diff --git a/kerberox-client.yml b/kerberox-client.yml
new file mode 100644
index 0000000..4861857
--- /dev/null
+++ b/kerberox-client.yml
@@ -0,0 +1,26 @@
+---
+# This playbook deploys a client for the kerberox LAN.
+
+- name: apply configuration to the machines
+ hosts: all
+ remote_user: ansible
+ become: yes
+ vars:
+ deb_release: "buster"
+ extra_pkgs:
+ - webext-privacy-badger
+ - webext-ublock-origin
+ - krb5-auth-dialog
+ extra_pkgs_bpo: [] # [ libreoffice ]
+
+ vars_prompt:
+ - name: "kadmin_pwd"
+ prompt: "Provide kadmin password to fetch kerberos keytab.\nLeave empty if done already"
+ private: yes
+
+ roles:
+ - up2date-debian
+ - lan-client
+ ## Choose either gnome or KDE:
+ - gnome
+ #- kde
diff --git a/kerberox.yml b/kerberox.yml
new file mode 100644
index 0000000..e7eff0e
--- /dev/null
+++ b/kerberox.yml
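Review bot: `become: yes` and `private: yes` in the new kerberox-client.yml use YAML 1.1 truthy spellings that yamllint's truthy rule flags and that YAML 1.2 parsers read as plain strings; the same spellings appear in the new kerberox.yml hunk. Ansible accepts them, but the portable form is `become: true` and `private: true`. The prompt text says "Leave empty if done already", so every role consuming `kadmin_pwd` has to tolerate an empty string; the lan-client tasks in this diff do that, but nothing in this play itself documents that contract, and a one-line comment above `vars_prompt:` such as `## kadmin_pwd may be empty: roles skip keytab creation when it is` would make it explicit.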
@@ -0,0 +1,46 @@
+---
+# This playbook deploys the kerberox server.
+
+- name: apply configuration to the installbox
+ hosts: all
+ remote_user: ansible
+ become: yes
+ vars:
+ ## This interface provides the default route:
+ if_wan: "{{ ansible_default_ipv4.interface }}"
+ ## Use the first remaining interface for the LAN:
+ if_lan: "{{ ansible_interfaces | difference([if_wan, 'lo']) | first }}"
+ ## Add 'hostname=XXX' to the installer boot parameters if necessary:
+ hostname: "{{ ansible_hostname }}"
+ ipaddr_lan: 192.168.0.10
+ dhcp_range: 192.168.0.50,192.168.0.150,2h
+ dhcp_list: "{{ lookup('sequence', 'start=50 end=150 format=192.168.0.%d', wantlist=True) }}"
+ tftp_root: "/var/lib/tftpboot"
+ deb_mirror: "deb.debian.org"
+ di_dist: "buster"
+ di_version: "10"
+ di_pkg: "debian-installer-{{ di_version }}-netboot-amd64"
+ ansible_user: ansible
+ repo_dir: "/home/{{ ansible_user }}/debian-lan"
+ ansible_python_interpreter: "/usr/bin/python3" ## needed for firewalld module
+
+ vars_prompt:
+ - name: "foo_pwd"
+ prompt: "Provide a non-empty password for the test user 'foo'.\nLeave empty to continue without test user"
+ private: yes
+
+ pre_tasks:
+ - name: validate if interfaces are available
+ fail:
+ msg: "Interfaces {{ ansible_interfaces }} found. WAN: '{{ if_wan }}', LAN: '{{ if_lan }}'. Two NICs needed."
+ when: (if_lan not in ansible_interfaces) or (if_wan not in ansible_interfaces) or (if_lan == if_wan)
+
+ roles:
+ - up2date-debian
+ - two-interface-firewalld
+ - dhcp-dns-dnsmasq
+ - tftp-netboot-installer
+ - preseed-installer
+ - apt-cacher
+ - krb5-kdc-ldap
+ - nfs-server
diff --git a/mainserver.yml b/mainserver.yml
deleted file mode 100644
index a97a47b..0000000
--- a/mainserver.yml
+++ /dev/null
@@ -1,14 +0,0 @@
----
-# This playbook deploys the mainserver
-
-- name: apply configuration to the mainserver
- hosts: all
- remote_user: andi
- become: yes
- vars:
- foo_pwd: 123
-
- roles:
-# - ldap
- - krb5-kdc-ldap
-
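Review bot: `if_lan` applies `first` to `ansible_interfaces | difference([if_wan, 'lo'])`, and on a host with a single NIC that list is empty, so as far as I can tell evaluating the variable fails with an undefined-value error before the `validate if interfaces are available` pre_task gets to print its "Two NICs needed" message. A default keeps that check reachable: `if_lan: "{{ ansible_interfaces | difference([if_wan, 'lo']) | first | default('') }}"`, after which `(if_lan not in ansible_interfaces)` is true for the empty string and the `fail` task fires as intended. `ansible_user: ansible` under `vars:` also duplicates `remote_user: ansible` a few lines up; since `repo_dir` already derives from `ansible_user`, `remote_user` is presumably the one to drop. The WAN/LAN selection picks whatever interface happens to be listed first after the default-route one, which on a host with virtual interfaces (bridges, container veths) may not be the physical LAN port; a comment next to `if_lan` saying that it can be overridden with `-e if_lan=...` would save operators a surprise.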
diff --git a/roles/kde/tasks/main.yml b/roles/kde/tasks/main.yml index 847da41..74f7e1f 100644 --- a/roles/kde/tasks/main.yml +++ b/roles/kde/tasks/main.yml @@ -2,6 +2,7 @@ apt: name: - task-kde-desktop + - sddm-theme-debian-breeze - cups state: latest diff --git a/roles/krb5-kdc-ldap/tasks/main.yml b/roles/krb5-kdc-ldap/tasks/main.yml index 1de5dc5..5252dc1 100644 --- a/roles/krb5-kdc-ldap/tasks/main.yml +++ b/roles/krb5-kdc-ldap/tasks/main.yml @@ -2,7 +2,7 @@ ## run most tasks only on krb5-kdc-ldap installation. --- - fail: msg="The machine's domain must not be empty." - when: ansible_domain | length == 0 + when: ansible_domain | length == 0 - name: check if slapd is already there stat: path=/usr/sbin/krb5kdc 
@@ -142,35 +142,38 @@ notify: "restart krb5-kdc" when: not krb5kdc.stat.exists -- name: add root/admin as kadmin - command: kadmin.local -q "addprinc -pw {{ kadmin_pwd }} root/admin" +- name: add root/admin as kadmin + command: kadmin.local -q 'addprinc -pw "{{ kadmin_pwd }}" root/admin' when: not krb5kdc.stat.exists - name: dump kadmin password shell: echo -n "{{ kadmin_pwd }}" > "{{ kadmin_pwd_file }}" ; chmod 0600 "{{ kadmin_pwd_file }}" no_log: true when: not krb5kdc.stat.exists - + - name: add default policy to silence warning when using kadmin command: kadmin.local -q "add_policy default" when: not krb5kdc.stat.exists - name: create machine principals - command: kadmin.local -q "addprinc -randkey {{ item }}/{{ ansible_hostname }}.{{ ansible_domain }}" + command: kadmin.local -q 'addprinc -randkey {{ item }}/{{ ansible_hostname }}.{{ ansible_domain }}' with_items: - host - ldap when: not krb5kdc.stat.exists - name: add principal to the keytab - command: kadmin.local -q "ktadd {{ item }}/{{ ansible_hostname }}.{{ ansible_domain }}" + command: kadmin.local -q 'ktadd {{ item }}/{{ ansible_hostname }}.{{ ansible_domain }}' with_items: - host - ldap when: not krb5kdc.stat.exists ############## - + - name: kerberize dummy user foo - command: kadmin.local -q 'add_principal -pw {{ foo_pwd }} -x dn="uid=foo,ou=people,{{ basedn }}" foo' - when: foo_pwd is defined + command: kadmin.local -q 'add_principal -pw "{{ foo_pwd }}" -x dn="uid=foo,ou=people,{{ basedn }}" foo' + register: kerberize_result + changed_when: kerberize_result.stderr is not search('already exists while creating') + no_log: true + when: foo_pwd is defined and foo_pwd | length > 0 diff --git a/roles/lan-client/tasks/main.yml b/roles/lan-client/tasks/main.yml index 74362a1..f86861b 100644 --- a/roles/lan-client/tasks/main.yml +++ b/roles/lan-client/tasks/main.yml 
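Review bot: The rewritten `add root/admin as kadmin` task still interpolates `kadmin_pwd` into the `command` line but has no `no_log: true`, so the password is echoed in the task's invocation arguments under `-v` and in any configured Ansible log, whereas the `dump kadmin password` task two lines below and the `kerberize dummy user foo` task at the end of the same hunk both set `no_log: true`. Adding `no_log: true` to the root/admin task closes that gap. Note that the `-pw` form also exposes the value in the process list for the duration of the kadmin.local call, on the server and for the foo principal alike; that is pre-existing and only worth changing if local users other than root are expected on the KDC. The `changed_when` added to the foo task keys off `kerberize_result.stderr`, which assumes kadmin.local reports an existing principal on stderr with exit status 0 rather than failing the task — I cannot confirm that from the diff, so it is worth a comment such as `## kadmin.local -q exits 0 on 'already exists'; detect via stderr` if that is the observed behaviour.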
@@ -33,6 +33,8 @@ - nfs-common state: latest +## oddjob-mkhomedir works only with sec=sys for the NFSv4 share + - name: provide identities from directory template: src: sssd.conf.j2 @@ -46,17 +48,19 @@ ## Activate machine after installation: - name: create machine principal - command: kadmin -p root/admin -w {{ lookup('password', '/root/kadmin.pwd') }} -q "addprinc -randkey nfs/{{ ansible_hostname }}.{{ ansible_domain }}" + command: kadmin -p root/admin -w {{ kadmin_pwd }} -q "addprinc -randkey nfs/{{ ansible_hostname }}.{{ ansible_domain }}" + register: kerberize_result + changed_when: kerberize_result.stderr is not search('already exists while creating') no_log: true - when: not run_in_installer|default(false)|bool + when: not run_in_installer|default(false)|bool and kadmin_pwd | length > 0 - name: add principal to keytab - command: kadmin -p root/admin -w {{ lookup('password', '/root/kadmin.pwd') }} -q "ktadd nfs/{{ ansible_hostname }}.{{ ansible_domain }}" + command: kadmin -p root/admin -w {{ kadmin_pwd }} -q "ktadd nfs/{{ ansible_hostname }}.{{ ansible_domain }}" args: creates: /etc/krb5.keytab no_log: true notify: "restart rpc-gssd" - when: not run_in_installer|default(false)|bool + when: not run_in_installer|default(false)|bool and kadmin_pwd | length > 0 - name: automount lineinfile: diff --git a/roles/ldap/defaults/main.yml b/roles/ldap/defaults/main.yml index c84b93e..141c21f 100644 --- a/roles/ldap/defaults/main.yml +++ b/roles/ldap/defaults/main.yml @@ -1,4 +1,4 @@ ldap_admin_pwd: "{{ lookup('password', '/tmp/ldap_admin.pwd length=24') }}" -ldap_pwd_file: "/root/ldap-admin.pwd" +ldap_admin_pwd_file: "/root/ldap-admin.pwd" basedn: "{{ 'dc=' + ( ansible_domain | replace('^.','') | replace('.$','') | replace('.',',dc=')) }}" lan_homes: /home/lan diff --git a/roles/ldap/tasks/main.yml b/roles/ldap/tasks/main.yml index de33367..6f290d3 100644 --- a/roles/ldap/tasks/main.yml +++ b/roles/ldap/tasks/main.yml 
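Review bot: In the `create machine principal` and `add principal to keytab` tasks, `-w {{ kadmin_pwd }}` inserts the password into the `command` string unquoted; the `command` module splits its argument string on whitespace, so a password containing a space becomes several argv entries and the call fails (the replaced `lookup('password', ...)` form had the same weakness), and `-w "{{ kadmin_pwd }}"` survives it. The new condition `kadmin_pwd | length > 0` raises an undefined-variable error if the role is applied from a play that does not prompt for `kadmin_pwd` while `run_in_installer` is false; `kadmin_pwd | default('') | length > 0` preserves the intended skip in that case. Both points apply to both tasks in this hunk. `no_log: true` keeps the secret out of Ansible's output but not out of the client's process list while `kadmin` runs; that is inherent to `-w` and pre-existing, so only a comment is warranted here.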
@@ -2,7 +2,7 @@ ## run most tasks only on slapd installation. --- - fail: msg="The machine's domain must not be empty." - when: ansible_domain | length == 0 + when: ansible_domain | length == 0 - name: check if slapd is already there stat: path=/usr/sbin/slapd @@ -35,7 +35,7 @@ when: not slapd.stat.exists - name: dump admin password - shell: echo -n "{{ ldap_admin_pwd }}" > "{{ ldap_pwd_file }}" ; chmod 0600 "{{ ldap_pwd_file }}" + shell: echo -n "{{ ldap_admin_pwd }}" > "{{ ldap_admin_pwd_file }}" ; chmod 0600 "{{ ldap_admin_pwd_file }}" no_log: true when: not slapd.stat.exists @@ -80,6 +80,11 @@ bind_dn: "cn=admin,{{ basedn }}" bind_pw: "{{ ldap_admin_pwd }}" +- name: provide simple script to add/delete users + template: + src: debian-lan.j2 + dest: /usr/local/sbin/debian-lan + mode: 0744 ## Add user - name: add dummy user foo @@ -98,7 +103,7 @@ loginShell: /bin/bash bind_dn: "cn=admin,{{ basedn }}" bind_pw: "{{ ldap_admin_pwd }}" - when: foo_pwd is defined + when: foo_pwd is defined and foo_pwd | length > 0 - name: add dummy group foo ldap_entry: @@ -109,7 +114,7 @@ gidNumber: 10000 bind_dn: "cn=admin,{{ basedn }}" bind_pw: "{{ ldap_admin_pwd }}" - when: foo_pwd is defined + when: foo_pwd is defined and foo_pwd | length > 0 ## ldapaddgroup tom ## ldapadduser tom tom diff --git a/roles/nfs-server/handlers/main.yml b/roles/nfs-server/handlers/main.yml index bc2c23b..224f948 100644 --- a/roles/nfs-server/handlers/main.yml +++ b/roles/nfs-server/handlers/main.yml @@ -1,3 +1,12 @@ +- name: bind mount exported dir + mount: + path: "{{ export_root }}/home/" + src: "{{ lan_homes }}" + fstype: none + state: mounted + opts: bind + listen: "bind mount exported dirs" + - name: restart nfs-kernel-server service: name=nfs-kernel-server state=restarted enabled=yes listen: "restart nfs-kernel-server" 
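Review bot: `mode: 0744` in the new `provide simple script to add/delete users` task is an unquoted leading-zero literal, which YAML 1.1 parsers read as an octal integer; Ansible handles that form, but the documented-safe spelling is the quoted string `mode: "0744"`, and adding `owner: root` and `group: root` pins ownership explicitly instead of relying on `become`. The script lands in `/usr/local/sbin/debian-lan`, but the template `debian-lan.j2` is not part of this diff, so whether it embeds `ldap_admin_pwd` directly or reads it from `ldap_admin_pwd_file` at runtime cannot be reviewed here; a task comment naming which of the two it does would help the next reader. The `foo_pwd is defined and foo_pwd | length > 0` guards in the two later hunks of this file are consistent with the same change in roles/krb5-kdc-ldap and roles/nfs-server.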
@@ -9,3 +18,7 @@ - name: restart sssd service: name=sssd state=restarted enabled=yes listen: "restart sssd" + +- name: restart dnsmasq + service: name=dnsmasq state=restarted enabled=yes + listen: "restart dnsmasq" diff --git a/roles/nfs-server/tasks/main.yml b/roles/nfs-server/tasks/main.yml index 4eb52c0..aede26c 100644 --- a/roles/nfs-server/tasks/main.yml +++ b/roles/nfs-server/tasks/main.yml @@ -1,7 +1,7 @@ ## Install and configure nfs-server --- - fail: msg="The machine's domain must not be empty." - when: ansible_domain | length == 0 + when: ansible_domain | length == 0 - name: check if there are installing stat: path=/etc/exports @@ -13,19 +13,12 @@ - nfs-kernel-server state: latest -- name: make sure the export exists +- name: make sure the export paths exists file: path={{ export_root }}/home/ state=directory recurse=yes -- name: make sure the export exists +- name: make sure the lan homes exists file: path={{ lan_homes }} state=directory recurse=yes - -- name: bind mount exported dir - mount: - path: "{{ export_root }}/home/" - src: "{{ lan_homes }}" - fstype: none - state: mounted - opts: bind + notify: "bind mount exported dirs" - name: configure exports blockinfile: @@ -36,8 +29,6 @@ {{ export_root }}/home/ *(sec=krb5p,rw,no_subtree_check) notify: "restart nfs-kernel-server" - - - name: check if there is a local kadmin stat: path=/usr/sbin/kadmin.local register: kadmin @@ -71,4 +62,15 @@ shell: cp -r /etc/skel {{ lan_homes }}/foo && chmod -R o-rwx {{ lan_homes }}/foo && chown -R foo:foo {{ lan_homes }}/foo args: creates: "{{ lan_homes }}/foo" - when: foo_pwd is defined + when: foo_pwd is defined and foo_pwd | length > 0 + +- name: check if our dnsmasq is used + stat: path=/etc/dnsmasq.d/dnsmasq-dhcp + register: dnsmasq + +- name: send domain to clients + template: + src: dhcp-send-domain.j2 + dest: /etc/dnsmasq.d/dhcp-send-domain + notify: "restart dnsmasq" + when: dnsmasq.stat.exists 
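Review bot: In the `@@ -13,19 +13,12 @@` hunk the bind mount of `{{ lan_homes }}` onto `{{ export_root }}/home/` becomes a handler that is notified only by `make sure the lan homes exists`, so it runs just when that `file` task reports a change, i.e. when the directory is first created; on a later run where the directory already exists but the bind mount is gone (unmounted by hand, or the handler never completed), nothing notifies it again and the export configured a few lines further down serves the empty `{{ export_root }}/home/` rather than the homes. Keeping the `mount: ... state: mounted` step as an ordinary task (it is idempotent) or notifying `"bind mount exported dirs"` from the `make sure the export paths exists` task as well would keep the export and the mount in step. The handler body itself is in the roles/nfs-server/handlers/main.yml hunk earlier in this diff, and the `configure exports` task that depends on it starts inside this hunk but ends outside it.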
diff --git a/roles/nfs-server/templates/dhcp-send-domain.j2 b/roles/nfs-server/templates/dhcp-send-domain.j2
new file mode 100644
index 0000000..6933a9e
--- /dev/null
+++ b/roles/nfs-server/templates/dhcp-send-domain.j2
@@ -0,0 +1,2 @@
+expand-hosts
+domain={{ ansible_domain }}