This document describes a Samba 4 AD domain controller installation.

Do a minimal installation of CentOS 7. I am using a VM in this example.

yum install open-vm-tools

useradd -g users -c "Herwarth Heitmann" -m -d /home/herwarth herwarth
passwd herwarth

/etc/ssh/sshd_config

PermitRootLogin no

systemctl restart sshd
systemctl disable kdump

/etc/sudoers.d/users

herwarth ALL=(ALL) ALL

Set the FQDN in /etc/hostname. Set the FQDN with IP in /etc/hosts

I know it is crap but we need to disable SElinux… Perhaps I am going to write my own policy later…

/etc/sysconfig/selinux

SELINUX=disabled

We have to use thrid-party rpm's because the default packages do not support Samba with AD domain controller functionality due to a Kerberos issue.

We need to create an account at sernet.de and add our user credentials in the repo file.

/etc/yum.repos.d/sernet-samba-4.1.repo

[sernet-samba-4.1]
name=SerNet Samba 4.1 Packages (rhel-7)
type=rpm-md
baseurl=https://<USERNAME>:<PASSWORD>@download.sernet.de/packages/samba/4.1/rhel/7/
gpgcheck=1
gpgkey=https://<USERNAME>:<PASSWORD>@download.sernet.de/packages/samba/4.1/rhel/7/repodata/repomd.xml.key
enabled=1

yum install sernet-samba-ad  sernet-samba

samba-tool domain provision --use-rfc2307 --interactive
ln -s /var/lib/samba/private/krb5.conf /etc/krb5.conf

/etc/default/sernet-samba

.
.
SAMBA_START_MODE="ad"
.
.

chkconfig sernet-samba-nmbd off
chkconfig sernet-samba-smbd off
chkconfig sernet-samba-winbindd off

samba-tool domain level raise --domain-level 2008_R2 --forest-level 2008_R2
samba-tool domain level show

/etc/samba/smb.conf

[users]
        path = /mnt/storage/users
        comment = user folders for redirection
        read only = No

• Log on to a Windows 7/8 client computer as a domain administrator that has been bound to the domain.
• Using Windows Explorer, use a fully qualified UNC path like this: \\samba.mydomain.com\
• You should see the following folders:

netlogon
sysvol
users

Do not delete 'netlogon' or 'sysvol' as they are required for your domain controller!

• Right-click on 'Users' and choose 'Properties', then click on the 'Security' tab. Configure exactly as follows:

• Configure the folder to not inherit permissions and remove all existing permissions. This means removing ALL groups or usernames. You may need to use the 'Advanced' button.
• Add the file server’s local Administrators group with Full Control of This Folder, Subfolders, and Files. You will need to click the 'Advanced' button 'For special permissions or advanced settings' and then 'Change Permissions'.
• Add the Domain Admins domain security group with Full Control of This Folder, Subfolders, and Files.
• Add the SYSTEM account with Full Control of This Folder, Subfolders, and Files.
• Add the Creator/Owner with Full Control of Subfolders and Files only.
• Add the Authenticated Users group with both List Folder/Read Data and Create Folders/Append Data – This Folder Only rights. The Authenticated Users group can be replaced with the desired group, but do not choose the Everyone group as a best practice. NOTE: Since I am using Samba4 I also needed to add, 'Traverse folder / execute file', 'Create files / write data', and 'Change permissions'. This is important or else folder redirection will not work!

Now make sure you 'Apply' all changes and click 'OK'. Double, triple check these permissions as this is the main cause of the folder redirection failure!

• Right-click on the 'Users' folder and enable 'Always available offline'. This will allow offline files to work and then sync any files once the client logs back onto the domain (good for laptop users). Do not enable this if it violates your company's security policy.
• As a precaution, restart Samba or reboot the server to make sure settings will stick. Once the Samba4 server has rebooted, double check all the permissions again and make sure 'Always available offline' is still enabled.

For the following to work it is assumed that you have configured your Samba 4 AD DC and have created some Organizational Units for your domain. You should also have a test user created and RSAT installed on your Windows client.

