Joining Linux to Windows Domain and folder redirection to Samba server

Posted: June 12, 2015 in Linux

Today we will join linux machine (Fedora 21 server) to Windows Domain,configure share folder and configure folder redirection GPO to samba server.

I am using KVM linux host (Fedora server 21), IP Address

KVM guest (CENTOS 7, has DHCP and DNS services installed and configured) with IP

KVM guest (Fedora server 2012),will be our samba server with IP192.168.122.10

Now i will install KVM guest Windows Server 2012,    IP adress 192.168.122,100

Installing Windows Domain Controler VM:

virt-install --cdrom /disk/Win_2012_64fre_server_eval_en-us-GRMSXEVAL_EN_DVD.iso --name "dc" --memory=4096 --file=/disk/dc.qcow2 --file-size=25 --vcpus=4 --os-type=windows

On terminal i typed command above,it will create virtual machine named dc,assign 4 GB of RAM,4 Core processors and

25 GB hard disk,installaton media would be ISO copied in /disk folder

After installation was completed,we can now configure WIndows server 2012:

First rename computer and restart (i used PowerShell commands):

Rename-computer dc -restart

After reboot,set Primary DNS suffix

netdom computername dc /
netdom computername dc /

Reboot again,

now we will set IP address,default gateway and primary DNS server (i will point DC to Linux DNS server,DNS role will not be installed on our Windows server)

New-NetIPAddress -interfacealias "ethernet" -ipaddress " -prefixlenght 24 -defaultgateway

Set-DNSClientServerAddres -interfacealias "ethernet" -ServerAddresses

Enable remote desktop connection and open firewall port

set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server'-name "fDenyTSConnections" -Value 0

Enable-NetFirewallRule -DisplayGroup "Remote Desktop"

On linux KVM host,open port 3389

firewall-cmd --add-port 3389 --permament

firewall-cmd --reload

I want to enable remote desktop connection to VM windows server,so i need to redirect all requests,received on KVM host’s port 3389 to windows server.

Strangely,firewall-cmd –add-forward-port command simply didn’t work,i couldn’t get port forwarding working

I seen on the internet someone also complained for same issue,it looks as a bug.

But IPTables commad works,at least until you,set another rule or restart computer,so do iptables-save>file_name

and after reboot reload rules iptables-reload<file_name

iptables -t nat -I PREROUTING -p tcp --dport 3389 -j DNAT --to-destination

iptables -I FORWARD -m state -d --state NEW,RELATED,ESTABLISHED -j ACCEPT

I can now access Windows domain controller (,hosted on from my lap-top (


Now we  need to allow windows machine to write to zone file on our linux dns server (

Here i described how to install DNS and allow dynamic updates,i bold changes in /etc/named.conf file:

acl “allowed” {;

options {
listen-on port 53 {;; };
listen-on-v6 port 53 { ::1; };
directory “/var/named”;
dump-file “/var/named/data/cache_dump.db”;
statistics-file “/var/named/data/named_stats.txt”;
memstatistics-file “/var/named/data/named_mem_stats.txt”;
allow-query { allowed; };
forwarders {;};

recursion yes;
allow-recursion {allowed;};

dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;

/* Path to ISC DLV key */
bindkeys-file “/etc/named.iscdlv.key”;

managed-keys-directory “/var/named/dynamic”;

pid-file “/run/named/”;
session-keyfile “/run/named/session.key”;

logging {
channel default_debug {
file “data/”;
severity dynamic;


key dhcp_updater {
algorithm hmac-md5;
secret “kfc1r6C2VwHGnKMi/NHt6w==”;

zone “.” IN {
type hint;
file “”;

include “/etc/named.rfc1912.zones”;
include “/etc/named.root.key”;
zone “” IN {
type master;
file “/var/named/chroot/etc/named/”;

allow-update {key “dhcp_updater”;;};

zone “” IN {
type master;

file “/var/named/chroot/etc/named/”;
allow-update {key “dhcp_updater“;;};

