diff --git a/handlers/ipa.yml b/handlers/ipa.yml
new file mode 100644
index 0000000000..deec669d50
--- /dev/null
+++ b/handlers/ipa.yml
@@ -0,0 +1,7 @@
+########################
+# Handlers for IPA stuff
+#
+
+# This is used to combine the IPA keytabs for local host and id.fp.o
+- name: combine IPA http keytabs
+ shell: printf "%b" "read_kt /etc/httpd/conf/ipa.keytab\nread_kt /etc/krb5.HTTP_id{{env_suffix}}.fedoraproject.org.keytab\nwrite_kt /etc/krb5.HTTP_id{{env_suffix}}.fedoraproject.org.keytab.combined" | ktutil
diff --git a/playbooks/groups/ipa.yml b/playbooks/groups/ipa.yml
index b75144976b..177d586272 100644
--- a/playbooks/groups/ipa.yml
+++ b/playbooks/groups/ipa.yml
@@ -46,28 +46,13 @@
 owner_user: apache
 owner_group: apache
 service: HTTP
- host: "id.stg.fedoraproject.org"
- when: env == "staging"
- - role: keytab/service
- owner_user: apache
- owner_group: apache
- service: HTTP
- host: "id.fedoraproject.org"
- when: env == "production"
-
- tasks:
- #- name: Make symlink for keytab
- # file: state=link path=/etc/httpd/conf/ipa.keytab force=yes
- # src="/etc/krb5.HTTP_id{{env_suffix}}.fedoraproject.org.keytab"
- # notify:
- # - reload httpd
- # tags:
- # - ipa/server
- # - krb5
- # when: env == "staging"
+ host: "id{{env_suffix}}.fedoraproject.org"
+ notify:
+ - combine IPA http keytabs
 handlers:
 - include: "{{ handlers }}/restart_services.yml"
+ - include: "{{ handlers }}/ipa.yml"
 - name: do base role once more to revert any resolvconf changes
 hosts: ipa:ipa-stg
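Review bot: In handlers/ipa.yml the `shell:` line leaves the ownership and mode of the `.combined` keytab to ktutil's defaults and never clears the file before `write_kt`. As far as I know `write_kt` appends to an existing keytab, so each run would add duplicate entries and keep superseded keys in a file that holds long-term Kerberos secrets. Removing the combined file before the ktutil call would avoid that. A follow-up step could then pin the permissions, for example `file: path=/etc/krb5.HTTP_id{{env_suffix}}.fedoraproject.org.keytab.combined owner=apache group=apache mode=0600`, where the owner is assumed from the role's `owner_user`. ktutil also appears to exit 0 when a `read_kt` fails, so a missing source keytab would pass silently; a check that both inputs exist would make the failure visible.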
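Review bot: In playbooks/groups/ipa.yml the added `notify:` sits on the `keytab/service` role entry rather than on a task. As far as I know Ansible treats a key like that on a role entry as a role parameter, not as a handler notification. Unless the role's tasks forward it (something like `notify: "{{ notify }}"`, which is not visible in this diff), `combine IPA http keytabs` would never fire and the combined keytab would go stale after a key rotation. It is worth confirming in staging that re-issuing the keytab actually triggers the handler. The role entry begins above the hunk, so its full parameter list is not visible here.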