diff --git a/tasks/main.yml b/tasks/main.yml index db2f214..2d6b6ab 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -93,6 +93,13 @@ ignore_errors: yes # Configure ntp.conf to use AD DCs +- name: Ensure 'tinker panic 0' is present + lineinfile: + path: /etc/ntp.conf + line: "tinker panic 0" + insertafter: BOF + state: present + - name: Configure ntp.conf with AD domain controllers blockinfile: path: /etc/ntp.conf @@ -134,6 +141,26 @@ register: join_result changed_when: "'Joined domain' in join_result.stdout" +# Ensure winbind is appended to passwd and group in /etc/nsswitch.conf +- name: Ensure winbind is appended to passwd and group NSS databases + lineinfile: + path: /etc/nsswitch.conf + regexp: '^{{ item }}:' + line: "{{ item }}: files winbind" + backrefs: yes + loop: + - passwd + - group + +# Append [success=continue] winbind to existing initgroups line +- name: Ensure [success=continue] winbind is present in initgroups line if it exists + replace: + path: /etc/nsswitch.conf + regexp: '^(initgroups:.*?)(\s*winbind)?$' + replace: '\1 [success=continue] winbind' + when: "'initgroups:' in lookup('file', '/etc/nsswitch.conf')" + + - name: Enable and start required services service: name: "{{ item }}" diff --git a/templates/smb.conf.j2 b/templates/smb.conf.j2 index a42a8c0..7bdd857 100644 --- a/templates/smb.conf.j2 +++ b/templates/smb.conf.j2 
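Review bot: `tinker panic 0` permanently disables ntpd's panic gate, so the daemon will step the clock by any offset instead of refusing the adjustment and exiting when a source reports more than 1000 s of skew; that gate is what bounds the damage a misbehaving or spoofed time source can do to Kerberos ticket validity and log timestamps on a domain member. If the setting is only there to survive the first sync on a freshly built host, starting ntpd with `-g` (one large initial step allowed, gate restored afterwards) is the narrower option. Either way the new task should carry a comment stating why the gate is being removed, e.g. `# Allow ntpd to step the clock by any amount (no 1000 s panic exit); this drops a sanity check, keep only if first-sync offsets on new hosts require it`. The blockinfile task that follows continues past the end of the hunk.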
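Review bot: The `when` on the initgroups task evaluates `lookup('file', '/etc/nsswitch.conf')` on the Ansible controller, not on the managed host, so the condition tests the wrong machine's file; since `replace` is already a no-op when its regexp matches nothing, the `when:` line can simply be dropped. The task is also not idempotent: on a line that already reads `initgroups: files [success=continue] winbind` the optional group strips only the trailing ` winbind`, leaving `[success=continue]` inside `\1`, so every run inserts another `[success=continue]`; a regexp that refuses lines already carrying the token, `regexp: '^(initgroups:(?:(?!\[success=continue\]\s*winbind).)*?)(\s*winbind)?$'`, keeps the replace stable while still upgrading a bare `winbind`. Separately, the passwd/group task uses `backrefs: yes` to rewrite the whole line as `{{ item }}: files winbind`, which silently discards any other sources the distribution put there (`systemd`, `sss`, `ldap` — check the target images), contrary to the "appended" wording of the comment; either preserve the existing line with `regexp: '^({{ item }}:(?:(?!winbind).)*)$'` and `line: '\1 winbind'`, or document that the overwrite is intentional.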
@@ -2,13 +2,26 @@ workgroup = {{ ad_realm.split('.')[0] }} security = ads realm = {{ ad_realm }} + + # users will be in the form username instead of DOMAIN\username. winbind use default domain = true + winbind offline logon = false dedicated keytab file = /etc/krb5.keytab kerberos method = secrets and keytab + + # Default ID mapping configuration for local BUILTIN accounts + # and groups on a domain member. The default (*) domain: + # - must not overlap with any domain ID mapping configuration! + # - must use a read-write-enabled back end, such as tdb. idmap config * : backend = tdb - idmap config * : range = 10000-20000 + idmap config * : range = 3000-7999 + + # - You must set a DOMAIN backend configuration + # idmap config for the {{ ad_realm.split('.')[0] }} domain idmap config {{ ad_realm.split('.')[0] }} : backend = rid - idmap config {{ ad_realm.split('.')[0] }} : range = 20001-999999 + idmap config {{ ad_realm.split('.')[0] }} : range = 10000-999999 + + # Template settings for login shell and home directory template shell = /bin/bash template homedir = /home/%U