diff --git a/inventory/group_vars/openqa_servers_common b/inventory/group_vars/openqa_servers_common
index eba4223c36..e4c01c4fbc 100644
--- a/inventory/group_vars/openqa_servers_common
+++ b/inventory/group_vars/openqa_servers_common
@@ -58,6 +58,7 @@ openqa_amqp_smtp: bastion
 # http and NFS
 tcp_ports: [80, 2049]
 
+primary_auth_source: ipa
 ipa_host_group: openqa-servers
 ipa_host_group_desc: OpenQA servers
 ipa_client_shell_groups:
diff --git a/inventory/group_vars/openqa_workers b/inventory/group_vars/openqa_workers
index 82fba757ad..ba4debf87b 100644
--- a/inventory/group_vars/openqa_workers
+++ b/inventory/group_vars/openqa_workers
@@ -21,6 +21,7 @@ openqa_nfs_worker: true
 deployment_type: prod
 freezes: false
 
+primary_auth_source: ipa
 ipa_host_group: openqa-workers
 ipa_host_group_desc: OpenQA worker hosts
 ipa_client_shell_groups:
diff --git a/playbooks/groups/openqa-workers.yml b/playbooks/groups/openqa-workers.yml
index 4076e48b76..965845fb06 100644
--- a/playbooks/groups/openqa-workers.yml
+++ b/playbooks/groups/openqa-workers.yml
@@ -11,14 +11,13 @@
   pre_tasks:
   - include_vars: dir=/srv/web/infra/ansible/vars/all/ ignore_files=README
   - import_tasks: "{{ tasks_path }}/yumrepos.yml"
-  - import_tasks: "{{ tasks_path }}/2fa_client.yml"
 
   roles:
    - { role: base, tags: ['base'] }
    - { role: rkhunter, tags: ['rkhunter'] }
    - { role: nagios_client, tags: ['nagios_client'] }
    - { role: hosts, tags: ['hosts']}
-   - { role: fas_client, tags: ['fas_client'] }
+   - ipa/client
    - { role: collectd/base, tags: ['collectd_base'] }
    - { role: sudo, tags: ['sudo'] }
    - { role: openqa/worker, tags: ['openqa_worker'] }
diff --git a/playbooks/groups/openqa.yml b/playbooks/groups/openqa.yml
index 3804b3c3a5..29a869b62c 100644
--- a/playbooks/groups/openqa.yml
+++ b/playbooks/groups/openqa.yml
@@ -19,13 +19,12 @@
    - { role: rkhunter, tags: ['rkhunter'] }
    - { role: nagios_client, tags: ['nagios_client'] }
    - { role: hosts, tags: ['hosts']}
-   - { role: fas_client, tags: ['fas_client'] }
+   - ipa/client
    - { role: collectd/base, tags: ['collectd_base'] }
    - { role: sudo, tags: ['sudo'] }
    - apache
 
   tasks:
-  - import_tasks: "{{ tasks_path }}/2fa_client.yml"
   - import_tasks: "{{ tasks_path }}/motd.yml"
 
   handlers: