HOWTO to set up Samba as an Active Directory compatible Domain Controller

This document explains how to setup a simple Samba server as an Domain Controller compatible with Microsoft’s Active Directory, for use particularly by Microsoft Windows clients that are joined to the Active Directory Domain, for services such as Domain Logon. We refer to this capability as being an AD DC for short.

Video Demonstrations of This HOWTO

A set of demonstration videos is available that may provide a useful overview of the contents of this HOWTO.

A Note on Versions

Samba is developing rapidly. This HOWTO is frequently updated to reflect the latest changes in the Samba git repository. Please see the Samba 4.0 Release Planning more specifics on the release planning.

Samba OS Requirements

Because of the constantly changing and ever expanding nature of Linux, the OS Requirements for Samba4 have been moved from Step 2, to Samba_4/OS_Requirements This not only includes the required packages for a successful Samba AD DC deployment, but also the required file system features. Please consider that page as a prerequisite to a successful Samba AD DC setup.

Step 1: Download Samba

Currently, there are three methods to download the current Samba sources, either as a tarball of the latest stable release, or a development version via git or rsync. If you hope to work with the team on a development version to resolve issues you may hit via code changes, we recommend using the git method for downloading Samba, as it makes getting updates easier, and also allows you to integrate test patches from Samba developers more easily in case of problems. In the following examples we will assume that your top-level source is named samba-master. If you downloaded a tarball this will instead be based on the name of the tarball downloaded (e.g. samba-4.0.0 for the tarball samba-4.0.0.tar.gz). Also note that in the master branch the samba4 code in our current git tree is now located in the top level directory.

Downloading a tarball

If you wish to use a released version of Samba 4.0, you can download the latest Samba 4.0 tarball from the Samba website

Downloading via git

Git allows you to download the source tree via either the git or httpprotocols. In general, the git protocol is the preferred choice since it compresses the data being transferred. To download the source tree via git, run the following command:

$ git clone git://git.samba.org/samba.git samba-master

Alternatively, if you prefer to use the http protocol, run the following command:

$ git clone http://gitweb.samba.org/samba.git samba-master

Either command will create a directory called samba-master in the current directory.

Updating via git

If you already have downloaded the source tree via git and want to update the tree to the latest version, run the following command in your samba-master directory:

$ git pull

If you get an error like this: fatal: Unable to create ‘[…]/samba_master/.git/index.lock’: File exists. Run the command below to reset your tree. If you are having trouble compiling the source, it may be due to stale files. You can reset your git tree to correct these errors. To reset your git tree, run the following command in your samba-master directory:

$ git clean -x -f -d

Downloading via rsync

If git is not available to you, rsync is the next best choice. To download the source tree via rsync, run the following command:

$ rsync -avz samba.org::ftp/unpacked/samba_4_0_test/ samba-master

This command will create a directory called samba-master in the current directory, containing a checked out git repository. If you plan on using git to manage the tree, you will need to run the following commands in your samba-master directory:

$ cd samba-master/
$ rm .git/refs/tags/*
$ rm -r .git/refs/remotes/
$ git config remote.origin.url git://git.samba.org/samba.git
$ git config --add remote.origin.fetch +refs/tags/*:refs/tags/* (this line is optional)
$ git fetch

Note you can ignore this error from git fetch:

error: refs/heads/master does not point to a valid object!

Refer to the Updating via git instructions on how to manage the source tree with git.

Step 2: Compile Samba

To build Samba, run the following command in your samba-master directory:

 $ cd samba-master
 $ ./configure --enable-debug --enable-selftest
 $ make

The above command will setup Samba to install in /usr/local/samba. If you want Samba to install in a different directory, then you should use the –prefix option to configure. The reason we recommend using –enable-debug –enable-selftest for Samba is that it will include extra debug information that will help us diagnose problems in case of failures, and will also allow you to run our selftest make test to validate that Samba can behave correctly on your platform. Both of these are however, entirely optional.

