diff --git a/inventory/group_vars/all b/inventory/group_vars/all
index 672272c439..6589affb85 100644
--- a/inventory/group_vars/all
+++ b/inventory/group_vars/all
@@ -210,6 +210,7 @@ fedora_required_images:
 wsgi_wants_apache: true
 # IPA settings
+additional_host_keytabs: []
 ipa_server: ipa01.phx2.fedoraproject.org
 ipa_realm: FEDORAPROJECT.ORG
 ipa_admin_password: "{{ ipa_prod_admin_password }}"
diff --git a/inventory/host_vars/pkgs02.phx2.fedoraproject.org b/inventory/host_vars/pkgs02.phx2.fedoraproject.org
index 89bf4a0dbe..e939980aa3 100644
--- a/inventory/host_vars/pkgs02.phx2.fedoraproject.org
+++ b/inventory/host_vars/pkgs02.phx2.fedoraproject.org
@@ -18,3 +18,6 @@ virt_install_command: "{{ virt_install_command_two_nic }}"
 host_backup_targets: ['/srv']
 nfs_mount_opts: "rw,hard,bg,intr,noatime,nodev,nosuid,nfsvers=4"
+
+additional_host_keytabs:
+- pkgs.fedoraproject.org
diff --git a/roles/base/tasks/keytab.yml b/roles/base/tasks/keytab.yml
index 0b46c9c654..a6f43cc2ba 100644
--- a/roles/base/tasks/keytab.yml
+++ b/roles/base/tasks/keytab.yml
@@ -29,6 +29,19 @@
 - krb5
 when: not host_keytab_status.stat.exists
+- name: Create additional host entries
+ delegate_to: "{{ ipa_server }}"
+ command: ipa host-add {{item}}
+ with_items: "{{ additional_host_keytabs }}"
+ register: hosts_add_result
+ changed_when: "'Added host' in hosts_add_result.stdout"
+ failed_when: "not ('Added host' in hosts_add_result.stdout or 'already exists' in hosts_add_result.stderr)"
+ tags:
+ - base
+ - config
+ - krb5
+ when: not host_keytab_status.stat.exists
+
 - name: Generate host keytab
 delegate_to: "{{ ipa_server }}"
 command: ipa-getkeytab -s {{ipa_server}} -p host/{{inventory_hostname}} -k /tmp/{{inventory_hostname}}.kt
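Review bot: `additional_host_keytabs` is introduced in group_vars with no comment, and the name alone does not say whether entries are host FQDNs, full principal names, or keytab file paths. A one-line comment above the default, `# Extra host FQDNs whose host/ principal keys are also fetched into this machine's keytab (see roles/base/tasks/keytab.yml)`, would tell inventory editors what to put there and where the list is consumed.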
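Review bot: Both new tasks are gated on `when: not host_keytab_status.stat.exists`, the existence check for the primary host keytab, so an entry added to `additional_host_keytabs` on a host that already has its keytab is never created in IPA (this hunk) and never merged into the keytab (the second hunk of this file); the list is only honoured on first provisioning. A per-item check, such as registering the result of `ipa host-show {{ item }}` and keying this task's `when` off that, would make the list additive for existing hosts. Separately, the command module splits `ipa host-add {{item}}` on whitespace before execution, so quoting the value, `command: ipa host-add "{{ item }}"`, keeps a malformed inventory entry from turning into extra arguments. The surrounding task list continues outside the hunk.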
@@ -41,6 +54,19 @@
 - krb5
 when: not host_keytab_status.stat.exists
+- name: Add additional host keytabs
+ delegate_to: "{{ ipa_server }}"
+ command: ipa-getkeytab -s {{ipa_server}} -p host/{{item}} -k /tmp/{{inventory_hostname}}.kt
+ with_items: "{{ additional_host_keytabs }}"
+ register: getkeytabs_result
+ changed_when: false
+ failed_when: "'successfully retrieved' not in getkeytabs_result.stderr"
+ tags:
+ - base
+ - config
+ - krb5
+ when: not host_keytab_status.stat.exists
+
 - name: Destroy kerberos ticket
 delegate_to: "{{ ipa_server }}"
 command: kdestroy -A
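Review bot: `ipa-getkeytab` without `-r` generates a fresh key for `host/{{item}}` each time it runs, so fetching `host/pkgs.fedoraproject.org` into this host's keytab invalidates any keytab that already holds that principal on another machine, and `changed_when: false` hides that a key rotation took place. If the principal is meant to be shared across hosts, `command: ipa-getkeytab -r -s {{ipa_server}} -p host/{{item}} -k /tmp/{{inventory_hostname}}.kt` retrieves the existing key instead; that requires the caller to be allowed to retrieve the principal's keytab in IPA, which cannot be confirmed from this diff. If re-keying is the intent, `changed_when: true` (or a check on the retrieval message already used in `failed_when`) would at least report it in the play output.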