1. Log on to a Windows 7/8 client computer as a domain administrator that has been bound to the domain.
2. Launch the 'Group Policy Management' console:
3. Start → All Programs → Administrative Tools → Group Policy Management
4. Either select an already existing GPO that is applied to an OU or create a new one. Right-click the GPO and choose 'Edit'. Then go to:
5. User Configuration → Policies → Windows Settings → Folder Redirection
6. Right-click on 'Documents' and select 'Properties'. On the 'Target' tab configure as follows:
7. Setting: Basic - Redirect everyone's folder to the same location
8. Target folder location: Create a folder for each user under the root path. Root Path: \\samba.mydomain.com\Users
9. At the top select the 'Settings' tab and uncheck the 'Grant the User Exclusive Rights to Documents' check box. Leave the remaining check boxes unchanged.
10. Click OK to complete the folder redirection configuration. A pop-up opens that states that this policy will not display the Folder Redirection node if an administrator or user attempts to configure or view this group policy using policy management tools from Windows 2000, Windows XP, or Windows Server 2003. Click Yes to accept this warning and configure the folder redirection.
11. Back in the 'Group Policy Management Editor' window, close the GPO.
12. Make sure that the GPO has 'Authenticated Users' (or another security group you're using) listed in 'Security Filtering'.
13. Link the new GPO policy (if not done already) to an OU with a user account that can be used to test this policy. This user must log on to a Windows Vista/7/8 computer to allow proper processing of this policy.
14. Log on to a Windows Vista/7/8 system with the test user account. After the profile completes loading, click the Start button, and locate and right-click the Documents folder and then select Properties. Select the Location tab and verify the path. For example, for a user named Tom, the path should be \\samba.mydomain.com\Users\Tom\Documents.

Your folder redirection should now work. If you continue to have your 'Documents' folder path showing C:\Users\xxx and not the server share, it is most likely due to permissions on the root 'Users' folder. The NTFS permissions must be set correctly on the server share or folder redirection will fail.

Having the correct permissions set on the server share also protects users from accessing another user's files. If you set the permissions correctly as outlined in this howto you should be able to test this successfully.

firewall-cmd --permanent --zone=home --remove-service=dhcpv6-client
firewall-cmd --permanent --zone=home --remove-service=ipp-client
firewall-cmd --permanent --zone=home --remove-service=mdns
firewall-cmd --permanent --zone=home --remove-service=samba-client
firewall-cmd --permanent --zone=home --remove-service=ssh

firewall-cmd --permanent --zone=internal --remove-service=dhcpv6-client
firewall-cmd --permanent --zone=internal --remove-service=ipp-client
firewall-cmd --permanent --zone=internal --remove-service=mdns
firewall-cmd --permanent --zone=internal --remove-service=samba-client
firewall-cmd --permanent --zone=internal --remove-service=ssh

firewall-cmd --permanent --zone=work --remove-service=dhcpv6-client
firewall-cmd --permanent --zone=work --remove-service=ipp-client
firewall-cmd --permanent --zone=work --remove-service=ssh

firewall-cmd --permanent --zone=public --remove-service=dhcpv6-client
firewall-cmd --permanent --zone=public --remove-service=ssh

firewall-cmd --permanent --zone=external --remove-masquerade
firewall-cmd --permanent --zone=external --remove-service=ssh

firewall-cmd --permanent --zone=dmz --remove-service=ssh

firewall-cmd --permanent --new-zone=zorgnet

firewall-cmd --permanent --zone=public --add-source=0.0.0.0/0
firewall-cmd --permanent --zone=public --add-source=::/0

firewall-cmd --permanent --zone=zorgnet --add-source=10.108.108.0/24

firewall-cmd --permanent --zone=zorgnet --add-service=ssh
firewall-cmd --permanent --zone=zorgnet --add-service=ntp
firewall-cmd --permanent --zone=zorgnet --add-service=dns
firewall-cmd --permanent --zone=zorgnet --add-service=samba
firewall-cmd --permanent --zone=zorgnet --add-service=kerberos
firewall-cmd --permanent --zone=zorgnet --add-service=ldap
firewall-cmd --permanent --zone=zorgnet --add-service=ldaps
firewall-cmd --permanent --zone=zorgnet --add-port=135/tcp
firewall-cmd --permanent --zone=zorgnet --add-port=3268/tcp
firewall-cmd --permanent --zone=zorgnet --add-port=3269/tcp
firewall-cmd --permanent --zone=zorgnet --add-port=1024/tcp
firewall-cmd --permanent --zone=zorgnet --add-port=24542/tcp

firewall-cmd --set-default-zone=zorgnet

systemctl enable firewalld
systemctl start firewalld