Profiling with google-perftools

If you want to enable profiling support, change the configure command above to the following:

 $ LDFLAGS="-ltcmalloc -lprofiler" ./configure.developer

(This also works for CFLAGS)

Step 3: Install Samba

To install Samba, run the following command in your samba-master directory:

 $ make install

Note that this must be run as a user who has permission to write to the install directory, which defaults to /usr/local/samba. See Step 2: Compile Samba4 for instructions on how to change the install directory. For the rest of this HOWTO we will assume that you have installed Samba4 in the default location. All future Samba commands will stem from the /usr/local/samba/sbin and /usr/local/samba/bin directories. Please review the Release Notes for the version you have installed, it may contain important information not yet reflected in this HOWTO.

Upgrading

If you are upgrading from a previous release of Samba 4.x, be sure to review all the Release Notes for the new version, as well as the notes for all the interim versions.

Step 4: Provision Samba

The provision step sets up a basic user database, and is used when you are setting up your Samba server in its own domain. If you instead want to setup your Samba server as an additional domain controller in an existing domain, then please see the

Joining a Windows Domain Controller as an Additional DC in a Domain section on this page. If you want to migrate an existing Samba 3.x domain to Samba 4.0 as an AD DC, see the Migrating an Existing Samba 3 Domain to Samba 4 section on this page. For the rest of the HOWTO we will assume that your DNS domain name is samdom.example.com, your short (also known as NT4) domain name is samdom, your Samba server’s hostname is samba, and the IP Address of your Samba server is 192.168.1.2. The provision step must be run as a user with permission to write to the install directory.

 # /usr/local/samba/bin/samba-tool domain provision

This will run the provision tool interactively. For realm use something like samdom.example.com, for domain (it should suggest this) use samdom. If you run the previous command with a user who does not have write permission to the install directory, you will get an error similar to this:

tdb_open_ex: could not open file /usr/local/samba/private/sam.ldb.d/DC=SAMDOM,DC=EXAMPLE,DC=COM. ldb: Permission denied

You can pass options to samba-tool domain provision command. You can run it with the –help option to see a list of them. Note: As of September 11, 2012 (Samba4.0.0RC1) the provision command now uses Samba’s internal DNS server, if you would like the older behavior, add –dns-backend=BIND9_DLZ to the above provision command. Note: You may need to remove the /usr/local/samba/etc/smb.conf file if you are re-running the provision command. Note: If you use the –adminpass=’password’ switch, be aware that there are password complexity requirements, so if you are getting some odd error with provision, try a more complex password ie. ‘Pa$$w0rd’

Step 5: Starting Samba as an AD DC

If you are planning to run Samba as a production server, then just run the samba binary as root

# /usr/local/samba/sbin/samba

That will run Samba in ‘standard’ mode, which is suitable for production use. Samba doesn’t yet have init scripts included for each platform, but making one for your platform should not be difficult. There are some example scripts (for RedHat/Fedora, Debian and Ubuntu) on the Samba4/InitScript page. If you are running Samba as a developer you may find the following more useful:

# /usr/local/samba/sbin/samba -i -M single

This will start samba with all log messages printed to stdout, and restricting it to a single process. That mode of operation makes debugging samba with gdb easier. If you want to launch it under gdb, run samba as follows:

# gdb --args /usr/local/samba/sbin/samba -i -M single

Note that if you are running any Samba 3 smbd or nmbd processes they need to be stopped before starting samba from Samba 4. Take care when running Samba commands if you also have a previous version of Samba installed. To avoid inadvertently running the wrong version, you should consider putting the /usr/local/samba/bin and /usr/local/samba/sbin directories in the beginning of your PATH variable. You can see what version of Samba, if any, is in your PATH variable by running the following:

# samba -V

Step 6: Testing Samba as an AD DC

First check you have the right version of smbclient by running the following command:

 $ /usr/local/samba/bin/smbclient --version

This should show you a version starting with “Version 4.0.XXXXX”. Now run this command to list the shares on your Samba server:

$ /usr/local/samba/bin/smbclient -L localhost -U%

The output of the command should be similar to what is shown below:

       Sharename       Type      Comment
       ---------       ----      -------
       netlogon        Disk
       sysvol          Disk
       IPC$            IPC       IPC Service (Samba 4.0.0)

The netlogon and sysvol shares are basic shares needed for Active Directory server operation. If the command failed, restart samba by running the following:

# killall samba
# rm -v -- /usr/local/samba/var/run/smbd-fileserver.conf.pid
# /usr/local/samba/sbin/samba

To test that authentication is working, you should try to connect to the netlogon share using the Administrator password you set earlier:

$ smbclient //localhost/netlogon -UAdministrator%'p4$$word' -c 'ls'

The output of the command should be similar to what is shown below:

Domain=[SAMDOM] OS=[Unix] Server=[Samba 4.0.0beta9-GIT-e4677e3]
  .                                   D        0  Wed Sep 12 21:00:36 2012
  ..                                  D        0  Wed Sep 12 21:02:28 2012

Step 7: Configure DNS

A working DNS setup is essential to the correct operation of Samba. Without the right DNS entries, Kerberos won’t work, which in turn means that many of the basic features of Samba won’t work. It is worth spending some extra time to ensure your DNS setup is correct, as debugging problems caused by mis-configured DNS can take a lot of time later on.

DNS Server

Samba’s Internal DNS Server

If you specified –dns-backend=SAMBA_INTERNAL or did not specify any backend at all when you provisioned, there is no further setup required for the DNS server. However, you still need to configure your /etc/resolv.conf as shown in Configure /etc/resolv.conf If you want the internal DNS server to forward requests it isn’t responsible for, then add the following to your smb.conf:

 dns forwarder = {IP-Address of the DNS you want to forward to}

Warning: If you are running X windows on your machine, networkmanager could be spawning dnsmasq, check the logs for lines like:

Failed to bind to 0.0.0.0:53 TCP - NT_STATUS_ADDRESS_ALREADY_ASSOCIATED

If you need to disable this you can open /etc/NetworkManager/NetworkManager.conf in your favorite editor as root, and comment out the line dns=dnsmasq, then restart network-manager

Bind 9.8.0 or newer

If using BIND, the next step to get a working DNS setup for Samba is to start with the DNS configuration file that is created by the provision step or if you are using any of the other samba-tool options (classicupgrade for example) you can specify –dns-backend=BIND9_DLZ or –dns-backend=BIND9_FLATFILE. You can activate the configuration that the provision has created by including this configuration file in bind’s named configuration file. This file is typically located in the /etc/bind directory, please refer to your distribution documentation for the location of this file on your system. Once located, add the following line to the configuration file:

include "/usr/local/samba/private/named.conf";

Edit that file to uncomment the correct dlz plugin line, based on your version of bind. Open the /usr/local/samba/private/named.conf file in a text editor and follow the instructions inside. After adding that line you should restart your Bind server and check in the system logs for any problems. If available, you can run named-checkconf to help you fix any problems with your named configuration.

Bind 9.7.x

Users of bind-9.7.x are strongly encouraged to upgrade to bind-9.8 or bind-9.9. If this is not possible, refer to the section Configure Kerberos DNS Dynamic Updates for instructions on configuring bind-9.7.

Bind (All Versions)

A common problem you may encounter is that many modern Linux distributions activate ‘Apparmor’ or ‘SELinux’ by default, and these may be configured to deny access to Bind for your the named.conf and zone files created in the provision. If your Bind logs show that Bind is getting a access denied error accessing these files, please see your local system documentation for how to enable access to these files in Bind (hint: for Apparmor systems such as Ubuntu, the command aa-logprof may be useful). Note: On Debian systems, the zone auto-generation might detect and use 127.0.1.1 as the domain controller’s IP address. This will cause problems when trying to connect to the server from client machines. To fix this, you will need to adjust /usr/local/samba/private/named.conf by changing 127.0.1.1 to reflect the actual IP address of the server you’re setting up. Note: On Debian SID (bind9 package), /etc/bind/named.conf.options is missing and this will cause the named daemon to fail to start. To fix this either create an empty file, or comment out corresponding line in /etc/bind/named.conf. See your syslog messages for more information.

Configure /etc/resolv.conf

For all the local DNS lookups to resolve correctly, we need to modify the server’s /etc/resolv.conf file. The following example should be sufficient to have DNS resolve properly:

domain samdom.example.com
nameserver 192.168.1.2

Note: Remember to change the IP Address to your Samba server’s IP Address Note: If your server is set up to receive its IP configuration via DHCP, the /etc/resolv.conf file might be automatically updated. Refer to your distribution’s documentation on how to stop this behavior.

Testing DNS

To test that DNS is working properly, run the following commands and compare the output to what is shown:

$ host -t SRV _ldap._tcp.samdom.example.com.
_ldap._tcp.samdom.example.com has SRV record 0 100 389 samba.samdom.example.com.