Now Server 2012 can update zone file

Installing ADDS services:

In powershell prompt type:

Install-windowsfeature ad-domain-services -IncludeManagementTools
import-module addsdeployement
Install-ADDSForest -creatednsdelegation:$false -databasepath "c:\windows:\ntds" '
-domainmode "win2012r2" -domainname "" -domainnetbiosname "EXAMPLE" -forestmode "win2012r2" -installdns:$false -logpath "c:\windows\ntds" '
-norebootoncompletion:$false -sysvolpath "c:\windows\sysvol" -force:$true


During installation,dc writes lots of records in zone file,as you can see from /var/log/messages:


After our DC was restarted,check zone file (

$TTL 10800    ; 3 hours        IN SOA (

2015052644 ; serial

86400      ; refresh (1 day)
3600       ; retry (1 hour)

604800     ; expire (1 week)

10800      ; minimum (3 hours)

$TTL 600    ;
10 minutes A
$TTL 10800    ; 3 hours
MX    10

$TTL 600    ; 10 minutes

5d11ccae-11e0-47ca-a9b0-998885292876 CNAME

_kerberos SRV    0 100 88
_ldap SRV    0 100 389
_kerberos SRV    0 100 88
_ldap SRV 0 100 389
$ORIGIN SRV 0 100 389
_ldap._tcp.Default-First-Site-Name._sites SRV 0 100 3268
_ldap._tcp SRV    0 100 3268
_ldap._tcp.pdc SRV0 100 389
_gc SRV    0 100 3268
_kerberos SRV    0 100 88
_ldap SRV 0 100 389
_gc SRV    0 100 3268
_kerberos SRV 100 88
_kpasswd    SRV 0 100 464
_ldap SRV    0 100 389
_kerberos        SRV    0 100 88
_kpasswd        SRV    0 100 464
$TTL 1200    ; 20 minutes
dc            A
$TTL 300    ; 5 minutes
localhost        A
TXT    “31b3e25f324398b385f0fa3ce3a53b3ccb”
$TTL 10800    ; 3 hours
server1            A

AS you can see,although we are using Bind DNS,Windows Active Directory works great.

Check SRV record:


Joining to domain

Now,go to and join it to domain

yum install samba* oddjob* ntp* sssd -y

synhronize time with DC
systemctl enable ntpd.service
systemctl start ntpd.service

systemctl enable oddjobd
systemctl start oddjobd
systmectl enable winbin
systemctl start winbind
systemctl start sssd

edit /etc/krb5.conf


default = FILE:/var/log/krb5libs.log

kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log


dns_lookup_realm = false
ticket_lifetime = 24h

renew_lifetime = 7d

forwardable = true

rdns = false
default_ccache_name = KEYRING:persistent:%{uid}

default_realm = EXAMPLE.COM
dns_lookup_kdc = true



kdc =
kdc =
kdc =
kdc =

[domain_realm] = EXAMPLE.COM

edit  /etc/samba/smb.conf


# Generated by authconfig on 2015/06/10 17:25:07
# DO NOT EDIT THIS SECTION (delimited by –start-line–/–end-line–)
# Any modification may be deleted or altered by authconfig in future

workgroup = EXAMPLE
password server = DC.EXAMPLE.COM
security = ads
idmap config * : range = 16777216-33554431
template shell = /bin/bash
kerberos method = secrets only
winbind use default domain = true
winbind offline logon = false


# ———————– Network-Related Options ————————-
# workgroup = the Windows NT domain name or workgroup name, for example, MYGROUP.
# server string = the equivalent of the Windows NT Description field.
# netbios name = used to specify a server name that is not tied to the hostname.
# interfaces = used to configure Samba to listen on multiple network interfaces.
# If you have multiple interfaces, you can use the “interfaces =” option to
# configure which of those interfaces Samba listens on. Never omit the localhost
# interface (lo).
# hosts allow = the hosts allowed to connect. This option can also be used on a
# per-share basis.
# hosts deny = the hosts not allowed to connect. This option can also be used on
# a per-share basis.
# max protocol = used to define the supported protocol. The default is NT1

