389 Directory Server:

The 389 directory server is a LDAP (Lightweight directory access protocol) server developed by
Red Hat. The name 389 is derived from the LDAP port number. Though 389 server is being built
on top of fedora, it supports many operating system such as CentOS, Scientific Linux, Debian
and solaris etc.

Features:

Multi-Master Replication, to provide fault tolerance and high write performance

Scalability: thousands of operations per second, tens of thousands of concurrent users,
tens of millions of entries, hundreds of gigabytes of data
The codebase has been developed and deployed continuously by the same team for more
than a decade
Extensive documentation, including helpful Installation and Deployment guides
Active Directory user and group synchronization
Secure authentication and transport (SSLv3, TLSv1, and SASL)
Support for LDAPv3
On-line, zero downtime, LDAP-based update of schema, configuration, management and
in-tree Access Control Information (ACIs)
Graphical console for all facets of user, group, and server management

Prerequistes:
1. Make sure that your server is properly configured with DNS server with proper FQDN.
Navigate to this link to congure your DNS server.
2. Configure the firewall to allow LDAP ports in your server. To do that open the iptables
config file and enter the lines as shown below. Changes which i have made in the config
files are shown in bold letters.
[root@server ~]# nano /etc/sysconfig/iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 636 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 9830 -j ACCEPT
COMMIT

1. Restart iptables to save the changes.

[root@server ~]# service iptables restart
iptables: Flushing firewall rules:
iptables: Setting chains to policy ACCEPT: filter
iptables: Unloading modules:
iptables: Applying firewall rules:

[
[
[
[

OK
OK
OK
OK

]
]
]
]

1. Add and install the EPEL repository to install 389ds package.

[root@server ~]# wget http://dl.fedoraproject.org/pub/epel/6/i386/epelrelease-6-8.noarch.rpm
--2013-02-05 13:00:46-- http://dl.fedoraproject.org/pub/epel/6/i386/epelrelease-6-8.noarch.rpm
Resolving dl.fedoraproject.org... 209.132.181.23, 209.132.181.24,
209.132.181.25, ...
Connecting to dl.fedoraproject.org|209.132.181.23|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 14540 (14K) [application/x-rpm]
Saving to: `epel-release-6-8.noarch.rpm'
100%[======================================>] 14,540
30.9K/s
in
0.5s
2013-02-05 13:00:48 (30.9 KB/s) - `epel-release-6-8.noarch.rpm' saved
[14540/14540]
[root@server ~]# rpm -ivh epel-release-6-8.noarch.rpm
warning: epel-release-6-8.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID
0608b895: NOKEY
Preparing...
###########################################
[100%]
1:epel-release
###########################################
[100%]

1. Before start to install and configure 389 directory server we should adjust some
performance and security settings in the server.
5.1. Open the /etc/sysctl.conf file and add the lines as shown below. Changes which i have made
in the config files are shown in bold letters.
[root@server ~]# nano /etc/sysctl.conf
#
# Kernel sysctl configuration file for Red Hat Linux
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.
# Controls IP packet forwarding
net.ipv4.ip_forward = 0
# Controls source route verification
net.ipv4.conf.default.rp_filter = 1
# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0
# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0
# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1

# Controls the use of TCP syncookies

net.ipv4.tcp_syncookies = 1
# Disable netfilter on bridges.
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
# Controls the default maxmimum size of a mesage queue
kernel.msgmnb = 65536
# Controls the maximum size of a message, in bytes
kernel.msgmax = 65536
# Controls the maximum shared segment size, in bytes
kernel.shmmax = 4294967295
# Controls the maximum number of shared memory segments, in pages
kernel.shmall = 268435456
net.ipv4.tcp_keepalive_time = 300
net.ipv4.ip_local_port_range = 1024 65000
fs.file-max = 64000

Check the changes you have made before.

[root@server ~]# sysctl -p
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
error: "net.bridge.bridge-nf-call-ip6tables" is an unknown key
error: "net.bridge.bridge-nf-call-iptables" is an unknown key
error: "net.bridge.bridge-nf-call-arptables" is an unknown key
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 4294967295
kernel.shmall = 268435456
net.ipv4.tcp_keepalive_time = 300
net.ipv4.ip_local_port_range = 1024 65000
fs.file-max = 64000

5.2. Edit the file descriptors in /etc/security/limits.conf file and add the lines as shown below at
the end. Changes which i have made in the config files are shown in bold letters.
[root@server ~]# nano /etc/security/limits.conf
# /etc/security/limits.conf
#
#Each line describes a limit for a user in the form:
#
#<domain>
<type> <item> <value>
#
#Where:
#<domain> can be:
#
- an user name
#
- a group name, with @group syntax
#
- the wildcard *, for default entry
#
- the wildcard %, can be also used with %group syntax,
#
for maxlogin limit