$ host -t SRV _kerberos._udp.samdom.example.com.
_kerberos._udp.samdom.example.com has SRV record 0 100 88 samba.samdom.example.com.

$ host -t A samba.samdom.example.com.
samba.samdom.example.com has address 10.0.0.1

The answers you get should be similar to the ones above (adjusted for your DNS domain name and hostname). If you get any errors, carefully check your system logs to locate the problem.

Step 8: Configure Kerberos

Kerberos configuration is handled by the krb.conf file. This file is typically located in the /etc directory, please refer to your distribution documentation for the location of this file on your system. Replace the existing file, if any, with the sample from /usr/local/samba/share/setup/krb5.conf. Edit the file and replace ${REALM} with the value you chose for the –realm parameter of the provision command above, make sure to enter the realm in

uppercase letters:

[libdefaults]
    default_realm = SAMDOM.EXAMPLE.COM
    dns_lookup_realm = false
    dns_lookup_kdc = true

Testing Kerberos

The simplest test is to use the kinit command as follows:

$ kinit administrator@SAMDOM.EXAMPLE.COM
Password:

• Note: You must specify your domain realm SAMDOM.EXAMPLE.COM in uppercase letters

kinit will not give you any output. To verify that Kerberos is working, and that you received a ticket, run the following:

$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: administrator@SAMDOM.EXAMPLE.COM
 
Valid starting     Expires            Service principal
02/10/10 19:39:48  02/11/10 19:39:46  krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM

If either kinit or klist do not exist on your system, refer to Samba_4_OS_Requirements on how to install the necessary packages. You can also test Kerberos form a remote client, but you must first configure the client’s krb5.conf and resolve.conf as shown previously.

• Note: If you are using a client behind NAT then you have to add the following to the krb5.conf on the domain controller server:

[kdc]
    check-ticket-addresses = false

• Note: If provision generated you a password and you forgot it or didn’t get it saved in some way, you can use “samba-tool user setpassword administrator” as root to reset it.

Step 9: Configure DNS Dynamic Updates via Kerberos

Samba has the capability to automatically update the bind zone files via Kerberos. While this step is optional, it is highly recommended. If you are using Samba’s internal DNS server, no configuration is needed, and you can skip this step. To setup dynamic DNS updates you need to have a recent version of bind installed. It is highly recommended that you install at least version 9.8.0 as that version includes a set of patches from the Samba Team to make dynamic DNS updates much more robust and easier to configure. In the instructions below we give instructions for both bind 9.7.2 and 9.8.0, but please use 9.8.0 or later if at all possible. You can tell what version of bind you have using the command /usr/sbin/named -V. If your OS does not have bind-9.8.0 or later, then please consider getting it from a package provided by a 3rd party (for example, on Ubuntu there is a ppa available with the newer versions of bind).

Bind 9.8.0 or Later

When using bind-9.8.0 or later you need to add the following to the

options section of your bind config:
options {
 [...]
 tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
 [...]
 };

This file is typically located in the /etc/bind directory, please refer to your distribution documentation for the location of this file on your system.

Bind 9.7.x

If you have bind-9.7.x (specifically 9.7.2 or later), then first determine if you can at all possibly run bind-9.8. You will have far fewer problems. Otherwise, follow these instructions. The Samba provision will have created a custom /usr/local/samba/private/named.conf.update configuration file. You need to include this file in your master named.conf to allow Samba/Kerberos DNS updates to automatically take place. Be advised that if you include this file in Bind versions that don’t support it, Bind will fail to start. You additionally need to set two environment variables when using bind-9.7.x:

 KEYTAB_FILE="/usr/local/samba/private/dns.keytab"
 KRB5_KTNAME="/usr/local/samba/private/dns.keytab"
 export KEYTAB_FILE
 export KRB5_KTNAME

These should be put in your settings file for bind. On Debian based systems (including Ubuntu) this is in /etc/default/bind9. On RedHat and SUSE derived systems it is in /etc/sysconfig/named, please refer to your distribution documentation for the correct location to set these environment variables. Strictly speaking you only either need KEYTAB_FILE or KRB5_KTNAME, but which you need depends on your distribution, so it’s easier to just set both. The dns.keytab must be readable by the bind server process. Generally, this is accomplished by executing:

  $ chown named:named /usr/local/samba/private/dns.keytab

(the provision should have setup these permissions for you automatically). Finally, you need to add the following to the options section of your bind config:

options {
 [...]
 tkey-gssapi-credential "DNS/server.samdom.example.com";
 tkey-domain "SAMDOM.EXAMPLE.COM";
 [...]
 };

The last part of the credential in the first line must match the dns name of the server you have set up. This file is typically located in the /etc/bind directory, please refer to your distribution documentation for the location of this file on your system.

