diff --git a/roles/linroom_ad/tasks/main.yml b/roles/linroom_ad/tasks/main.yml
new file mode 100644
index 0000000..2cc4095
--- /dev/null
+++ b/roles/linroom_ad/tasks/main.yml
@@ -0,0 +1,41 @@
+- name: Install sssd + samba + keyutil
+ apt:
+ name:
+ - sssd
+ - sssd-ad
+ - realmd
+ - samba-common-bin
+ - smbclient
+ - cifs-utils
+ - smbclient
+ state: latest
+- name: Install kerberos utils
+ apt:
+ name:
+ - keyutils
+ - krb5-user
+- name: Install PAM modules
+ apt:
+ name: libpam-modules
+ state: latest
+- name: Enable create homedir on login
+ command: pam-auth-update --enable mkhomedir
+ become: true
+- name: Check whether we already joined
+ command: /bin/bash -c "/usr/sbin/realm list"
+ register: realm_list_results
+- name: Join using realmd
+ expect:
+ command: realm join --user=ad.join@FRI1.UNI-LJ.SI --computer-ou=OU=Ucilnice FRI1.UNI-LJ.SI
+ responses:
+ (?i)Password: "{{ad_join_password}}"
+ ignore_errors: yes
+ when: realm_list_results.stdout == ""
+
+- name: Copy sssd config
+ template:
+ src: sssd.conf
+ dest: "/etc/sssd/sssd.conf"
+ owner: root
+ mode: 0600
+
diff --git a/roles/linroom_ad/templates/sssd.conf b/roles/linroom_ad/templates/sssd.conf
new file mode 100644
index 0000000..cd745fa
--- /dev/null
+++ b/roles/linroom_ad/templates/sssd.conf
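Review bot: The `Join using realmd` task passes `{{ad_join_password}}` through the expect module's `responses` mapping without `no_log: true`, so the join password is printed in verbose task output and in any callback or log that records task arguments; add `no_log: true` to that task and keep the variable in vault-encrypted vars. `ignore_errors: yes` on the same task hides a failed join, after which `Copy sssd config` still installs the domain configuration on a host that never joined — drop it, or replace it with an explicit `failed_when` that tolerates only the "already joined" case, and write the boolean as `true` rather than `yes`. `Check whether we already joined` runs `/usr/sbin/realm list` with a bare `command:` and no `changed_when: false`, so every play run reports a change, and the first apt task lists `smbclient` twice. The template task's `mode: 0600` should be quoted as `mode: "0600"` so the YAML loader does not turn the octal into the integer 384 before Ansible sees it.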
@@ -0,0 +1,30 @@
+[sssd]
+config_file_version = 2
+domains = fri1.uni-lj.si
+enable_files_domain = False
+services = nss, pam
+
+[nss]
+filtered_groups = root
+filtered_users = root
+reconnection_retries = 3
+
+[pam]
+reconnection_retries = 3
+
+[domain/fri1.uni-lj.si]
+ad_domain = fri1.uni-lj.si
+ad_server = dcv1fri1.fri1.uni-lj.si,dcv2fri1.fri1.uni-lj.si
+ad_maximum_machine_account_password_age = 0
+ad_gpo_access_control = permissive
+ad_enabled_domains = fri1.uni-lj.si, student.uni-lj.si, fkkt1.uni-lj.si, ef1.uni-lj.si, fe1.uni-lj.si, ff.uni-lj.si, fmf.uni-lj.si, fu.uni-lj.si, pef.uni-lj.si
+krb5_realm = FRI1.UNI-LJ.SI
+realmd_tags = manages-system joined-with-adcli
+cache_credentials = True
+id_provider = ad
+krb5_store_password_if_offline = True
+default_shell = /bin/bash
+ldap_id_mapping = True
+use_fully_qualified_names = True
+fallback_homedir = /home/%u@%d
+access_provider = ad
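Review bot: `ad_gpo_access_control = permissive` and `ad_maximum_machine_account_password_age = 0` in the `[domain/fri1.uni-lj.si]` section both relax SSSD's defaults — GPO logon-right restrictions are evaluated but not enforced, and the machine account password is never renewed — with nothing in the file saying why; add a comment above each, e.g. `# permissive: GPO logon rights are only logged, not enforced - switch to enforcing once the classroom GPOs are verified` and `# 0 disables machine-account password renewal - document why this host must not rotate it`. With `cache_credentials = True` and `krb5_store_password_if_offline = True` this file controls credential caching on the host, so it depends on the root-only 0600 mode set by the `Copy sssd config` task; a one-line comment at the top stating that requirement would help the next maintainer. The file is installed via `template:` but contains no Jinja expressions, so the domain, realm, DC names and the trusted-domain list are hard-coded in what the role presents as a template — either move them into role variables or ship the file with `copy:` so the intent is clear.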