diff --git a/roles/netbootinstaller/tasks/main.yml b/roles/netbootinstaller/tasks/main.yml
index 4902791..1296b0b 100644
--- a/roles/netbootinstaller/tasks/main.yml
+++ b/roles/netbootinstaller/tasks/main.yml
@@ -9,6 +9,7 @@
     name:
       - di-netboot-assistant
       - "{{ di_pkg }}"
+    state: latest # noqa package-latest
   notify:
     - bind mount images
     - rebuild di-netboot-assistant menu
@@ -26,3 +27,4 @@
     path: /etc/hosts
     regexp: '^(127\.0\.1\.1.*)$'
     replace: '#\1\n{{ ipaddr_lan | ipaddr("address") }} {{ ansible_hostname }}.{{ ansible_domain }} {{ ansible_hostname }}'
+  when: ipaddr_lan is defined
diff --git a/roles/sambaldap/tasks/main.yml b/roles/sambaldap/tasks/main.yml
index ce96c14..3176861 100644
--- a/roles/sambaldap/tasks/main.yml
+++ b/roles/sambaldap/tasks/main.yml
@@ -89,6 +89,15 @@
     before: '\[.+\]'
   notify: restart smbd
 
+- name: make smb homes writable
+  replace:
+    path: /etc/samba/smb.conf
+    regexp: '^(\s*create mask =) 0700'
+    replace: '\1 0600'
+    after: '\[homes\]'
+    before: '\[.+\]'
+  notify: restart smbd
+
 - name: slurp admin password for samba setup
   slurp:
     src: "{{ ldap_admin_pwd_file }}"
diff --git a/roles/smbsshfsclient/tasks/main.yml b/roles/smbsshfsclient/tasks/main.yml
index 4dcf1e1..922c34d 100644
--- a/roles/smbsshfsclient/tasks/main.yml
+++ b/roles/smbsshfsclient/tasks/main.yml
@@ -6,6 +6,7 @@
       - libpam-mount
       - cifs-utils
       - sshfs
+      - hxtools
     state: latest # noqa package-latest
 
 - name: add URI to ldap.conf
@@ -32,7 +33,7 @@
     mode: 0600
   notify: restart sssd
 
-- name: configure pam_mount
+- name: configure pam_mount # interesting options: posix,mfsymlinks,nomapposix,noperm
   blockinfile:
     dest: /etc/security/pam_mount.conf.xml
     block: |
@@ -41,7 +42,7 @@
         server="{{ home_server }}"
         path="%(USER)"
         mountpoint="/home/lan/%(USER)"
-        options="dir_mode=0750,file_mode=0640"
+        options="idsfromsid,modefromsid,mfsymlinks"
       ><not><or><user>root</user><user>ansible</user><user>Debian-gdm</user></or></not></volume -->
       <volume
         fstype="fuse"
@@ -52,6 +53,12 @@
       ><not><or><user>root</user><user>ansible</user><user>Debian-gdm</user></or></not></volume>
     insertafter: "<!-- Volume definitions -->"
 
+- name: make sure umount is not blocked
+  replace:
+    path: /etc/security/pam_mount.conf.xml
+    regexp: '<logout wait="0".*'
+    replace: '<logout wait="3000" hup="yes" term="yes" kill="yes"/>'
+
 - name: make sure .ssh exists
   file:
     path: /root/.ssh