#
#<type> can have the two values:
#
- "soft" for enforcing the soft limits
#
- "hard" for enforcing hard limits
#
#<item> can be one of the following:
#
- core - limits the core file size (KB)
#
- data - max data size (KB)
#
- fsize - maximum filesize (KB)
#
- memlock - max locked-in-memory address space (KB)
#
- nofile - max number of open files
#
- rss - max resident set size (KB)
#
- stack - max stack size (KB)
#
- cpu - max CPU time (MIN)
#
- nproc - max number of processes
#
- as - address space limit (KB)
#
- maxlogins - max number of logins for this user
#
- maxsyslogins - max number of logins on the system
#
- priority - the priority to run user process with
#
- locks - max number of file locks the user can hold
#
- sigpending - max number of pending signals
#
- msgqueue - max memory used by POSIX message queues (bytes)
#
- nice - max nice priority allowed to raise to values: [-20, 19]
#
- rtprio - max realtime priority
#
#<domain>
<type> <item>
<value>
#
#*
soft
core
0
#*
hard
rss
10000
#@student
hard
nproc
20
#@faculty
soft
nproc
20
#@faculty
hard
nproc
50
#ftp
hard
nproc
0
#@student
maxlogins
4
# End of file
*softnofile8192
*hardnofile8192

5.3. Open the /etc/profile file and add the line as shown below. Changes are shown in bold.
[root@server ~]# nano /etc/profile
# /etc/profile
# System wide environment and startup programs, for login setup
# Functions and aliases go in /etc/bashrc
# It's NOT a good idea to change this file unless you know what you
# are doing. It's much better to create a custom.sh shell script in
# /etc/profile.d/ to make custom changes to your environment, as this
# will prevent the need for merging in future updates.
pathmunge () {
case ":${PATH}:" in
*:"$1":*)
;;
*)
if [ "$2" = "after" ] ; then
PATH=$PATH:$1
else

PATH=$1:$PATH
fi
esac
}
if [ -x /usr/bin/id ]; then
if [ -z "$EUID" ]; then
# ksh workaround
EUID=`id -u`
UID=`id -ru`
fi
USER="`id -un`"
LOGNAME=$USER
MAIL="/var/spool/mail/$USER"
fi
# Path manipulation
if [ "$EUID" = "0" ]; then
pathmunge /sbin
pathmunge /usr/sbin
pathmunge /usr/local/sbin
else
pathmunge /usr/local/sbin after
pathmunge /usr/sbin after
pathmunge /sbin after
fi
HOSTNAME=`/bin/hostname 2>/dev/null`
HISTSIZE=1000
if [ "$HISTCONTROL" = "ignorespace" ] ; then
export HISTCONTROL=ignoreboth
else
export HISTCONTROL=ignoredups
fi
export PATH USER LOGNAME MAIL HOSTNAME HISTSIZE HISTCONTROL
# By default, we want umask to get set. This sets it for login shell
# Current threshold for system reserved uid/gids is 200
# You could check uidgid reservation validity in
# /usr/share/doc/setup-*/uidgid file
if [ $UID -gt 199 ] && [ "`id -gn`" = "`id -un`" ]; then
umask 002
else
umask 022
fi
for i in /etc/profile.d/*.sh ; do
if [ -r "$i" ]; then
if [ "${-#*i}" != "$-" ]; then
. "$i"
else
. "$i" >/dev/null 2>&1
fi
fi
done
unset i
unset pathmunge
ulimit-n8192

5.4. Add the following to the end of your /etc/pam.d/login file as shown below. Changes which i
have made in the config files are shown in bold letters.
[root@server ~]# nano /etc/pam.d/login
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad]
pam_securetty.so
auth
include
system-auth
account
required
pam_nologin.so
account
include
system-auth
password
include
system-auth
# pam_selinux.so close should be the first session rule
session
required
pam_selinux.so close
session
required
pam_loginuid.so
session
optional
pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in
the user context
session
required
pam_selinux.so open
session
required
pam_namespace.so
session
optional
pam_keyinit.so force revoke
session
include
system-auth
-session
optional
pam_ck_connector.so
session
required
/lib/security/pam_limits.so

1. Add a user called fedora-ds.

[root@server ~]# useradd fedora-ds
[root@server ~]# passwd fedora-ds
Changing password for user fedora-ds.
New password:
BAD PASSWORD: it is based on a dictionary word
Retype new password:
passwd: all authentication tokens updated successfully.

Install LDAP server:

[root@server ~]# yum install 389-ds openldap-clients -y

Confiure 389 Directory server

[root@server ~]# setup-ds-admin.pl
=============================================================================
=
This program will set up the 389 Directory and Administration Servers.
It is recommended that you have "root" privilege to set up the software.
Tips for using this program:
- Press "Enter" to choose the default and go to the next screen
- Type "Control-B" then "Enter" to go back to the previous screen
- Type "Control-C" to cancel the setup program
Would you like to continue with set up? [yes]: ##press enter##
=============================================================================
=
Your system has been scanned for potential problems, missing patches,

etc. The following output is a report of the items found that need to
be addressed before running this software in a production
environment.
389 Directory Server system tuning analysis version 10-AUGUST-2007.
NOTICE : System is i686-unknown-linux2.6.32-279.el6.i686 (1 processor).
WARNING: 622MB of physical memory is available on the system. 1024MB is
recommended for best performance on large production system.
WARNING: There are only 1024 file descriptors (soft limit) available, which
limit the number of simultaneous connections.
WARNING : The warning messages above should be reviewed before proceeding.
Would you like to continue? [no]: yes ##type yes and press enter##
=============================================================================
=
Choose a setup type:
1. Express
Allows you to quickly set up the servers using the most
common options and pre-defined defaults. Useful for quick
evaluation of the products.
2. Typical
Allows you to specify common defaults and options.
3. Custom
Allows you to specify more advanced options. This is
recommended for experienced server administrators only.
To accept the default shown in brackets, press the Enter key.
Choose a setup type [2]: 2 ##type 2 and press enter##
=============================================================================
=
Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: eros.example.com.
To accept the default shown in brackets, press the Enter key.
Warning: This step may take a few minutes if your DNS servers
can not be reached or if DNS is not configured correctly. If
you would rather not wait, hit Ctrl-C and run this program again
with the following command line option to specify the hostname:
General.FullMachineName=your.hostname.domain.name
Computer name [server.ostechnix.com]: ##press enter##
=============================================================================
=
The servers must run as a specific user in a specific group.
It is strongly recommended that this user should have no privileges
on the computer (i.e. a non-root user). The setup procedure
will give this user/group some permissions in specific paths/files
to perform server-specific operations.
If you have not yet created a user and group for the servers,
create this user and group using your native operating
system utilities.
System User [nobody]: fedora-ds ##input your yourname which you created
earlier and press enter##
System Group [nobody]: fedora-ds
=============================================================================
=
Server information is stored in the configuration directory server.
This information is used by the console and administration server to
configure and manage your servers. If you have already set up a
configuration directory server, you should register any servers you

set up or create with the configuration server. To do so, the

following information about the configuration server is required: the
fully qualified host name of the form
<hostname>.<domainname>(e.g. hostname.example.com), the port number
(default 389), the suffix, the DN and password of a user having
permission to write the configuration information, usually the
configuration directory administrator, and if you are using security
(TLS/SSL). If you are using TLS/SSL, specify the TLS/SSL (LDAPS) port
number (default 636) instead of the regular LDAP port number, and
provide the CA certificate (in PEM/ASCII format).
If you do not yet have a configuration directory server, enter 'No' to
be prompted to set up one.
Do you want to register this software with an existing
configuration directory server? [no]: ##press enter##
=============================================================================
=
Please enter the administrator ID for the configuration directory
server. This is the ID typically used to log in to the console. You
will also be prompted for the password.
Configuration directory server
administrator ID [admin]: ##enter the password and press enter##
Password:
Password (confirm):
=============================================================================
=
The information stored in the configuration directory server can be
separated into different Administration Domains. If you are managing
multiple software releases at the same time, or managing information
about multiple domains, you may use the Administration Domain to keep
them separate.
If you are not using administrative domains, press Enter to select the
default. Otherwise, enter some descriptive, unique name for the
administration domain, such as the name of the organization
responsible for managing the domain.
Administration Domain [ostechnix.com]: ##press enter##
=============================================================================
=
The standard directory server network port number is 389. However, if
you are not logged as the superuser, or port 389 is in use, the
default value will be a random unused port number greater than 1024.
If you want to use port 389, make sure that you are logged in as the
superuser, that port 389 is not in use.
Directory server network port [389]: ##press enter##
=============================================================================
=
Each instance of a directory server requires a unique identifier.
This identifier is used to name the various
instance specific files and directories in the file system,
as well as for other uses as a server instance identifier.
Directory server identifier [server]: ##press enter##
=============================================================================
=
The suffix is the root of your directory tree. The suffix must be a valid
DN.
It is recommended that you use the dc=domaincomponent suffix convention.
For example, if your domain is example.com,
you should use dc=example,dc=com for your suffix.

Setup will create this initial suffix for you,

but you may have more than one suffix.
Use the directory server utilities to create additional suffixes.
Suffix [dc=ostechnix, dc=com]: ##press enter##
=============================================================================
=
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and typically has a
bind Distinguished Name (DN) of cn=Directory Manager.
You will also be prompted for the password for this user. The password must
be at least 8 characters long, and contain no spaces.
Press Control-B or type the word "back", then Enter to back up and start
over.
Directory Manager DN [cn=Directory Manager]: ##press enter##
Password:
Password (confirm):
=============================================================================
=
The Administration Server is separate from any of your web or application
servers since it listens to a different port and access to it is
restricted.
Pick a port number between 1024 and 65535 to run your Administration
Server on. You should NOT use a port number which you plan to
run a web or application server on, rather, select a number which you
will remember and which will not be used for anything else.
Administration port [9830]: ##press enter##
=============================================================================
=
The interactive phase is complete. The script will now set up your
servers. Enter No or go Back if you want to change something.
Are you ready to set up your servers? [yes]:
Creating directory server . . .
Your new DS instance 'server' was successfully created.
Creating the configuration directory server . . .
Beginning Admin Server creation . . .
Creating Admin Server files and directories . . .
Updating adm.conf . . .
Updating admpw . . .
Registering admin server with the configuration directory server . . .
Updating adm.conf with information from configuration directory server . . .
Updating the configuration for the httpd engine . . .
Starting admin server . . .
output: Starting dirsrv-admin:
output:
[ OK ]
The admin server was successfully started.
Admin server was successfully created, configured, and started.
Exiting . . .
Log file is '/tmp/setupkmf7gF.log'

