diff --git a/inventory/group_vars/all b/inventory/group_vars/all
index cb42f4330f..cbff170da3 100644
--- a/inventory/group_vars/all
+++ b/inventory/group_vars/all
@@ -208,3 +208,6 @@
 fedora_required_images:
 # In some cases we want mod_wsgi and no apache (for python3 httpaio stuff)
 # wsgi_wants_apache: true
+
+# Main IPA server for this server
+ipa_server: ipa01.stg.phx2.fedoraproject.org
diff --git a/inventory/group_vars/staging b/inventory/group_vars/staging
index cd9c3a2cb2..f0a472e557 100644
--- a/inventory/group_vars/staging
+++ b/inventory/group_vars/staging
@@ -12,3 +12,5 @@
 collectd_graphite: True
 fedmsg_prefix: org.fedoraproject
 fedmsg_env: stg
+
+ipa_server: ipa01.stg.phx2.fedoraproject.org
diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml
index 942814f1aa..6680578065 100644
--- a/roles/base/tasks/main.yml
+++ b/roles/base/tasks/main.yml
@@ -377,4 +377,4 @@
   tags:
   - base
   - config
-  - krb
+  - krb5
diff --git a/roles/keytab/tasks/main.yml b/roles/keytab/tasks/main.yml
new file mode 100644
index 0000000000..6f78e6e284
--- /dev/null
+++ b/roles/keytab/tasks/main.yml
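Review bot: The `ipa_server` default added to `inventory/group_vars/all` names the staging IPA host, so any host outside the staging group that runs the new keytab role will be enrolled against staging; the second hunk sets the identical value in `inventory/group_vars/staging`, which makes the `all` entry redundant for staging and wrong-by-default everywhere else. Either point the `all` default at the production IPA server or drop it so an undefined `ipa_server` fails the play instead of silently enrolling against the wrong realm. The comment `# Main IPA server for this server` would read more precisely as `# IPA server this host enrolls against (used by the keytab role)`.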
@@ -0,0 +1,104 @@
+---
+# Get host keytab
+- name: Determine whether we need to get host keytab
+  stat: path=/etc/krb5.keytab
+  register: host_keytab_status
+  tags:
+  - base
+  - config
+  - krb5
+
+- name: Get admin keytab
+  delegate_to: {{ipa_server}}
+  shell: echo "{{ipa_admin_password}}" | kinit admin
+  tags:
+  - base
+  - config
+  - krb5
+  when: not host_keytab_status.stat.exists
+
+- name: Create host entry
+  delegate_to: {{ipa_server}}
+  command: ipa host-add {{inventory_hostname}}
+  register: host_add_result
+  changed_when: "'Added host' in host_add_result.stdout"
+  failed_when: "not ('Added host' in host_add_result.stdout or 'already exists' in host_add_result.stdout)"
+  tags:
+  - base
+  - config
+  - krb5
+  when: not host_keytab_status.stat.exists
+
+- name: Generate host keytab
+  delegate_to: {{ipa_server}}
+  command: ipa-getkeytab -s {{ipa_server}} -p host/{{inventory_hostname}} -k /tmp/{{inventory_hostname}}.kt
+  register: getkeytab_result
+  changed_when: false
+  failed_when: "'successfully retrieved' not in getkeytab_result.stdout"
+  tags:
+  - base
+  - config
+  - krb5
+  when: not host_keytab_status.stat.exists
+
+- name: Destroy kerberos ticket
+  delegate_to: {{ipa_server}}
+  command: kdestroy -A
+  tags:
+  - base
+  - config
+  - krb5
+  when: not host_keytab_status.stat.exists
+
+- name: Get keytab
+  delegate_to: {{ipa_server}}
+  command: base64 /tmp/{{inventory_hostname}}.kt
+  register: keytab
+  tags:
+  - base
+  - config
+  - krb5
+  when: not host_keytab_status.stat.exists
+
+- name: Destroy stored keytab
+  delegate_to: {{ipa_server}}
+  file: path=/tmp/{{inventory_hostname}}.kt state=absent
+  tags:
+  - base
+  - config
+  - krb5
+  when: not host_keytab_status.stat.exists
+
+- name: Deploy base64 keytab
+  file: path=/etc/krb5.keytab.b64
+        content={{keytab.stdout}}
+        owner=root group=root mode=0600
+  tags:
+  - base
+  - config
+  - krb5
+  when: not host_keytab_status.stat.exists
+
+- name: Base64-decode keytab
+  shell: base64-decode -d /etc/krb5.keytab.b64 >/etc/krb5.keytab
+  tags:
+  - base
+  - config
+  - krb5
+  when: not host_keytab_status.stat.exists
+
+- name: Set keytab permissions
+  file: path=/etc/krb5.keytab owner=root group=root mode=0600
+  tags:
+  - base
+  - config
+  - krb5
+  when: not host_keytab_status.stat.exists
+
+- name: Destroy encoded keytab
+  file: /etc/krb5.keytab.b64 state=absent
+  tags:
+  - base
+  - config
+  - krb5
+  when: not host_keytab_status.stat.exists