diff --git a/roles/ldap/templates/debian-lan.j2 b/roles/ldap/templates/debian-lan.j2
new file mode 100644
index 0000000..e17404f
--- /dev/null
+++ b/roles/ldap/templates/debian-lan.j2
@@ -0,0 +1,140 @@ +#!/bin/bash +# +# A simple script to add users and their group to ldap, as well as a kerberos principal. +# + +set -eu + +usage(){ + cat < [] [] + $(basename $0) deluser + + : User ID (login name) + : Password + , : LDAP attributes, if omitted, is used. + +EOF +} + +#sss_cache -U -G ## should not be necessary + +if [ $# -lt 2 ] ; then + usage + exit 1 +elif [ $1 = adduser -a $# -lt 3 ] ; then + echo "Error: Password missing." + usage + exit 1 +fi + +MINID=10000 +MAXID=20000 +BASEDN="{{ basedn }}" +HOMES="{{ lan_homes }}" +LDAPADMIN="cn=admin,$BASEDN" +ADPASSWD="$(cat {{ ldap_admin_pwd_file }})" + +COMMAND="$1" +uid="$2" +pw="${3:-""}" +cn="${4:-$2}" +sn="${5:-$2}" + +if [ -x /usr/sbin/kadmin.local ] ; then + KRB5=true + pwEntry="" +else + KRB5=false + pwEntry="userPassword: $pw" +fi + +############# + + +nextnum(){ + local num + num="$(( $(ldapsearch -Y EXTERNAL -H ldapi:/// -LLL -b "ou=people,$BASEDN" -S $1 $1 2>/dev/null \ + | tail -n -2 | grep -oE "[[:digit:]]+$") + 1 ))" + if [ $num -lt $MINID ] ; then + echo $MINID + else + echo "$num" + fi +} + +add-user(){ + uidNumber=$(nextnum uidNumber) + gidNumber=$(nextnum gidNumber) + + if [ $uidNumber -ge $MAXID -o $gidNumber -ge $MAXID ] ; then + echo "Error: $uidNumber and/or $gidNumber exceed max ID number ${MAXID}." + exit 1 + fi + + cat <&1 \ + | sed '/ldap_initialize/d' + + if [ -d ${HOMES}/${uid} ] ; then + KEEPDIR="${HOMES}/rm_$(date '+%Y%m%d')_${uid}" + mv ${HOMES}/${uid} "${KEEPDIR}" + chown -R root:root "${KEEPDIR}" + ls -ld "$KEEPDIR" + fi +} + +############################## +########### main ############# +############################## + +case $COMMAND in + adduser) + add-user + ;; + deluser) + del-user + ;; + *) + usage + ;; +esac 
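Review bot: `uid="$2"` is never validated, yet it is interpolated both into the LDIF fed to the directory and into filesystem paths (`[ -d ${HOMES}/${uid} ]`, `mv ${HOMES}/${uid} "${KEEPDIR}"`, both unquoted), so a login name containing `/`, `..`, whitespace or a newline would reach `mv`/`chown` and the LDIF unchanged. Add a check right after the assignment, e.g. `[[ "$uid" =~ ^[a-z_][a-z0-9_-]*$ ]] || { echo "Error: invalid user ID '$uid'." >&2; exit 1; }`, and quote those path expansions. The password is also taken from argv (`pw="${3:-""}"`), where it is visible in process listings and shell history; reading it with `read -rs` when `$3` is omitted avoids that, and if `ADPASSWD` is later handed to ldapadd/ldapdelete via `-w` (the heredoc bodies and client invocations are not legible in this rendering), `-y {{ ldap_admin_pwd_file }}` keeps it off the command line too. `nextnum` silently falls back to `$MINID` when `ldapsearch` fails (`2>/dev/null` plus an empty arithmetic operand), which can hand out an already-used uidNumber; failing loudly on a non-zero ldapsearch status would be safer.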
diff --git a/roles/nfs-server/tasks/main.yml b/roles/nfs-server/tasks/main.yml
index aede26c..31c9036 100644
--- a/roles/nfs-server/tasks/main.yml
+++ b/roles/nfs-server/tasks/main.yml
@@ -47,6 +47,7 @@ name: - sssd-krb5 - sssd-ldap + - sssd-tools ## sss_cache -U -G state: latest when: kadmin.stat.exists
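Review bot: The trailing `## sss_cache -U -G` on the added `- sssd-tools` line only hints at why the package is needed, and the `debian-lan.j2` template in this same commit has its `sss_cache -U -G` call commented out as "should not be necessary", so the two halves of the change disagree. Either state the intended use in the comment (e.g. `# sssd-tools: provides sss_cache for flushing the SSSD user/group cache after LDAP changes`) or drop the package until the call is actually made. The install is also gated by `when: kadmin.stat.exists`, so hosts without kadmin would never get `sss_cache` even if the script starts using it; worth confirming that is intended.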