	browseable = yes
	printable = yes
	printer name = SYSPRT1L
	read only = no

[SYSPRT1LD]
	path = /var/spool/samba
	browseable = yes
	printable = yes
	printer name = SYSPRT1LD
	read only = no

[SYSPRT2L]
	path = /var/spool/samba
	browseable = yes
	printable = yes
	printer name = SYSPRT2L
	read only = no

[SYSPRT2LD]
	path = /var/spool/samba
	browseable = yes
	printable = yes
	printer name = SYSPRT2LD
	read only = no

Create the spool directory used by the printer shares:

mkdir /var/spool/samba
chmod 1777 /var/spool/samba

Cups printserver

Installation

yum install cups ghostscript hplip-common

Configuration

/etc/cups/cupsd.conf
.
Listen 0.0.0.0:631
.
DefaultEncryption Never
.
.
# Restrict access to the server...
<Location />
  Order allow,deny
  Allow 10.108.108.0/24
</Location>

# Restrict access to the admin pages...
<Location /admin>
  Order allow,deny
  Allow 10.108.108.0/24
</Location>
.
.
systemctl start cups
systemctl enable cups

Add the printers via the web GUI running on port 631. An example config after adding the printers in the GUI:

/etc/cups/printers.conf
# Printer configuration file for CUPS v1.6.3
# Written by cupsd on 2015-04-05 21:06
# DO NOT EDIT THIS FILE WHEN CUPSD IS RUNNING
<Printer ETKPRT1L>
UUID urn:uuid:2919023d-a5b3-33a6-525f-98dedb73c838
Info Star TSP442
DeviceURI socket://10.108.108.50:9100
State Idle
StateTime 1428174490
Type 4
Accepting Yes
Shared Yes
JobSheets none none
QuotaPeriod 0
PageLimit 0
KLimit 0
OpPolicy default
ErrorPolicy stop-printer
</Printer>
<Printer RECPRT1L>
UUID urn:uuid:9a25d5bb-9b25-3da5-5ae3-1f47e05dc2ec
Info HP Laserjet P2055dn
DeviceURI socket://10.108.108.51:9100
State Idle
StateTime 1428178354
Type 4
Accepting Yes
Shared Yes
JobSheets none none
QuotaPeriod 0
PageLimit 0
KLimit 0
OpPolicy default
ErrorPolicy stop-printer
</Printer>
<Printer RECPRT2L>
UUID urn:uuid:d36e22c2-8116-37e5-5d15-53182a4d84fb
Info Samsung SCX-483x 5x3x series
DeviceURI socket://10.108.108.60:9100
State Idle
StateTime 1428178569
Type 4
Accepting Yes
Shared Yes
JobSheets none none
QuotaPeriod 0
PageLimit 0
KLimit 0
OpPolicy default
ErrorPolicy stop-printer
</Printer>
<Printer SYSPRT1L>
UUID urn:uuid:3b990d2d-df8e-3ff0-52f6-23b3eefb77d8
Info HP Laserjet P2055dn
DeviceURI socket://10.108.108.51:9100
State Idle
StateTime 1428178686
Type 4
Accepting Yes
Shared Yes
JobSheets none none
QuotaPeriod 0
PageLimit 0
KLimit 0
OpPolicy default
ErrorPolicy stop-printer
</Printer>
<Printer SYSPRT1LD>
UUID urn:uuid:4c5de6d6-d3ba-3358-5653-65bf24278e50
Info HP Laserjet P2055dn
DeviceURI socket://10.108.108.51:9100
State Idle
StateTime 1428178879
Type 4
Accepting Yes
Shared Yes
JobSheets none none
QuotaPeriod 0
PageLimit 0
KLimit 0
OpPolicy default
ErrorPolicy stop-printer
</Printer>
<Printer SYSPRT2L>
UUID urn:uuid:cb1b72d8-ceab-3ab4-7f5c-61ba2bf31a7e
Info Samsung SCX-483x 5x3x series
DeviceURI socket://10.108.108.60:9100
State Idle
StateTime 1428178779
Type 4
Accepting Yes
Shared Yes
JobSheets none none
QuotaPeriod 0
PageLimit 0
KLimit 0
OpPolicy default
ErrorPolicy stop-printer
</Printer>
<Printer SYSPRT2LD>
UUID urn:uuid:92455dcb-1409-33e8-5871-62c0bc5979ed
Info Samsung SCX-483x 5x3x series
DeviceURI socket://10.108.108.60:9100
State Idle
StateTime 1428178962
Type 4
Accepting Yes
Shared Yes
JobSheets none none
QuotaPeriod 0
PageLimit 0
KLimit 0
OpPolicy default
ErrorPolicy stop-printer
</Printer>
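The smb.conf listing above defines one printable section per queue, and printers.conf is the CUPS side of the same set; the rpcclient setdriver step only works for queues that exist on both sides. As an added example (not from the original page), the script below cross-checks the two files and lists smb.conf share paths whose directory does not exist, so a typo in either file shows up before a client complains. It uses the same section and element layout as the listings above; file paths and an optional root prefix are arguments, and the test data is constructed.

```shell
#!/bin/sh
# Added example, not part of the original page. Cross-checks the Samba and CUPS
# printer configuration: every CUPS queue should have a "printable = yes"
# section in smb.conf and every such section should be a CUPS queue, otherwise
# clients see a printer that cannot print or a queue that is never shared.

# Names of CUPS queues: "<Printer NAME>" / "<DefaultPrinter NAME>" lines.
cups_queues() {
    sed -n 's/^<\(Default\)*Printer \([^>]*\)>$/\2/p' "$1" | LC_ALL=C sort
}

# smb.conf sections with "printable = yes"; the generic [printers] section is
# not a queue of its own and is skipped.
samba_printers() {
    awk '
        /^[[:space:]]*\[/ { sect = $0; sub(/^[[:space:]]*\[/, "", sect); sub(/\].*/, "", sect) }
        tolower($1) == "printable" && tolower($NF) == "yes" && sect != "printers" { print sect }
    ' "$1" | LC_ALL=C sort
}

# Share paths from smb.conf whose directory is missing. An optional root
# prefix lets the check run against a copy of the config on another host.
missing_share_paths() {
    file=$1; root=${2:-}
    awk 'tolower($1) == "path" { print $NF }' "$file" | LC_ALL=C sort -u \
        | while read -r p; do
            [ -d "$root$p" ] || echo "$p"
        done
}

# Report queues and sections that exist on one side only; returns 1 if any.
check_printer_config() {
    smb=$1; cups=$2; rc=0
    a=$(mktemp); b=$(mktemp)
    cups_queues "$cups" > "$a"
    samba_printers "$smb" > "$b"
    for q in $(LC_ALL=C comm -23 "$a" "$b"); do
        echo "CUPS queue $q has no printable section in smb.conf"; rc=1
    done
    for s in $(LC_ALL=C comm -13 "$a" "$b"); do
        echo "smb.conf section [$s] is not a CUPS queue"; rc=1
    done
    rm -f "$a" "$b"
    return $rc
}

# Example on the server:
#   check_printer_config /etc/samba/smb.conf /etc/cups/printers.conf
#   missing_share_paths /etc/samba/smb.conf
```

The printers.conf header says not to edit it while cupsd is running, but reading it is fine; the check is read-only on both files.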

Firewall configuration

Remove the default services from the built-in zones

firewall-cmd --permanent --zone=home --remove-service=dhcpv6-client
firewall-cmd --permanent --zone=home --remove-service=ipp-client
firewall-cmd --permanent --zone=home --remove-service=mdns
firewall-cmd --permanent --zone=home --remove-service=samba-client
firewall-cmd --permanent --zone=home --remove-service=ssh
firewall-cmd --permanent --zone=internal --remove-service=dhcpv6-client
firewall-cmd --permanent --zone=internal --remove-service=ipp-client
firewall-cmd --permanent --zone=internal --remove-service=mdns
firewall-cmd --permanent --zone=internal --remove-service=samba-client
firewall-cmd --permanent --zone=internal --remove-service=ssh
firewall-cmd --permanent --zone=work --remove-service=dhcpv6-client
firewall-cmd --permanent --zone=work --remove-service=ipp-client
firewall-cmd --permanent --zone=work --remove-service=ssh
firewall-cmd --permanent --zone=public --remove-service=dhcpv6-client
firewall-cmd --permanent --zone=public --remove-service=ssh
firewall-cmd --permanent --zone=external --remove-masquerade
firewall-cmd --permanent --zone=external --remove-service=ssh
firewall-cmd --permanent --zone=dmz --remove-service=ssh

Create new zones

firewall-cmd --permanent --new-zone=zorgnet

Add subnets to zones

firewall-cmd --permanent --zone=public --add-source=0.0.0.0/0
firewall-cmd --permanent --zone=public --add-source=::/0
firewall-cmd --permanent --zone=zorgnet --add-source=10.108.108.0/24

Enable services on zones

firewall-cmd --permanent --zone=zorgnet --add-service=ssh
firewall-cmd --permanent --zone=zorgnet --add-service=ntp
firewall-cmd --permanent --zone=zorgnet --add-service=dns
firewall-cmd --permanent --zone=zorgnet --add-service=samba
firewall-cmd --permanent --zone=zorgnet --add-service=kerberos
firewall-cmd --permanent --zone=zorgnet --add-service=ldap
firewall-cmd --permanent --zone=zorgnet --add-service=ldaps
firewall-cmd --permanent --zone=zorgnet --add-port=135/tcp
firewall-cmd --permanent --zone=zorgnet --add-port=3268/tcp
firewall-cmd --permanent --zone=zorgnet --add-port=3269/tcp
firewall-cmd --permanent --zone=zorgnet --add-port=1024/tcp
firewall-cmd --permanent --zone=zorgnet --add-port=24542/tcp
firewall-cmd --permanent --zone=zorgnet --add-port=631/tcp

Set default zone

firewall-cmd --set-default-zone=zorgnet
systemctl enable firewalld
systemctl start firewalld
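firewalld stores every --permanent change as XML under /etc/firewalld/zones/, so the zorgnet zone built above ends up in /etc/firewalld/zones/zorgnet.xml. As an added example (not from the original page), the script below reads such a zone file and compares its services, ports and sources with the lists the commands above intend, reporting anything extra or missing, so a port opened "temporarily" later is caught. The parsing is plain grep/sed over firewalld's own element layout rather than a general XML parser; the zone file in the test is constructed.

```shell
#!/bin/sh
# Added example, not part of the original page. Audits a firewalld zone file
# (/etc/firewalld/zones/<zone>.xml, written by "firewall-cmd --permanent")
# against an allowlist of services and ports. The file path and the expected
# lists are arguments; parsing relies on firewalld's fixed element layout.

# Services enabled in a zone file, one per line, sorted.
zone_services() {
    grep -o '<service name="[^"]*"' "$1" | sed 's/.*name="//; s/"$//' | LC_ALL=C sort
}

# Ports enabled in a zone file as "port/proto", whatever the attribute order.
zone_ports() {
    grep -o '<port [^>]*>' "$1" | while read -r line; do
        port=$(printf '%s\n' "$line" | sed -n 's/.* port="\([^"]*\)".*/\1/p')
        proto=$(printf '%s\n' "$line" | sed -n 's/.* protocol="\([^"]*\)".*/\1/p')
        printf '%s/%s\n' "$port" "$proto"
    done | LC_ALL=C sort
}

# Source networks bound to the zone.
zone_sources() {
    grep -o '<source address="[^"]*"' "$1" | sed 's/.*address="//; s/"$//' | LC_ALL=C sort
}

# Compare the zone with space-separated expected lists, e.g.
#   audit_zone zorgnet.xml "ssh ntp dns samba kerberos ldap ldaps" "135/tcp 3268/tcp"
# Prints every extra or missing entry and returns 1 if the zone differs.
audit_zone() {
    file=$1; want_services=$2; want_ports=$3; rc=0
    a=$(mktemp); b=$(mktemp)
    zone_services "$file" > "$a"
    printf '%s\n' $want_services | sed '/^$/d' | LC_ALL=C sort > "$b"
    for s in $(LC_ALL=C comm -23 "$a" "$b"); do echo "extra service: $s"; rc=1; done
    for s in $(LC_ALL=C comm -13 "$a" "$b"); do echo "missing service: $s"; rc=1; done
    zone_ports "$file" > "$a"
    printf '%s\n' $want_ports | sed '/^$/d' | LC_ALL=C sort > "$b"
    for p in $(LC_ALL=C comm -23 "$a" "$b"); do echo "extra port: $p"; rc=1; done
    for p in $(LC_ALL=C comm -13 "$a" "$b"); do echo "missing port: $p"; rc=1; done
    rm -f "$a" "$b"
    return $rc
}

# Example for the zone created on this page:
#   audit_zone /etc/firewalld/zones/zorgnet.xml \
#       "ssh ntp dns samba kerberos ldap ldaps" \
#       "135/tcp 3268/tcp 3269/tcp 1024/tcp 24542/tcp 631/tcp"
```

Because the zone is the default zone and its only source is 10.108.108.0/24, anything that should not be reachable from that subnet has to be absent from this file; the audit is the cheap way to keep it that way after later `--add-port` experiments.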
nas_centos7.txt · Last modified: by herwarth