diff --git a/lmn-desktop.yml b/lmn-desktop.yml
index bdfd4d1..9c8b6fc 100644
--- a/lmn-desktop.yml
+++ b/lmn-desktop.yml
@@ -12,6 +12,14 @@
       register: adpw
       no_log: true
       when: "ansible_cmdline.adpw is not defined"
+    - name: preseed apparmor
+      debconf:
+        name: apparmor
+        question: apparmor/homedirs
+        value: >-
+          /srv/samba/schools/default-school/teachers/
+          /srv/samba/schools/default-school/students/*/
+        vtype: string
 
   vars:
     domain: "{{ ansible_domain }}"
@@ -23,6 +31,7 @@
       - console-setup
       - krb5-user
       - unattended-upgrades
+      - debconf-utils
     extra_pkgs_bpo: [] # [ linux-image-amd64 ]
     ansible_python_interpreter: "/usr/bin/python3"
 
diff --git a/roles/lmn_kde/tasks/main.yml b/roles/lmn_kde/tasks/main.yml
index c926b57..6923e8b 100644
--- a/roles/lmn_kde/tasks/main.yml
+++ b/roles/lmn_kde/tasks/main.yml
@@ -49,6 +49,12 @@
     default_release: "{{ ansible_distribution_release }}-backports"
   when: ansible_distribution_release == 'bullseye'
 
+- name: Add home dirs to apparmor
+  lineinfile:
+    dest: /etc/apparmor.d/tunables/home.d/ubuntu
+    line: >-
+      @{HOMEDIRS}+=/srv/samba/schools/default-school/teachers/
+      /srv/samba/schools/default-school/students/*/
 
 - name: set homepage
   lineinfile:
diff --git a/roles/lmn_mount/tasks/main.yml b/roles/lmn_mount/tasks/main.yml
index edbf515..34c7421 100644
--- a/roles/lmn_mount/tasks/main.yml
+++ b/roles/lmn_mount/tasks/main.yml
@@ -17,7 +17,7 @@
         server="{{ smb_server }}"
         path="{{ smb_share }}"
         mountpoint="/srv/samba/schools/default-school"
-        options="sec=krb5i,cruid=%(USERUID),user=%(USER),gid=1010,file_mode=0770,dir_mode=0770"
+        options="sec=krb5i,cruid=%(USERUID),user=%(USER),gid=1010,file_mode=0770,dir_mode=0770,mfsymlinks"
       ><not><or><user>root</user><user>ansible</user><user>Debian-gdm</user><user>sddm</user><user>virti</user></or></not></volume>
     insertafter: "<!-- Volume definitions -->"