diff --git a/kerberox.yml b/kerberox.yml
index 764359f..edafcba 100644
--- a/kerberox.yml
+++ b/kerberox.yml
@@ -47,6 +47,6 @@
- dhcp-dns-dnsmasq
- tftp-netboot-installer
- apt-cacher
- - krb5-kdc-ldap
- - nfs-server
+ - { role: krb5-kdc-ldap, when: not run_in_installer|default(false)|bool }
+ - { role: nfs-server, when: not run_in_installer|default(false)|bool }
- prepare4clients
diff --git a/roles/krb5-kdc-ldap/tasks/main.yml b/roles/krb5-kdc-ldap/tasks/main.yml
index 59d289f..72322f4 100644
--- a/roles/krb5-kdc-ldap/tasks/main.yml
+++ b/roles/krb5-kdc-ldap/tasks/main.yml
@@ -36,7 +36,8 @@
- name: prepare kerberos.openldap.ldif
shell: gunzip -c /usr/share/doc/krb5-kdc-ldap/kerberos.openldap.ldif.gz > /etc/ldap/schema/kerberos.openldap.ldif
- when: not krb5kdc.stat.exists
+ args:
+ creates: /etc/ldap/schema/kerberos.openldap.ldif
- name: activate kerberos.openldap.ldif schema
command: ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/kerberos.openldap.ldif
@@ -48,7 +49,6 @@
objectClass: krbContainer
bind_dn: "cn=admin,{{ basedn }}"
bind_pw: "{{ ldap_admin_pwd }}"
- when: not krb5kdc.stat.exists
- name: make sure we have a kdc object
ldap_entry:
@@ -60,7 +60,6 @@
userPassword: "{{ kdc_service_pwd }}"
bind_dn: "cn=admin,{{ basedn }}"
bind_pw: "{{ ldap_admin_pwd }}"
- when: not krb5kdc.stat.exists
- name: make sure we have a kadmin object
ldap_entry:
@@ -72,7 +71,6 @@
userPassword: "{{ kadmin_service_pwd }}"
bind_dn: "cn=admin,{{ basedn }}"
bind_pw: "{{ ldap_admin_pwd }}"
- when: not krb5kdc.stat.exists
- name: modify ACLs to account for KDC
ldap_attr:
@@ -110,7 +108,13 @@
ldap_attr:
dn: "olcDatabase={1}mdb,cn=config"
name: olcDbIndex
- values: krbPrincipalName pres,sub,eq
+ values:
+ - objectClass eq
+ - cn,uid eq
+ - uidNumber,gidNumber eq
+ - member,memberUid eq
+ - krbPrincipalName pres,sub,eq
+ state: exact
when: not krb5kdc.stat.exists
- name: prepare password for kdc
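Review bot: The two gated entries are written as flow mappings inside a block-style role list, so the `when:` that now decides whether the KDC and NFS server get configured at all sits at the end of a long line where it is easy to miss; the surrounding entries are all block style. Writing them as `- role: krb5-kdc-ldap` followed by `  when: not run_in_installer|default(false)|bool` (and the same pair for nfs-server) keeps the list uniform. A one-line comment above them, e.g. `# skipped during the installer run; configured on first boot`, would also record why exactly these two roles are excluded, which the hunk does not say. The enclosing role list begins before this hunk.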
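Review bot: With the `when: not krb5kdc.stat.exists` guard removed, the kdc object task (and the kadmin object task in the following hunk) runs on every play, but `ldap_entry` only creates a missing DN and leaves an existing entry's attributes untouched, so a changed `kdc_service_pwd` is never written back; a comment such as `# ldap_entry does not modify existing entries; rotating the service password needs ldap_attr or kadmin` would stop the next reader from assuming this task rotates credentials. Separately, `userPassword: "{{ kdc_service_pwd }}"` is passed as a plain attribute: the module masks `bind_pw` but not `attributes`, so the secret appears in verbose output and in any callback that logs module arguments. The kerberize task later in this commit already carries `no_log: true`; adding it to both ldap_entry tasks would be consistent with that. The ldap_entry task starts before this hunk.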
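Review bot: `state: exact` on olcDbIndex replaces the database's entire index set with the five values listed, so any index already configured on `olcDatabase={1}mdb` outside this role is dropped the first time the task runs; if this list is meant to be the complete set, say so with a comment like `# state: exact — this is the full index list for {1}mdb, add new indexes here` so nobody adds an index elsewhere and loses it. Because the task is still gated on `when: not krb5kdc.stat.exists`, later edits to this list never reach an already-built KDC; with `state: exact` the task should only report a change when the value set differs, so the guard could probably be dropped, bearing in mind that changing olcDbIndex on a populated mdb database may trigger a reindex. The ldap_attr task starts before this hunk.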
@@ -169,8 +173,6 @@
- ldap
when: not krb5kdc.stat.exists
-##############
-
- name: kerberize dummy user foo
command: kadmin.local -q 'add_principal -pw "{{ foo_pwd }}" -x dn="uid=foo,ou=people,{{ basedn }}" foo'
register: kerberize_result
@@ -178,8 +180,6 @@
no_log: true
when: foo_pwd is defined and foo_pwd | length > 0
-#############################
-
- name: allow services in firewalld
firewalld:
zone: internal
@@ -190,14 +190,3 @@
- kerberos
- kadmin
- kpasswd
- when: not run_in_installer|default(false)|bool
-
-## Use firewall-offline-cmd when run during installation:
-
-- name: allow services in firewalld
- command: >-
firewall-offline-cmd --zone=internal --add-service=kerberos --add-service=kadmin --add-service=kpasswd
- when: run_in_installer|default(false)|bool
diff --git a/roles/ldap/tasks/main.yml b/roles/ldap/tasks/main.yml
index 131e8c9..eeb7b97 100644
--- a/roles/ldap/tasks/main.yml
+++ b/roles/ldap/tasks/main.yml
@@ -5,7 +5,7 @@
when: ansible_domain | length == 0
- name: check if slapd is already there
- stat: path=/usr/sbin/slapd
+ stat: path=/etc/ldap/slapd.d/slapd-config.ldif
register: slapd
- name: preseed ldap domain
@@ -53,7 +53,7 @@
src: slapd-config.ldif
dest: /etc/ldap/slapd.d/slapd-config.ldif
when: not slapd.stat.exists
-
+
- name: activate ppolicy schema
command: ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/ppolicy.ldif
when: not slapd.stat.exists
@@ -116,18 +116,9 @@
bind_pw: "{{ ldap_admin_pwd }}"
when: foo_pwd is defined and foo_pwd | length > 0
-#############################
-
- name: allow ldap service in firewalld
firewalld:
zone: internal
service: ldap
permanent: yes
state: enabled
- when: not run_in_installer|default(false)|bool
-
-## Use firewall-offline-cmd when run during installation:
-
-- name: allow ldap service in firewalld
- command: "firewall-offline-cmd --zone=internal --add-service=ldap"
- when: run_in_installer|default(false)|bool
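Review bot: The new "already configured" marker `/etc/ldap/slapd.d/slapd-config.ldif` is a file this same role writes (the `dest:` of the copy task in the next hunk), and that copy runs before the ppolicy schema load and the other `when: not slapd.stat.exists` steps; if anything after the copy fails, the next run finds the marker and skips the rest, leaving slapd half-configured with no way to resume except deleting the file by hand. At minimum the stat task deserves a comment, e.g. `# marker is written by the copy task below — remove it to force a full re-run`; a more robust marker would be an artifact that only the last step of the sequence produces. On style, `stat: path=...` is the key=value shorthand; the block form `stat:` / `path: /etc/ldap/slapd.d/slapd-config.ldif` matches how the other modules in this file are written. The task list continues outside this hunk.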
diff --git a/roles/nfs-server/tasks/main.yml b/roles/nfs-server/tasks/main.yml
index 2f5448f..d54fdbe 100644
--- a/roles/nfs-server/tasks/main.yml
+++ b/roles/nfs-server/tasks/main.yml
@@ -60,7 +60,7 @@
when: kadmin.stat.exists
- name: copy home from /etc/skel for dummy user foo
- shell: cp -r /etc/skel {{ lan_homes }}/foo && chmod -R o-rwx {{ lan_homes }}/foo && chown -R foo:foo {{ lan_homes }}/foo
+ shell: cp -r /etc/skel {{ lan_homes }}/foo && chmod -R o-rwx {{ lan_homes }}/foo && chown -R 10000:10000 {{ lan_homes }}/foo
args:
creates: "{{ lan_homes }}/foo"
when: foo_pwd is defined and foo_pwd | length > 0
@@ -76,18 +76,9 @@
notify: "restart dnsmasq"
when: dnsmasq.stat.exists
-#############################
-
- name: allow nfs service in firewalld
firewalld:
zone: internal
service: nfs
permanent: yes
state: enabled
- when: not run_in_installer|default(false)|bool
-
-## Use firewall-offline-cmd when run during installation:
-
-- name: allow nfs service in firewalld
- command: "firewall-offline-cmd --zone=internal --add-service=nfs"
- when: run_in_installer|default(false)|bool
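Review bot: `chown -R 10000:10000` hard-codes the dummy user's uid/gid with nothing tying it to the uidNumber/gidNumber that `uid=foo` presumably gets in LDAP (not visible here); if either side is changed the exported home is handed to whichever account later resolves to uid 10000 on the NFS clients, which is an access-control slip, not just a cosmetic one. Define the number once, e.g. `foo_uid: 10000` next to `foo_pwd`, and reference it here as `chown -R {{ foo_uid }}:{{ foo_uid }} {{ lan_homes }}/foo`. A comment explaining the switch from `foo:foo`, along the lines of `# numeric ids: the foo account lives only in LDAP and may not resolve on this host`, would record the reason, which the hunk does not state. The enclosing task starts before this hunk.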