; workgroup = MYGROUP
server string = Samba Server Version %v

; netbios name = MYSERVER

interfaces = lo ens3
hosts allow = 127. 192.168.122. 192.168.13.
; max protocol = SMB2

restart smb,winbind and oddjob services:

systemctl restart smb
systemctl restart oddjobd
systemctl restart winbind
open firwall ports:
firewall-cmd --add-port --service=samba --permanent
firewall-cmd --reload

join to the domain:

realm join –user=adminitrator@EXAMPLE.COM EXAMPLE.COM

You can avoid all this editing by simply typing
and populating fields:

click join domain,enter domain admin username.password and click apply
You shouldn’t have any problems,if yes,check /var/log/messages and /var/log/samba/log.winbind-

type realm list


If You get this screen everything is fine

Switch now to Domain Controllers,OU,create user and group

new-adorganizationalunit “test”

new-adgroup -name “test group” -groupscope “Global” -Groupcategory “Security” -path “ou=test,dc=example,dc=com”

new-aduser -name “tex willer” -userpincipalname “” -accountpassword (convertto-secure string “Passw0rd01” -asplaintxt -force) -changepasswordatlogon $false -path “ou=test,dc=example,dc=com” -enabled $true

add-adgroupmember -identity “test goup” -members “tex willer”

get-aduser ‘tex willer’ | select-object | fl


Now switch to samba server and type

wbinfo -u   # this command list AD users

wbinfo -g   #list AD groups


we can see now user tex willer and group “test group”

Let’s create shared folder now:

mkdir -p /srv/samba/Profiles/
chmod -R 770 /srv/samba/Profiles
chgrp "Domain Users" /srv/samba/Profiles

On the bottom on /etc/samba.smb.conf file add

 path = /srv/samba/Profiles/
 read only = no
 store dos attributes = Yes   #prevent showing hidden files and folders
 browseable = yes
 writable = yes
 public = yes

Edit /etc/pam.d/system-auth (your uid may vary,general rule is to type uid bigger than your domain user usedid

to find out id,log user to linux terminal (su “tex willer”), then type id (see uid value)

Util i set this,Samba has been rejecting my windows username/password

# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required
auth sufficient nullok try_first_pass
auth requisite uid >= 500 quiet_success
auth sufficient use_first_pass
auth required

account required broken_shadow
account sufficient
account sufficient uid < 36777216 quiet
account [default=bad success=ok user_unknown=ignore]
account required
In order for SELinux to allow write to share folder we must type
chcon -t samba_share_t /srv/samba/Profiles

edit /etc/nsswitch.conf file to configure systemt for looking at winbind if user cannot be found in

/etc/passwd file:

passwd: files winbind
shadow: files winbind
group: files winbind
Restart again smb,winbind,sssd and oddjobd services and try to access share from Windows Server 2012,you should see Profiles folder


Now and try to make folder/file.

Give Domain Users full control right to Profile folder (This folder only) and  List Folder/Read Data and Create Folders/Append Data (this folder only)
Domain Admins  security group should have Full Control of This Folder, Subfolders, and Files

Create GPO for folder redirection
User Configuration -> Policies -> Windows Settings -> Folder Redirection


Apply policy,log in as user,write create file/folder in Documents folder


And check Profiles folder:


Great !!,on samba share, tex willer folder is automatically created and all in Document folder is redirected.

  1. If some one needs expert view regarding blogging
    afterward i recommend him/her to go to see this webpage, Keep up the pleasant job.


  2. gpo modipla says:

    I’m extremely impressed with your writing abilities and also with the format
    for your weblog. Is that this a paid theme or did you
    modify it your self? Either way keep up the excellent quality writing, it’s rare to see a great
    blog like this one today..


  3. “Great Blogpost! Hello Admin! Thanks for this article, very good information, I will be_ forwarding this to some friends, if you’re ok with that. Greetings from Germany!”


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s