Testing/Debugging Dynamic DNS Updates

The way the automatic DNS update in Samba works is that the provision will create a file /usr/local/samba/private/dns_update_list, which contains a list of DNS entries that Samba will try to dynamically update at startup and every 10 minutes thereafter using samba_dnsupdate utility. Updates will only happen if the DNS entries do not already exist. Remember that you need nsupdate utility from bind the distribution for all these to work. If you want to test or debug this process, then please run this as root:

/usr/local/samba/sbin/samba_dnsupdate --verbose --all-names

The command line options specified will force an update of all records in the dns_update_list, as well as output detailed information on what is being done.

Interaction With Apparmor or SELinux

If you are using Apparmor or SELinux, you have to ensure that the bind process has read access to the /usr/local/samba/private/dns.keytab file, the /usr/local/samba/private/named.conf file as well as read-write access to the /usr/local/samba/private/dns directory and it’s own zone file. The Samba provision tries to setup the permissions correctly for these files, but you may find you need to make changes in your Apparmor or SELinux configuration if you are running either of those. If you are using Apparmor then the aa-logprof command may help you add any missing permissions you need to add after you start Samba and bind for the first time after configuring them. Please refer to Step 11: Permissions, SELinux Labeling and Policy for more information.

Step 10: Configure NTP (Optional)

You require a recent ntpd version (=>4.2.6) that supports signed ntp. E. g. the version shipped with RHEL6 and Ubuntu < 11.04 are to old. The Ntpd of Debian Squeeze supports signed ntp. 1. Download ntpd from ntp.org (verify md5 sum) and compile it (add additionals ./configure parameters, if needed):

 $ tar -zxvf ntp-4.x.x.tar.gz
 $ cd ntp-4.x.x
 $ ./configure –enable-ntp-signd
 $ make
 $ make install

2a. If you already have a supported ntpd version and ntp.conf, you have to add/adjust only the following lines for minimal:

 ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/
 restrict default mssntp

2b. If a minimal/simple ntp.conf is fine for you, then fill the file with the following:

 server 127.127.1.0
 fudge 127.127.1.0  stratum 12
 ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/
 restrict default mssntp

2c. A more complex ntp.conf is the following:

 server 127.127.1.0
 fudge  127.127.1.0 stratum 10
 server 0.pool.ntp.org  iburst prefer
 server 1.pool.ntp.org  iburst prefer
 driftfile /var/lib/ntp/ntp.drift
 logfile /var/log/ntp
 ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/
 restrict default kod nomodify notrap nopeer mssntp
 restrict 127.0.0.1
 restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
 restrict 1.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery

For explanation: This config allows clients to receive time from this NTP host, localhost doesn’t have any restrictions, and the servers we receive the time from ,are not allowed to do anything else than providing the time to us. For mor information about ntpd access controll, see http://support.ntp.org/bin/view/Support/AccessRestrictions 3. On members of the domain you don’t have to configure anything. Per default they will receive the time from the DC that has the FSMO role PDC.

Step 11: Permissions, SELinux Labeling and Policy

These instructions are intended for RedHat 6.X, but may serve as a guide for other distributions/versions. There is still more work to be done in regards of creating a Samba 4 specific SELinux policy but for now you should be able to have everything working without disabling SELinux. For all the commands below, make sure you have set the following environment variable:

MYREALM="samdom.example.com"

Bind Set Permissions:

chown named:named /usr/local/samba/private/dns
chgrp named /usr/local/samba/private/dns.keytab
chmod g+r /usr/local/samba/private/dns.keytab
chmod 775 /usr/local/samba/private/dns

