diff --git a/roles/nfs-server/defaults/main.yml b/roles/nfs-server/defaults/main.yml
new file mode 100644
index 0000000..08061b3
--- /dev/null
+++ b/roles/nfs-server/defaults/main.yml
@@ -0,0 +1,4 @@
+export_root: /srv/nfs4
+export_dir: /home/lan
+ldap_domain: "{{ ansible_domain | default('intern', true) }}"
+basedn: "{{ 'dc=' + ( ldap_domain | replace('^.','') | replace('.$','') | replace('.',',dc=')) }}"
diff --git a/roles/nfs-server/handlers/main.yml b/roles/nfs-server/handlers/main.yml
new file mode 100644
index 0000000..bc2c23b
--- /dev/null
+++ b/roles/nfs-server/handlers/main.yml
@@ -0,0 +1,11 @@
+- name: restart nfs-kernel-server
+  service: name=nfs-kernel-server state=restarted enabled=yes
+  listen: "restart nfs-kernel-server"
+
+- name: restart rpc-svcgssd
+  service: name=rpc-svcgssd state=restarted enabled=yes
+  listen: "restart rpc-svcgssd"
+
+- name: restart sssd
+  service: name=sssd state=restarted enabled=yes
+  listen: "restart sssd"
diff --git a/roles/nfs-server/tasks/main.yml b/roles/nfs-server/tasks/main.yml
new file mode 100644
index 0000000..5b6a28a
--- /dev/null
+++ b/roles/nfs-server/tasks/main.yml
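Review bot: The `replace('^.','')` and `replace('.$','')` filters on the `basedn` line are literal substring replacements, not regexes, so they never strip a leading or trailing dot and only remove the literal text `^.` / `.$`. For a plain domain such as the `intern` default the result is still correct, but a value with a stray leading or trailing dot would produce an empty `dc=` component. If the trimming is intended, use `regex_replace`: `basedn: "{{ 'dc=' + (ldap_domain | regex_replace('^[.]|[.]$', '') | replace('.', ',dc=')) }}"`; otherwise drop the two no-op filters so the expression says what it does.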
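Review bot: All three handlers use the `key=value` shorthand for `service` (`service: name=nfs-kernel-server state=restarted enabled=yes`) while the tasks file in this commit uses block YAML for `apt`, `mount` and `template`; writing them as `service:` / `name: nfs-kernel-server` / `state: restarted` / `enabled: true` keeps the role consistent and lets yamllint and ansible-lint check the values. The `listen:` value on each handler repeats its `name:` exactly, so it adds nothing here — either drop it or use `listen` to group several handlers under one topic.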
@@ -0,0 +1,65 @@
+## Install and configure nfs-server
+---
+- name: check if there are installing
+  stat: path=/etc/exports
+  register: exports
+
+- name: install nfs-kernel-server
+  apt:
+    name:
+      - nfs-kernel-server
+    state: latest
+
+- name: make sure the export exists
+  file: path={{ export_root }}/home/ state=directory recurse=yes
+
+- name: make sure the export exists
+  file: path={{ export_dir }} state=directory recurse=yes
+
+- name: bind mount exported dir
+  mount:
+    path: "{{ export_root }}/home/"
+    src: "{{ export_dir }}"
+    fstype: none
+    state: mounted
+    opts: bind
+
+- name: configure exports
+  blockinfile:
+    dest: /etc/exports
+    insertbefore: EOF
+    block: |
+      {{ export_root }} *(sec=krb5p:krb5i:krb5:sys,rw,fsid=0,crossmnt,no_subtree_check)
+      {{ export_root }}/home/ *(sec=krb5p:krb5i,rw,no_subtree_check)
+  notify: "restart nfs-kernel-server"
+
+
+
+- name: check if there is a local kadmin
+  stat: path=/usr/sbin/kadmin.local
+  register: kadmin
+
+- name: create machine principal
+  command: kadmin.local -q "addprinc -randkey nfs/{{ ansible_hostname }}.{{ ansible_domain }}"
+  when: kadmin.stat.exists and not exports.stat.exists
+
+- name: add principal to the keytab
+  command: kadmin.local -q "ktadd nfs/{{ ansible_hostname }}.{{ ansible_domain }}"
+  notify: "restart rpc-svcgssd"
+  when: kadmin.stat.exists and not exports.stat.exists
+
+- name: install sssd-krb5
+  apt:
+    name:
+      - sssd-krb5
+      - sssd-ldap
+    state: latest
+  when: kadmin.stat.exists
+
+- name: provide identities from directory
+  template:
+    src: sssd.conf.j2
+    dest: /etc/sssd/sssd.conf
+    mode: 0600
+  notify: restart sssd
+  when: kadmin.stat.exists
diff --git a/roles/nfs-server/templates/sssd.conf.j2 b/roles/nfs-server/templates/sssd.conf.j2
new file mode 100644
index 0000000..0cea9c5
--- /dev/null
+++ b/roles/nfs-server/templates/sssd.conf.j2
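Review bot: The root export written by the `configure exports` block grants `rw` to every client (`*`) and lists `sec=sys`, i.e. plain AUTH_SYS with client-asserted UIDs, so any host that can reach the server can mount and write the pseudo-root without Kerberos; only the `/home/` child export insists on `krb5p:krb5i`. The pseudo-root normally needs no more than `ro`, and the client list should be the LAN range rather than `*`: `{{ export_root }} <lan-cidr-placeholder>(sec=krb5p:krb5i:krb5,ro,fsid=0,crossmnt,no_subtree_check)` — if `sec=sys` is kept for legacy clients, a comment naming them would justify it. Separately, the two `kadmin.local` tasks build the principal from `ansible_domain` while `defaults/main.yml` introduces `ldap_domain` with a fallback for an empty `ansible_domain`; using `{{ ansible_hostname }}.{{ ldap_domain }}` there avoids a principal like `nfs/host.` when the fact is empty. The `not exports.stat.exists` guard also means that if a run fails after `apt` has installed `/etc/exports` but before `ktadd`, the keytab step never re-runs; a `creates:` argument or a `klist -k` check on the keytab would be a sturdier condition.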
@@ -0,0 +1,24 @@
+[sssd]
+domains = LDAP
+services = nss, pam
+config_file_version = 2
+
+[nss]
+filter_groups = root
+filter_users = root
+
+[pam]
+
+[domain/LDAP]
+id_provider = ldap
+ldap_uri = ldap://{{ ansible_hostname }}/
+ldap_search_base = {{ basedn }}
+
+auth_provider = krb5
+krb5_server = {{ ansible_hostname }}
+krb5_realm = {{ ldap_domain | upper }}
+cache_credentials = false
+
+min_id = 10000
+max_id = 20000
+enumerate = False
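Review bot: `ldap_uri = ldap://{{ ansible_hostname }}/` points SSSD at a cleartext LDAP endpoint with no `ldap_id_use_start_tls` or `ldap_tls_cacert` setting, so identity lookups travel unencrypted and the directory server is never authenticated; because `auth_provider = krb5` the passwords themselves do not go over LDAP, but the directory contents do. Prefer `ldap_uri = ldaps://{{ ansible_hostname }}.{{ ldap_domain }}/` (or keep `ldap://` and add `ldap_id_use_start_tls = true`) together with `ldap_tls_cacert = <path-to-ca-bundle-placeholder>` and `ldap_tls_reqcert = demand`. The short `ansible_hostname` is also used for `krb5_server`, whereas the tasks file registers the NFS principal under the FQDN; if the KDC is known by its FQDN the short name only resolves with a matching search domain — worth confirming on the target hosts. Minor: `enumerate = False` and `cache_credentials = false` mix capitalisation; pick one spelling.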