diff --git a/roles/lmn_mount/tasks/main.yml b/roles/lmn_mount/tasks/main.yml
index 3f3dce2..ff633c8 100644
--- a/roles/lmn_mount/tasks/main.yml
+++ b/roles/lmn_mount/tasks/main.yml
@@ -16,7 +16,7 @@
     block: |
       <!-- mounts for home, share and nextcloud -->
       <volume
-        fstype="cifs"
+        fstype="lmn"
         server="{{ smb_server }}"
         path="{{ smb_share }}"
         mountpoint="/srv/samba/schools/default-school"
@@ -71,7 +71,7 @@
     line: KillUserProcesses=yes
     insertafter: '#KillUserProcesses=no'
 
-- name: Bind mount lmn/media with nosuid directory
+- name: Bind mount /lmn/media with nosuid directory
   ansible.posix.mount:
     src: /lmn/media
     path: /lmn/media
diff --git a/roles/lmn_vm/files/u-mount.sh b/roles/lmn_vm/files/u-mount.sh
new file mode 100644
index 0000000..9537167
--- /dev/null
+++ b/roles/lmn_vm/files/u-mount.sh
@@ -0,0 +1,51 @@
+#!/usr/bin/bash
+#
+# <cifsmount>/usr/local/sbin/u-mount.sh %(USER) %(USERUID) %(MNTPT) %(FSTYPE) %(OPTIONS) %(SERVER) %(VOLUME)</cifsmount>'
+# <umount>/usr/local/sbin/u-mount.sh %(USER) %(USERUID) %(MNTPT)</umount>'
+
+set -eu
+
+systemd-cat echo $@
+
+LANG=C
+usr="$1"
+uid="$2"
+mtp="$3"
+
+if [[ "$#" -gt 3 ]] ; then
+    ## we are mounting
+    fty="$4"
+    opt="$5"
+    srv="$6"
+    vol="$7"
+    case "$fty" in
+	"davfs")
+	    systemd-cat echo mount -t davfs -o "$opt" "$vol" "$mtp"
+	    exec mount -t davfs -o "$opt" "$vol" "$mtp"
+	    ;;
+	"cifs")
+	    if [[ ! "$vol" =~ "sysvol" ]] ; then
+		home="$(getent passwd "$usr" | cut -d : -f 6)"
+		vol="default-school/"
+		mount -t cifs -o "$opt" "//$srv/$vol" "$mtp"
+		mkdir -p "/lmn/media/$usr/share"
+		mkdir -p "/lmn/media/$usr/home"
+		mount -o bind "/srv/samba/schools/default-school/share" "/lmn/media/$usr/share"
+		exec mount -o bind "$home" "/lmn/media/$usr/home"
+	    else
+		mount -t cifs -o "$opt" "//$srv/$vol" "$mtp"
+	    fi
+    esac
+else
+#    for VMname in $(sudo -u $user XDG_RUNTIME_DIR="/run/user/$uid" \
+#			 virsh list --state-running | grep running | awk '{print $2}'); do
+#	sudo -u $user XDG_RUNTIME_DIR="/run/user/$uid" virsh destroy $VMname
+#	sleep 1
+#    done
+    #killall -9 virtiofsd
+
+
+    umount "/lmn/media/$usr/share" && rmdir "/lmn/media/$usr/share"
+    umount "/lmn/media/$usr/home"  && rmdir "/lmn/media/$usr/home"
+    exec umount "$mtp"
+fi
diff --git a/roles/lmn_vm/tasks/main.yml b/roles/lmn_vm/tasks/main.yml
index c56df95..28658c2 100644
--- a/roles/lmn_vm/tasks/main.yml
+++ b/roles/lmn_vm/tasks/main.yml
@@ -14,25 +14,20 @@
     #    insertafter: '#auth_unix_rw = "polkit"'
     #  notify: reload libvirtd
 
-- name: Configure pam_mount for VMs
+- name: Generate bind mounts for VMs in extra mount script
   blockinfile:
     dest: /etc/security/pam_mount.conf.xml
     marker: "<!-- {mark} ANSIBLE MANAGED BLOCK (bind mounts for VMs) -->"
     block: |
-      <!-- bind mounts for the VMs, setting gid here does not work -->
-      <volume
-        path="~"
-        mountpoint="/lmn/media/%(USER)/home"
-        options="bind"
-        ><not><or><user>root</user><user>ansible</user><user>Debian-gdm</user><user>sddm</user><user>virti</user></or></not>
-      </volume>
-      <volume
-        path="/srv/samba/schools/default-school/share"
-        mountpoint="/lmn/media/%(USER)/share"
-        options="bind"
-        ><not><or><user>root</user><user>ansible</user><user>Debian-gdm</user><user>sddm</user><user>virti</user></or></not>
-      </volume>
-    insertafter: "<!-- END ANSIBLE MANAGED BLOCK .* -->"
+      <lmnmount>/usr/local/sbin/u-mount.sh %(USER) %(USERUID) %(MNTPT) %(FSTYPE) %(OPTIONS) %(VOLUME) "~"</lmnmount>'
+      <lmnumount>/usr/local/sbin/u-mount.sh %(USER) %(USERUID) %(MNTPT)</lmnumount>'
+    insertafter: '^<mntoptions.*'
+
+- name: Prepare umount script
+  ansible.builtin.copy:
+    src: u-mount.sh
+    dest: /usr/local/sbin/u-mount.sh
+    mode: "0755"
 
 - name: autostart default network for VMs
   file: