samba - Sep 2017 - Questions Integrating a Samba DC with an existing FreeIPA/RH IDM domain

Hi!

Im not sure this is the right place to post this but I am seeking some
advice on how to correctly approach setting up a Samba domain to
integrate with our FreeIPA domain so that users maintain the same
authentication information and gain the added advantage of having
access to shares in Samba.

We have a remote DC where RHEL7.3 and Centos 7.3 FreeIPA/ IDM servers
manage the DNS, user accounts, sudo, user directories and roles.
(FreeIPA/RHEL IDM because two masters are RHEL 7.3 and the others,
CentOS 7.3 servers, with an NFS server service home directories.

OpenVPN is integrated with IPA through PAM so users' operate with some
kind of single sign-on where the same account details used to login to
the FreeIPA/IDM domain what OpenVPN expects to see. If the user's
password expires in FreeIPA/IDM, then the openvpn client does not
work.

We now need to have a home office where users are expected to have AD
manage their desktops ( a mix of windows and Ubuntu/Fedora/Centos/RHEL
desktops).
So at the minimum, users should be able to login using their FreeIPA
account details, and have their FreeIPA remote homedirs mapped
locally.

How best can I setup a Samba domain such that this can happen?
Please is this possible?

Thanks for any advice!