Test LDAP server

[root@server ~]# ldapsearch -x -b "dc=ostechnix,dc=com"
# extended LDIF
#
# LDAPv3
# base <dc=ostechnix,dc=com> with scope subtree

# filter: (objectclass=*)
# requesting: ALL
#
# ostechnix.com
dn: dc=ostechnix,dc=com
objectClass: top
objectClass: domain
dc: ostechnix
# Directory Administrators, ostechnix.com
dn: cn=Directory Administrators,dc=ostechnix,dc=com
objectClass: top
objectClass: groupofuniquenames
cn: Directory Administrators
uniqueMember: cn=Directory Manager
# Groups, ostechnix.com
dn: ou=Groups,dc=ostechnix,dc=com
objectClass: top
objectClass: organizationalunit
ou: Groups
# People, ostechnix.com
dn: ou=People,dc=ostechnix,dc=com
objectClass: top
objectClass: organizationalunit
ou: People
# Special Users, ostechnix.com
dn: ou=Special Users,dc=ostechnix,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Special Users
description: Special Administrative Accounts
# Accounting Managers, Groups, ostechnix.com
dn: cn=Accounting Managers,ou=Groups,dc=ostechnix,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: Accounting Managers
ou: groups
description: People who can manage accounting entries
uniqueMember: cn=Directory Manager
# HR Managers, Groups, ostechnix.com
dn: cn=HR Managers,ou=Groups,dc=ostechnix,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: HR Managers
ou: groups
description: People who can manage HR entries
uniqueMember: cn=Directory Manager
# QA Managers, Groups, ostechnix.com
dn: cn=QA Managers,ou=Groups,dc=ostechnix,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: QA Managers
ou: groups
description: People who can manage QA entries
uniqueMember: cn=Directory Manager
# PD Managers, Groups, ostechnix.com
dn: cn=PD Managers,ou=Groups,dc=ostechnix,dc=com
objectClass: top

objectClass: groupOfUniqueNames
cn: PD Managers
ou: groups
description: People who can manage engineer entries
uniqueMember: cn=Directory Manager
# search result
search: 2
result: 0 Success
# numResponses: 10
# numEntries: 9

If you get search: 2 anywhere in the above result youre done. LDAP server is working now.
Make the LDAP server to start automatically on every reboot.
[root@server ~]# chkconfig dirsrv on

http://sysads.co.uk/2014/05/install-apache-directory-server-2-0-0-m16-ubuntu-14-04/

https://help.ubuntu.com/community/ApacheDS%20-%20LDAP%20-%20Kerberos%20-%20NFS4

https://www.microsoft.com/en-us/download/details.aspx?id=7887

http://www.turnkeylinux.org/domain-controller

Folder Redirection using Group Policy - Samba 4 AD DC

I must give credit where credit is due. I found this excellent article which details configuring the
NTFS share and creating the group policy object for Windows Server 2008:
Configuring Folder Redirection in Windows Server 2008

What You Must Have

This article assumes you have the following:

Fully functional Samba 4 active directory domain controller installed and operational. (Please
see my Samba 4 howto for further information)
You have attached at least one Windows 7/8 client to the domain.
Remote Server Administration Tools is installed on your Windows host that will be accessing
your domain controller.
You have a basic understanding of Active Directory and working with group policy.

Basic Rules to Remember

1. Do not create user folders manually within the server share (i.e. \\server\users\username). You
need to allow the system to create these folders automatically so the correct NTFS permissions
will be applied.
2. Enable client-side caching to utilize offline file synchronization. This has been tested and works
fine on a Samba 4 domain controller when using Windows clients. Depending on your
organization's security policies, you may want to disable this feature.
3. You must use fully qualified UNC paths even when accessing your network share via a file
manager such as Windows Explorer.
4. Depending on your version of Samba 4, your installation path may vary. This howto is using a
samba 4 installation via git and therefore the installation path is /usr/local/samba. Edit your
'smb.conf' file where appropriate.

Create the 'root' Network Share

This example is using the Samba 4 domain controller itself to host the network shares. If this is
unacceptable to you or you wish to use another file server for your network shares, simply make
the changes necessary where needed. If you are using a Samba 4 domain member that is not a
DC, you will still need to set the NTFS permissions as outlined below.
To create the network share on the Samba 4 AD DC (or another samba 4 domain member),
simply follow these steps:
1. As root user on your Samba 4 DC, use 'vi' or your favourite text editor and append your
'smb.conf' to contain this:
[Users]
path = /data/Users
comment = user folders for redirection
read only = No

Save the file and exit 'vi'.

2. Create the directory 'Users' in the path you specified above:

# mkdir -p /data/Users

3. Restart samba or reboot the server.

NOTE: Now for folder redirection to work properly, YOU MUST configure the NTFS as
follows on the Samba4 server.
4. Log on to a Windows 7/8 client computer as a domain administrator that has been bound to
the domain.
5. Using Windows Explorer, use a fully qualified UNC path like this:
\\samba.mydomain.com\

Substitute for your servername and domain above.

6. You should see the following folders:
netlogon
sysvol
Users

Do not delete 'netlogon' or 'sysvol' as they are required for your domain controller!
7. Right-click on 'Users' and choose 'Properties', then click on the 'Security' tab. Configure
exactly as follows:

Configure the folder to not inherit permissions and remove all existing permissions. This means
removing ALL groups or usernames. You may need to use the 'Advanced' button.
Add the file servers local Administrators group with Full Control of This Folder, Subfolders, and
Files. You will need to click the 'Advanced' button 'For special permissions or advanced settings'
and then 'Change Permissions'.
Add the Domain Admins domain security group with Full Control of This Folder, Subfolders, and
Files.
Add the SYSTEM account with Full Control of This Folder, Subfolders, and Files.
Add the Creator/Owner with Full Control of Subfolders and Files only.
Add the Authenticated Users group with both List Folder/Read Data and Create Folders/Append
Data This Folder Only rights. The Authenticated Users group can be replaced with the desired
group, but do not choose the Everyone group as a best practice. NOTE: Since I am using Samba4
I also needed to add, 'Traverse folder / execute file', 'Create files / write data', and 'Change
permissions'. This is important or else folder redirection will not work!
Now make sure you 'Apply' all changes and click 'OK'. Double, triple check these permissions as
this is the main cause of the folder redirection failure!

8. Right-click on the 'Users' folder and enable 'Always available offline'. This will allow offline
files to work and then sync any files once the client logs back onto the domain (good for laptop
users). Do not enable this if it violates your company's security policy.
9. As a precaution, restart Samba or reboot the server to make sure settings will stick. Once the
Samba4 server has rebooted, double check all the permissions again and make sure 'Always
available offline' is still enabled.
If everything appears to be okay, you can now create the GPO for folder redirection.

Create the Folder Redirection GPO

For the following to work it is assumed that you have configured your Samba 4 AD DC and have
created some Organizational Units for your domain. You should also have a test user created and
RSAT installed on your Windows client.
1. Log on to a Windows 7/8 client computer as a domain administrator that has been bound to
the domain.
2. Launch the 'Group Policy Management' console:
Start -> All Programs -> Administrative Tools -> Group Policy Management

3. Either select an already existing GPO that is applied to an OU or create a new one. Right-click
the GPO and choose 'Edit'. Then go to:
User Configuration -> Policies -> Windows Settings -> Folder Redirection

4. Right-click on 'Documents' and select 'Properties'. On the 'Target' tab configure as follows:
Setting: Basic - Redirect everyone's folder to the same location
Target folder location: Create a folder for each user under the root path
Root Path: \\samba.mydomain.com\Users

NOTE: You should notice a preview at the bottom showing 'For user Clair, this folder will be
redirected to: \\samba.mydomain.com\Users\Clair\Documents'
5. At the top select the 'Settings' tab and uncheck the 'Grant the User Exclusive Rights to
Documents' check box. Leave the remaining check boxes unchanged.
6. Click OK to complete the folder redirection configuration. A pop-up opens that states that this
policy will not display the Folder Redirection node if an administrator or user attempts to
configure or view this group policy using policy management tools from Windows 2000,

Windows XP, or Windows Server 2003. Click Yes to accept this warning and configure the
folder redirection.
7. Back in the 'Group Policy Management Editor' window, close the GPO.
8. Make sure that the GPO has 'Authenticated Users' (or another security group you're using)
listed in 'Security Filtering'.
9. Link the new GPO policy (if not done already) to an OU with a user account that can be used
to test this policy. This user must log on to a Windows Vista/7/8 computer to allow proper
processing of this policy.
10. Log on to a Windows Vista/7/8 system with the test user account. After the profile completes
loading, click the Start button, and locate and right-click the Documents folder and then select
Properties. Select the Location tab and verify the path. For example, for a user named Tom, the
path should be \\samba.mydomain.com\Users\Tom\Documents.
Your folder redirection should now work. If you continue to have your 'Documents' folder path
showing C:\Users\xxx and not the server share, it is most likely due to permissions on the root
'Users' folder. The NTFS permissions must be set correctly on the server share or folder
redirection will fail.
Having the correct permissions set on the server share also protects users from accessing another
user's files. If you set the permissions correctly as outlined in this howto you should be able to
test this successfully.

Troubleshooting
You may have to run 'gpupdate' as an admin from the command line on the windows 7 client.
However, a reboot should force the GPO to update on the Windows host.
I noticed I had to reboot the Win 7 client twice in a row after logging in as the test user. Once I
did this twice then my redirections worked.
You may need to reboot the Samba 4 AD DC for permissions to stick on the 'Users\username'
folders. This may not be necessary but worth an attempt if you experience problems.
I must give credit where credit is due. I found this excellent article which details configuring the
NTFS share and creating the group policy object for Windows Server 2008:
Configuring Folder Redirection in Windows Server 2008

What You Must Have

This article assumes you have the following:

Fully functional Samba 4 active directory domain controller installed and operational. (Please
see my Samba 4 howto for further information)
You have attached at least one Windows 7/8 client to the domain.
Remote Server Administration Tools is installed on your Windows host that will be accessing
your domain controller.
You have a basic understanding of Active Directory and working with group policy.

Basic Rules to Remember

1. Do not create user folders manually within the server share (i.e. \\server\users\username). You
need to allow the system to create these folders automatically so the correct NTFS permissions
will be applied.
2. Enable client-side caching to utilize offline file synchronization. This has been tested and works
fine on a Samba 4 domain controller when using Windows clients. Depending on your
organization's security policies, you may want to disable this feature.
3. You must use fully qualified UNC paths even when accessing your network share via a file
manager such as Windows Explorer.
4. Depending on your version of Samba 4, your installation path may vary. This howto is using a
samba 4 installation via git and therefore the installation path is /usr/local/samba. Edit your
'smb.conf' file where appropriate.

Create the 'root' Network Share

This example is using the Samba 4 domain controller itself to host the network shares. If this is
unacceptable to you or you wish to use another file server for your network shares, simply make
the changes necessary where needed. If you are using a Samba 4 domain member that is not a
DC, you will still need to set the NTFS permissions as outlined below.
To create the network share on the Samba 4 AD DC (or another samba 4 domain member),
simply follow these steps:
1. As root user on your Samba 4 DC, use 'vi' or your favourite text editor and append your
'smb.conf' to contain this:
[Users]
path = /data/Users
comment = user folders for redirection
read only = No

Save the file and exit 'vi'.

2. Create the directory 'Users' in the path you specified above:
# mkdir -p /data/Users

3. Restart samba or reboot the server.

NOTE: Now for folder redirection to work properly, YOU MUST configure the NTFS as
follows on the Samba4 server.
4. Log on to a Windows 7/8 client computer as a domain administrator that has been bound to
the domain.
5. Using Windows Explorer, use a fully qualified UNC path like this:
\\samba.mydomain.com\

Substitute for your servername and domain above.

6. You should see the following folders:
netlogon
sysvol
Users

Do not delete 'netlogon' or 'sysvol' as they are required for your domain controller!
7. Right-click on 'Users' and choose 'Properties', then click on the 'Security' tab. Configure
exactly as follows:

Configure the folder to not inherit permissions and remove all existing permissions. This means
removing ALL groups or usernames. You may need to use the 'Advanced' button.
Add the file servers local Administrators group with Full Control of This Folder, Subfolders, and
Files. You will need to click the 'Advanced' button 'For special permissions or advanced settings'
and then 'Change Permissions'.
Add the Domain Admins domain security group with Full Control of This Folder, Subfolders, and
Files.
Add the SYSTEM account with Full Control of This Folder, Subfolders, and Files.
Add the Creator/Owner with Full Control of Subfolders and Files only.
Add the Authenticated Users group with both List Folder/Read Data and Create Folders/Append
Data This Folder Only rights. The Authenticated Users group can be replaced with the desired
group, but do not choose the Everyone group as a best practice. NOTE: Since I am using Samba4
I also needed to add, 'Traverse folder / execute file', 'Create files / write data', and 'Change
permissions'. This is important or else folder redirection will not work!
Now make sure you 'Apply' all changes and click 'OK'. Double, triple check these permissions as
this is the main cause of the folder redirection failure!

8. Right-click on the 'Users' folder and enable 'Always available offline'. This will allow offline
files to work and then sync any files once the client logs back onto the domain (good for laptop
users). Do not enable this if it violates your company's security policy.
9. As a precaution, restart Samba or reboot the server to make sure settings will stick. Once the
Samba4 server has rebooted, double check all the permissions again and make sure 'Always
available offline' is still enabled.
If everything appears to be okay, you can now create the GPO for folder redirection.

Create the Folder Redirection GPO

For the following to work it is assumed that you have configured your Samba 4 AD DC and have
created some Organizational Units for your domain. You should also have a test user created and
RSAT installed on your Windows client.
1. Log on to a Windows 7/8 client computer as a domain administrator that has been bound to
the domain.
2. Launch the 'Group Policy Management' console:
Start -> All Programs -> Administrative Tools -> Group Policy Management

3. Either select an already existing GPO that is applied to an OU or create a new one. Right-click
the GPO and choose 'Edit'. Then go to:
User Configuration -> Policies -> Windows Settings -> Folder Redirection

4. Right-click on 'Documents' and select 'Properties'. On the 'Target' tab configure as follows:
Setting: Basic - Redirect everyone's folder to the same location
Target folder location: Create a folder for each user under the root path
Root Path: \\samba.mydomain.com\Users

NOTE: You should notice a preview at the bottom showing 'For user Clair, this folder will be
redirected to: \\samba.mydomain.com\Users\Clair\Documents'
5. At the top select the 'Settings' tab and uncheck the 'Grant the User Exclusive Rights to
Documents' check box. Leave the remaining check boxes unchanged.
6. Click OK to complete the folder redirection configuration. A pop-up opens that states that this
policy will not display the Folder Redirection node if an administrator or user attempts to
configure or view this group policy using policy management tools from Windows 2000,

Windows XP, or Windows Server 2003. Click Yes to accept this warning and configure the
folder redirection.
7. Back in the 'Group Policy Management Editor' window, close the GPO.
8. Make sure that the GPO has 'Authenticated Users' (or another security group you're using)
listed in 'Security Filtering'.
9. Link the new GPO policy (if not done already) to an OU with a user account that can be used
to test this policy. This user must log on to a Windows Vista/7/8 computer to allow proper
processing of this policy.
10. Log on to a Windows Vista/7/8 system with the test user account. After the profile completes
loading, click the Start button, and locate and right-click the Documents folder and then select
Properties. Select the Location tab and verify the path. For example, for a user named Tom, the
path should be \\samba.mydomain.com\Users\Tom\Documents.
Your folder redirection should now work. If you continue to have your 'Documents' folder path
showing C:\Users\xxx and not the server share, it is most likely due to permissions on the root
'Users' folder. The NTFS permissions must be set correctly on the server share or folder
redirection will fail.
Having the correct permissions set on the server share also protects users from accessing another
user's files. If you set the permissions correctly as outlined in this howto you should be able to
test this successfully.

Troubleshooting
You may have to run 'gpupdate' as an admin from the command line on the windows 7 client.
However, a reboot should force the GPO to update on the Windows host.
I noticed I had to reboot the Win 7 client twice in a row after logging in as the test user. Once I
did this twice then my redirections worked.
You may need to reboot the Samba 4 AD DC for permissions to stick on the 'Users\username'
folders. This may not be necessary but worth an attempt if you experience problems.
http://www.linuxscrew.com/2008/07/04/openldap-samba-domain-controller-on-debian-or-ubuntu/

http://www.topbestalternatives.com/2014/top-5-alternatives-to-microsoft-active-directory/

http://www.mactech.com/articles/mactech/Vol.25/25.01/IntegratingOSXWithOpenLDAPandSambaPart2/index.html

http://www.shabangs.net/zentyal/centralizing-usergroup-management-for-mac-osx-with-zentyal/

http://blog.pluralsight.com/join-mac-to-windows-domain

http://macosx.com/threads/join-to-a-samba-pdc.273499/

https://4sysops.com/archives/how-to-join-a-mac-os-x-computer-to-active-directory/

My scenario:
My domain controller is on a remote location and I've got my router
(Mikrotik) setup to create a PPTP tunnel to the w2k8 server as a domain
user, NAT and routes setup accordingly, not covered here.
Desktop computer running OSX ML 10.8.4 (mine is a custom build)
Domain: example.local
PDC: samba.example.local (10.10.10.5) Samba4
BDC1: bdc.example.local (10.10.10.20) Samba4
BDC2: w2k8.example.local (10.10.10.15) W2K8 R2
Now for the exciting part
1. Configure OSX for Kerberos authentication
Copy krb5.conf from your Samba4 Domain controller to your Mac then
from a Terminal:
|$ sudo mv /Path/To/krb5.conf /etc/|
|$ sudo chown root:wheel /etc/krb5.conf|
|$ sudo chmod ||644| |/etc/krb5.conf|
Confirm that you can successfully obtain a Kerberos Ticket Granting
Ticket (TGT):
Use "kinit" with your username to generate a ticket. Use "kilst" to show
that your userID has a "krbtgt" ticket, then use "kdestroy" to
destroy/invalidate the ticket.
Last login: Sat Jun 22 20:59:53 on console
localhost:~ dave$ kinit david [PRESS ENTER]
david at EXAMPLE.LOCAL's Password: [ENTER USER'S PASSWORD]
localhost:~ dave$ klist [PRESS ENTER]
Credentials cache: API:501:5
Principal: david at EXAMPLE.LOCAL

Issued
Expires
Jun 23 15:02:28 2013 Jun 24 01:02:20 2013
krbtgt/EXAMPLE.LOCAL at EXAMPLE.LOCAL

Principal

localhost:~ dave$ kdestroy [PRESS ENTER]

localhost:~ dave$
If everything goes as expected you've got Kerberos working on your OSX ML
2) Configure Active Directory for Authorization
Enable Directory Services with Active Directory for Authorization
From a Finder window
- open /System/Library/CoreServices/Directory\ Utility.app
- Unlock, authenticate as the local admin.
- Select Active Directory
- On active directory forest nothing, it'll automatocally be filled
- On active directory domain input your domain name in our case
example.local
- On computerID input your computer's name
- Optional: check create mobile account at login (roaming profile-like
account I guess)
- Hit Bind button
- You'll be prompted for the administrator credentials, so input them
- Computer OU leave as default CN=Computers,DC=example,DC=local
- Check Use for authentication
- Check Use for Contacts (optional)
You'll see the litle thing spinning and if you've got your samba running
on another terminal you'll see how the computer account is created and
the workstation is joined to the domain and the Bind button will change
to Unbind, so if no errors showed you've just joined your Mac OSX 10.8.4
to your Samba 4 domain.
Enable logins for Network Users at OSX's Login Window:
- Apple Menu -> System Preferences
- Users & Groups Pref Pane
- Unlock the Pad Lock and Authenticate as local admin
- Click "Login Options"
- Turn OFF Automatic Login
- Set "Display login window as" to "Name and password"
- This setting can also be configured with a command. Run the following
line in the terminal to set the login window to show username and
password fields:
/usr/bin/defaults write /Library/Preferences/com.apple.loginwindow
SHOWFULLNAME -bool "TRUE"
- Enable "Allow network users to log in at login window",
- Click "Options..." and set "All Network users", Click DONE.
- Network Account Server: EXAMPLE server should be listed and showing a
green "gum drop" icon.
Confirm that you can identify Active Directory users:
localhost:~ dave$ id david
uid=2002409141(david) gid=2125881087(EXAPLE\Domain Users)

groups=2125881087(EXAPLE\Domain Users),704058724(EXAPLE\Group Policy

Creator Owners),1845177527(EXAPLE\Denied RODC Password Replication
Group),2097499953(EXAPLE\RAS and IAS Servers),316274987(EXAPLE\VPN
Users),620839770(EXAPLE\EXAPLE),12(everyone),62(netaccounts),863062263(EXAPLE
\Enterprise
Admins)
localhost:~ dave$
3) Enable Kerberos tickets at login
Applying the below configuration changes will enable OSX to
automatically obtain a Kerberos TGT for the logged in user. This is
quite handy when you want the user to be able to mount servers that are
"kerberized".
First make a backup copy of the file, edit the /etc/pam.d/authorization
file and add two additional lines to the top:
Insert these two additional lines:
auth
optional
default_principal
auth
sufficient

pam_krb5.so use_first_pass use_kcminit

pam_krb5.so use_first_pass default_principal

Use a Terminal.app text editor like 'vi' or 'nano', use a GUI editor
like TextWrangler, BBEdit, or TextMate, or use this terminal command:
/usr/bin/perl -pi -e 's/auth
optional
pam_krb5.so
use_first_pass use_kcminit/auth
optional
pam_krb5.so
use_first_pass use_kcminit default_principal
auth
sufficient
pam_krb5.so use_first_pass
default_principal/g' "/etc/pam.d/authorization"
Check the /etc/pam.d/authorization looks like the following example:
$ cat /etc/pam.d/authorization
# authorization: auth account
auth
optional
pam_krb5.so use_first_pass use_kcminit
default_principal
auth
sufficient
pam_krb5.so use_first_pass default_principal
auth
optional
pam_ntlm.so use_first_pass
auth
required
pam_opendirectory.so use_first_pass nullok
account
required
pam_opendirectory.so
4) Test Logins
Restart, login with your Penn State Access ID, open terminal and verify
that you have a ticket with "klist". Open System Preferences and
"Accounts" to verify you are a network user.
If you have some users that can login and others that can't, it's
possible that they are not yet listed in LDAP, OR their LDAP attributes
might be missing or have the wrong case. To check for a userid, do the
follow from the command line (terminal.app):
$ ldapsearch -h example.local -x -b "dc=example,dc=local" "uid=david" >
/tmp/ldap-data.txt
$ grep "uid:" /tmp/ldap-data.txt ; grep "psDirIDN:" /tmp/ldap-data.txt ;

grep "cn:" /tmp/ldap-data.txt ; grep "psUidNumber:" /tmp/ldap-data.txt

uid: david
psDirIDN: 367777
cn: JUSTIN DAVID GONZALEZ
psUidNumber: 493417
If any of the attributes do NOT appear, then there might be an issue
with the user's Active Directory record, with either missing attributes
or attributes with non matching case of letters.
5) Additional System Changes
LoginWindow StartupDelay
To help curb the loginwindow from showing the status of the EXAMPLE
server as red, you can use this command to tell the it to wait until DNS
is ready before starting. Doing this helps keep the "red dot of despair"
from appearing after boot.
sudo /usr/bin/defaults write /Library/Preferences/com.apple.loginwindow
StartupDelay -int 60
Voila, you can now have your Mac joined to your shinny samba4 DC and you
can login with any domain user and use your mac as usual with the added
benefit of the network shares and the thrill and pride that you made it
yourself.
I changed some of the steps to work on Samba / Active Directory as these
steps were all for LDAP.
Source:
https://wikispaces.psu.edu/display/clcmaclinuxwikipublic/Mountain+Lion+Authen
tication+Configuration#MountainLionAuthenticationConfiguration2)ConfigureLDAPforAuthorization
<https://wikispaces.psu.edu/display/clcmaclinuxwikipublic/Mountain+Lion+Authe
ntication+Configuration#MountainLionAuthenticationConfiguration2%29ConfigureLDAPforAuthorization>
Note: This was also on the PSU site but I haven't tried it yet as I
don't use scrren saver and Ialso hate it when I have to type a password
to get out of it.
I hope this comes in handy for someone out there.
Note 2: This is on a production environment for the company I do IT for
and it's been working like a charm.

http://apple.stackexchange.com/questions/21246/mac-os-binding-to-samba-pdc

https://hermanbanken.nl/2011/01/22/openldap-server-mac-osx-clients/

https://derflounder.wordpress.com/2012/03/02/binding-to-a-linux-based-openldap-server-from-10-6-xand-10-7-x/

http://vuksan.com/linux/mac-os-x-ldap/openldap-mac-os-x-authentication.html

http://hermanbanken.nl/2011/01/22/openldap-server-mac-osx-clients/#script

http://www.dummies.com/how-to/content/how-to-bind-mac-os-x-clients-to-a-shared-domain.html

https://www.hawaii.edu/bwiki/display/UHIAM/LDAP+authentication+for+Mac+OS+X+10.7

http://www.drchaos.com/configuring-apple-os-x-with-active-directory/

http://rajeev.name/2006/09/09/integrating-mac-os-x-into-unix-ldap-environment-with-nfs-homedirectories/

http://blog.michael.kuron-germany.de/2009/04/building-your-own-opendirectory-server-on-linux/