diff --git a/ad-server-replication/tasks/main.yml b/ad-server-replication/tasks/main.yml
index a778d09aa11ea9a81f2f355a1deb087f6555d7ad..f107acac4d077aa21d92cab1f58b27a5957ce30f 100644
--- a/ad-server-replication/tasks/main.yml
+++ b/ad-server-replication/tasks/main.yml
@@ -10,6 +10,13 @@
   tags:
     - ad-server
 
+- name: ensure winbind is for some reasons installed
+  apt:
+    name: winbind
+    state: present
+  tags:
+    - ad-server
+
 - name: figure out if domain is provisioned
   stat:
     path: "/var/lib/samba/sysvol/{{ domain }}"
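Review bot: The name of the added `apt` task, `ensure winbind is for some reasons installed`, records that the reason for the package is unknown instead of saying what it is. On a domain controller every extra package should have a stated purpose, so that a later reviewer can judge whether it is still needed. I would rename it to `- name: ensure winbind is installed` and put a comment above it such as `# winbind is needed by <component - fill in>; without it <observed failure>`. If the dependency comes from the Samba AD DC service itself, which is only a guess from this hunk, saying so in the comment is enough.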
diff --git a/ad-server-replication/templates/smb.conf.j2 b/ad-server-replication/templates/smb.conf.j2
index 3bd4725fd8292b4444a31f1eec4bd6c4fea4f8ab..a22b5d2e77d78ba09e346dd957a95043847aee89 100644
--- a/ad-server-replication/templates/smb.conf.j2
+++ b/ad-server-replication/templates/smb.conf.j2
@@ -19,7 +19,7 @@
         kdc:renewal lifetime = {{ renewal_lifetime }}
 
         tls enabled = yes
-        tls cafile = /etc/ssl/certs/rwth_chain.pem
+        tls cafile = {{smb_tls_cacert}}
         tls keyfile = {{smb_tls_key}}
         tls certfile = {{smb_tls_cert}}
 
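Review bot: `tls cafile = {{smb_tls_cacert}}` depends on a variable that this diff does not define, and the same line is introduced in ad-server/templates/smb.conf.j2, where it replaces `{{smb_tls_chain}}`. Inventories that still set only the old name, or that relied on the fixed `/etc/ssl/certs/rwth_chain.pem` path in this role, will need updating. A value that is defined but empty would render a bare `tls cafile =` without any error from the template. Because this file is the CA bundle Samba uses for TLS, I would fail early in the role's tasks with an `assert` whose condition is `smb_tls_cacert is defined and smb_tls_cacert | length > 0`. Documenting the variable in the role defaults or README next to `smb_tls_key` and `smb_tls_cert` would also help.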
diff --git a/ad-server/templates/smb.conf.j2 b/ad-server/templates/smb.conf.j2
index e19b860cd7f18fc10980cb36dbaa3487fae99172..a22b5d2e77d78ba09e346dd957a95043847aee89 100644
--- a/ad-server/templates/smb.conf.j2
+++ b/ad-server/templates/smb.conf.j2
@@ -19,8 +19,7 @@
         kdc:renewal lifetime = {{ renewal_lifetime }}
 
         tls enabled = yes
-        tls cafile = {{smb_tls_chain}}
-        #tls cafile = /etc/ssl/certs/rwth_chain.pem
+        tls cafile = {{smb_tls_cacert}}
         tls keyfile = {{smb_tls_key}}
         tls certfile = {{smb_tls_cert}}