Label files:

chcon -t named_conf_t /usr/local/samba/private/dns.keytab
chcon -t named_conf_t /usr/local/samba/private/named.conf.update
chcon -t named_var_run_t /usr/local/samba/private/dns
chcon -t named_var_run_t /usr/local/samba/private/dns/${MYREALM}.zone

Set Label Persistence:

semanage fcontext -a -t named_conf_t /usr/local/samba/private/dns.keytab
semanage fcontext -a -t named_conf_t /usr/local/samba/private/named.conf
semanage fcontext -a -t named_conf_t /usr/local/samba/private/named.conf.update
semanage fcontext -a -t named_var_run_t /usr/local/samba/private/dns
semanage fcontext -a -t named_var_run_t /usr/local/samba/private/dns/${MYREALM}.zone
semanage fcontext -a -t named_var_run_t /usr/local/samba/private/dns/${MYREALM}.zone.jnl
semanage fcontext -a -t ntpd_t /usr/local/samba/var/run/ntp_signd

NTP

Set Permissions:

$ chgrp ntp /usr/local/samba/var/lib/ntp_signd

Multiple attempts to set the context for ntp failed so the below policy was needed for windows clients time sync after joining the DOMAIN.

$ chcon -u system_u -t ntpd_t /usr/local/samba/var/run/ntp_signd
$ chcon -u system_u -t ntpd_t /usr/local/samba/var/run/
$ chcon -t ntpd_t /usr/local/samba/var/run/ntp_signd/socket

samba4.te policy:

module samba4 1.0;
  
  
require {
   type ntpd_t;
   type usr_t;
   type initrc_t;
   class sock_file write;
   class unix_stream_socket connectto;
}
  
#============= ntpd_t ==============
allow ntpd_t usr_t:sock_file write;
  
#============= ntpd_t ==============
allow ntpd_t initrc_t:unix_stream_socket connectto;

Check and load policy:

$ checkmodule -M -m -o samba4.mod samba4.te 
$ semodule_package -o samba4.pp -m samba4.mod
$ semodule -i samba4.pp

Step 12: Setup a File Share

The provisioning will create a very simple /usr/local/samba/etc/smb.conf file with no non-system shares by default. For the server to be useful you, will need to update it to have at least one share. For example:

[test]
      path = /data/test
      comment = Test Share
      read only = no

• Note: In older alpha versions of Samba 4, you need to restart Samba to make new shares visible.

Step 13: Setup a Printer share

You can share any printers already configured with CUPS, keep in mind that Samba communicates with CUPS via sockets, so you don’t need to set any configure any special permissions beyond a listen directive for the CUPS socket.

Basic Print Sharing

1. Create a print spool directory, and set the permissions properly. This is where Samba will store temporary files related to print documents:

mkdir /usr/local/samba/var/spool
chmod 1777 /usr/local/samba/var/spool

1. Configure samba to use it, by adding the following to /usr/local/samba/etc/smb.conf:

[printers]
    comment = All Printers
    path = /usr/local/samba/var/spool
    browseable = Yes
    read only = No
    printable = Yes

Point and Print Drivers

For the sake of convenience, Windows clients can query the server that is sharing a printer for a print driver. To enable this functionality in Samba, we have to create a special print$ file share.

1. Create the print file share directory, and architecture sub-directories:

mkdir -p /usr/local/samba/var/print/{COLOR,IA64,W32ALPHA,W32MIPS,W32PPC,W32X86,WIN40,x64}

1. Configure samba to use it, by adding the following to /usr/local/samba/etc/smb.conf:

[print$]
    comment = Point and Print Printer Drivers
    path = /usr/local/samba/var/print
    read only = No

1. Log in as a Domain Administrator on a client computer
2. Click Start -> Run ‘\\samba\’
3. In the list of shares, Double-Click ‘Printers and Faxes’
4. Click File -> Server Properties
5. On the Drivers Tab, Click ‘Add…’, then ‘Next’
6. In the following prompts, choose the driver you would like to install, and click ‘Next’
7. Choose the architectures you are installing the drivers for. Be aware if you choose an architecture that the client computer does not have the driver for you will be prompted to provide a disk with the drivers.
8. Close the Server Driver Dialog box
9. Right-click on the printer the driver is for and choose Properties
10. On the Advanced tab, change the Driver drop-down box to the driver you just installed

Note: Filesystem Support

This information has been included in the

Samba_4_OS_Requirements#File_System_Support