diff --git a/roles/lan-client/tasks/main.yml b/roles/lan-client/tasks/main.yml index 9b793a3..e394016 100644 --- a/roles/lan-client/tasks/main.yml +++ b/roles/lan-client/tasks/main.yml @@ -93,6 +93,6 @@ - name: automount lineinfile: dest: /etc/fstab - line: "{{ nfs_server}}:/home {{ lan_homes }} nfs4 sec=krb5p,_netdev,noauto,x-systemd.automount,x-systemd.idle-timeout=60 0 0" + line: "{{ nfs_server }}:/home {{ lan_homes }} nfs4 sec=krb5p,_netdev,noauto,x-systemd.automount,x-systemd.idle-timeout=60 0 0" notify: reload systemd when: not run_in_installer|default(false)|bool diff --git a/roles/ldap/tasks/setup.yml b/roles/ldap/tasks/setup.yml index 43067eb..e01f556 100644 --- a/roles/ldap/tasks/setup.yml +++ b/roles/ldap/tasks/setup.yml @@ -91,4 +91,8 @@ regexp: "^(TLS_CACERT\\s+/etc/ssl/certs/ca-certificates.crt)$" replace: '#\1\nTLS_CACERT\t{{ TLSCertificateFile }}' +- name: enable pam-mkhomedir + command: pam-auth-update --enable mkhomedir + when: foo_pwd is defined and foo_pwd | length > 0 + ## Use 'sudo ldapvi -Y EXTERNAL -h ldapi:/// -b "cn=config"' to modify certificate and key. diff --git a/roles/samba-ldap/defaults/main.yml b/roles/samba-ldap/defaults/main.yml new file mode 100644 index 0000000..575579c --- /dev/null +++ b/roles/samba-ldap/defaults/main.yml @@ -0,0 +1,4 @@ +basedn: "{{ 'dc=' + ( ansible_domain | replace('^.','') | replace('.$','') | replace('.',',dc=')) }}" +ldap_server: ldap +min_id_sssd: 5000 +max_id_sssd: 20000 diff --git a/roles/samba-ldap/handlers/main.yml b/roles/samba-ldap/handlers/main.yml new file mode 100644 index 0000000..99844ab --- /dev/null +++ b/roles/samba-ldap/handlers/main.yml @@ -0,0 +1,8 @@ +- name: restart sssd + service: name=sssd state=restarted enabled=yes + listen: "restart sssd" + +- name: restart smbd + service: name=smbd state=restarted enabled=yes + listen: "restart smbd" + diff --git a/roles/samba-ldap/meta/main.yml b/roles/samba-ldap/meta/main.yml new file mode 100644 index 0000000..b19fb35 --- /dev/null 
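Review bot: The new `enable pam-mkhomedir` task is gated on `foo_pwd is defined and foo_pwd | length > 0`, which is the interactive test-user password, so `pam_mkhomedir` is only enabled on the runs where an operator types a password for `foo` and is silently skipped on every ordinary run; LDAP users without a pre-existing home directory are affected regardless of whether a test user exists. The condition should be dropped (or tied to a dedicated variable), leaving `- name: enable pam-mkhomedir` / `  command: pam-auth-update --enable mkhomedir`. Note also that `command` will report `changed` on every run; if that matters, register the output and set `changed_when` from it, or guard the task with a grep of `/etc/pam.d/common-session` for `pam_mkhomedir`, rather than masking it with `changed_when: false`.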
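Review bot: The `basedn` default applies `replace('^.','')` and `replace('.$','')`, but Ansible's `replace` filter is a plain substring replace (Jinja2's), not a regex, so the literal strings `^.` and `.$` never occur in a domain name and the leading/trailing-dot stripping is a no-op; a domain fact such as `example.org.` would still yield a trailing `,dc=` component. If the intent is the regex, the line should read `basedn: "{{ 'dc=' + (ansible_domain | regex_replace('^\\.', '') | regex_replace('\\.$', '') | replace('.', ',dc=')) }}"`. An empty `ansible_domain` would produce `dc=` on its own, which then appears in the ACLs and `smb.conf` of the tasks file; I would expect that to be caught early, possibly by a `fail` or `assert` in the role, rather than be discovered by OpenLDAP.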
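Review bot: Both handlers write the `service` arguments in the `key=value` free-form string (`service: name=sssd state=restarted enabled=yes`), while the tasks in the same role (`template:`, `apt:`) use block YAML for module arguments; for consistency and lint-cleanliness each handler would express `name`, `state` and `enabled` as nested keys, with `enabled: true` instead of the YAML-1.1 `yes`. The `listen:` values repeat the handler names exactly, so they add nothing here: `notify: restart sssd` already matches the handler by name, and the `listen` lines can be removed unless a second topic is planned.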
+++ b/roles/samba-ldap/meta/main.yml @@ -0,0 +1,3 @@ +--- +dependencies: + - role: ldap diff --git a/roles/samba-ldap/tasks/main.yml b/roles/samba-ldap/tasks/main.yml new file mode 100644 index 0000000..cf0e871 --- /dev/null +++ b/roles/samba-ldap/tasks/main.yml 
@@ -0,0 +1,118 @@ +## Install and configure samba-ldap. +--- +- name: check if samba is already there + stat: path=/etc/ldap/schema/samba.ldif + register: samba_ldap + +- name: install samba and provide samba schema + apt: + name: + - samba + - sssd-ldap + state: latest + + +- name: provide identities from LDAP + template: + src: sssd.conf.j2 + dest: /etc/sssd/sssd.conf + mode: 0600 + notify: restart sssd + +- meta: flush_handlers + + +- name: prepare samba schema + command: cp /usr/share/doc/samba/examples/LDAP/samba.ldif /etc/ldap/schema/ + args: + creates: /etc/ldap/schema/samba.ldif + +- name: activate samba.ldif schema + command: ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/samba.ldif + when: not samba_ldap.stat.exists + +- name: add indexes to LDAP + ldap_attr: + dn: "olcDatabase={1}mdb,cn=config" + name: olcDbIndex + values: + - sambaSID eq + - sambaPrimaryGroupSID eq + - sambaGroupType eq + - sambaSIDList eq + - sambaDomainName eq + state: present + +- name: modify ACLs to account for Samba + ldap_attr: + dn: "olcDatabase={1}mdb,cn=config" + name: olcAccess + values: + - >- + to attrs=userPassword + by self write + by anonymous auth + by * none + - >- + to attrs=shadowLastChange + by self write + by * read + - >- + to attrs=sambaNTPassword + by dn.exact=cn=admin,{{ basedn }} write + by self write + by * none + - >- + to * by * read + state: exact + +- name: customize smb.conf + blockinfile: + dest: /etc/samba/smb.conf + insertafter: '^\s*server role =' + block: | + ####### LDAP Settings ####### + passdb backend = ldapsam:ldapi:/// + ldap suffix = {{ basedn }} + ldap user suffix = ou=people + ldap group suffix = ou=groups + ldap machine suffix = ou=computers + ldap idmap suffix = ou=idmap + ldap admin dn = cn=admin,{{ basedn }} + ldap ssl = no + ldap passwd sync = yes + notify: restart smbd + + +- name: slurp admin password for samba setup + slurp: + src: "{{ ldap_admin_pwd_file }}" + register: ldap_admin_pwd + no_log: true + when: not 
samba_ldap.stat.exists + +- name: make samba admin password available to smbd + command: smbpasswd -w "{{ ldap_admin_pwd['content'] | b64decode | replace('\n', '') }}" + no_log: true + notify: restart smbd + when: not samba_ldap.stat.exists + +- meta: flush_handlers + +- name: add samba attributes to dummy user foo + command: + cmd: smbpasswd -s -a foo + stdin: "{{ foo_pwd }}\n{{ foo_pwd }}" + when: foo_pwd is defined and foo_pwd | length > 0 + +######################## + +- name: allow services in firewalld + firewalld: + zone: internal + service: "{{ item }}" + permanent: yes + immediate: yes + state: enabled + with_items: + - samba diff --git a/roles/samba-ldap/templates/sssd.conf.j2 b/roles/samba-ldap/templates/sssd.conf.j2 new file mode 100644 index 0000000..eb6d50e --- /dev/null +++ b/roles/samba-ldap/templates/sssd.conf.j2 @@ -0,0 +1,20 @@ +[sssd] +domains = LDAP +config_file_version = 2 + +[nss] +filter_groups = root +filter_users = root + +[pam] + +[domain/LDAP] +id_provider = ldap +ldap_uri = ldap://{{ ldap_server }}/ +ldap_search_base = {{ basedn }} + +auth_provider = ldap +cache_credentials = true + +min_id = {{ min_id_sssd }} +max_id = {{ max_id_sssd }} diff --git a/sambox.yml b/sambox.yml new file mode 100644 index 0000000..6160297 --- /dev/null +++ b/sambox.yml 
@@ -0,0 +1,55 @@ +--- +## This playbook deploys the sambox server. Add 'hostname=XXX' and 'domain=YYY' +## to the installer boot parameters to set hostname and domain. +## + + +- name: apply configuration to the sambox server + hosts: all + remote_user: ansible + become: yes + + vars: + ## This interface provides the default route: + if_wan: "{{ ansible_default_ipv4.interface }}" + + ## Use the first remaining interface for the LAN: + if_lan: "{{ ansible_interfaces | difference([if_wan, 'lo']) | first }}" + + ## LAN IP address range: + ipaddr_lan: 192.168.0.10/24 + dhcp_range: 192.168.0.50,192.168.0.99,2h + in_inventory: 192.168.0.[50:99] + + di_dist: "{{ ansible_distribution_release }}" + di_version: 10 #"{{ ansible_distribution_major_version }}" + di_pkg: "debian-installer-{{ di_version }}-netboot-amd64" + + ansible_user: ansible + repo_dir: "/home/{{ ansible_user }}/debian-lan" + ansible_python_interpreter: "/usr/bin/python3" ## needed for firewalld module + + + vars_prompt: + - name: "foo_pwd" + prompt: + In case you would like to prepare a test user 'foo' and have + not done so yet, provide foo's password here. Leave empty to + just continue + private: yes + + + pre_tasks: + - name: validate if interfaces are available + fail: + msg: "Interfaces {{ ansible_interfaces }} found. WAN: '{{ if_wan }}', LAN: '{{ if_lan }}'. Two NICs needed." + when: (if_lan not in ansible_interfaces) or (if_wan not in ansible_interfaces) or (if_lan == if_wan) + + + roles: + - up2date-debian + - two-interface-firewalld + - dhcp-dns-dnsmasq + - tftp-netboot-installer + - apt-cacher + - samba-ldap
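Review bot: The NIC guard cannot report on the host it is meant to catch: with a single interface, `ansible_interfaces | difference([if_wan, 'lo'])` is empty and `first` yields an undefined value, so evaluating `if_lan` in the `when` (and again in `msg`) most likely raises a templating error rather than printing "Two NICs needed" (behaviour of `first` on an empty sequence to be confirmed). Defining it as `if_lan: "{{ ansible_interfaces | difference([if_wan, 'lo']) | first | default('') }}"` lets the `fail` task run and produce the intended message. `di_version: 10` is hard-coded with the fact-based expression left in a trailing comment, so the netboot installer package will silently diverge from the target release on the next Debian upgrade; either restore the fact or document why the pin is deliberate. `remote_user: ansible` and `ansible_user: ansible` duplicate each other, and `become: yes` / `private: yes` use the YAML-1.1 truthy spelling where `true` is the lint-clean form.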