diff --git a/roles/ipaclient/defaults/main.yml b/roles/ipaclient/defaults/main.yml
index 892fac4258bbb01e59c2f84f2575d2a1a373c817..90a346347707d951af2d92c7e22d1311b667c3df 100644
--- a/roles/ipaclient/defaults/main.yml
+++ b/roles/ipaclient/defaults/main.yml
@@ -14,7 +14,7 @@ ipaclient_no_ssh: no
 ipaclient_no_sshd: no
 ipaclient_no_sudo: no
 #ipaclient_no_dns_sshfp: no
-#ipaclient_force: no
+ipaclient_force: no
 ipaclient_force_ntpd: no
 ipaclient_no_nisdomain: no
 ipaclient_configure_firefox: no
diff --git a/roles/ipaclient/library/ipaclient_setup_krb5.py b/roles/ipaclient/library/ipaclient_setup_krb5.py
new file mode 100644
index 0000000000000000000000000000000000000000..8ad5590ff5f1912af89514470701eda4d0b221c8
--- /dev/null
+++ b/roles/ipaclient/library/ipaclient_setup_krb5.py
@@ -0,0 +1,129 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+
+# Authors:
+#   Thomas Woerner <twoerner@redhat.com>
+#
+# Based on ipa-client-install code
+#
+# Copyright (C) 2018  Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+ANSIBLE_METADATA = {
+    'metadata_version': '1.0',
+    'supported_by': 'community',
+    'status': ['preview'],
+}
+
+DOCUMENTATION = '''
+---
+module: ipaclient_setup_krb5
+short description: Setup krb5 for IPA client
+description:
+  Setup krb5 for IPA client
+options:
+  server:
+  domain:
+  realm:
+  hostname:
+    description: The hostname of the machine to join (FQDN).
+    required: true
+author:
+    - Thomas Woerner
+'''
+
+EXAMPLES = '''
+# Backup and set hostname
+- name: Backup and set hostname
+  ipaclient_setup_krb5:
+    server:
+    domain:
+    realm:
+    hostname: client1.example.com
+'''
+
+RETURN = '''
+'''
+
+import os
+
+from ansible.module_utils.basic import AnsibleModule
+from ansible.module_utils.ansible_ipa_client import *
+
+def main():
+    module = AnsibleModule(
+        argument_spec = dict(
+            domain=dict(required=False, default=None),
+            servers=dict(required=False, type='list', default=None),
+            realm=dict(required=False, default=None),
+            hostname=dict(required=False, default=None),
+            kdc=dict(required=False, default=None),
+            dnsok=dict(required=False, type='bool', default=False),
+            client_domain=dict(required=False, default=None),
+            sssd=dict(required=False, type='bool', default=False),
+            force=dict(required=False, type='bool', default=False),
+            #on_master=dict(required=False, type='bool', default=False),
+        ),
+        supports_check_mode = True,
+    )
+
+    module._ansible_debug = True
+    servers = module.params.get('servers')
+    domain = module.params.get('domain')
+    realm = module.params.get('realm')
+    hostname = module.params.get('hostname')
+    kdc = module.params.get('kdc')
+    dnsok = module.params.get('dnsok')
+    client_domain = module.params.get('client_domain')
+    sssd = module.params.get('sssd')
+    force = module.params.get('force')
+    #on_master = module.params.get('on_master')
+
+    fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE)
+
+    #if options.on_master:
+    #    # If on master assume kerberos is already configured properly.
+    #    # Get the host TGT.
+    #    try:
+    #        kinit_keytab(host_principal, paths.KRB5_KEYTAB, CCACHE_FILE,
+    #                     attempts=options.kinit_attempts)
+    #        os.environ['KRB5CCNAME'] = CCACHE_FILE
+    #    except gssapi.exceptions.GSSError as e:
+    #        logger.error("Failed to obtain host TGT: %s", e)
+    #        raise ScriptError(rval=CLIENT_INSTALL_ERROR)
+    #else:
+
+    # Configure krb5.conf
+    fstore.backup_file(paths.KRB5_CONF)
+    configure_krb5_conf(
+        cli_realm=realm,
+        cli_domain=domain,
+        cli_server=servers,
+        cli_kdc=kdc,
+        dnsok=dnsok,
+        filename=paths.KRB5_CONF,
+        client_domain=client_domain,
+        client_hostname=hostname,
+        configure_sssd=sssd,
+        force=force)
+
+    logger.info(
+        "Configured /etc/krb5.conf for IPA realm %s", realm)
+
+    module.exit_json(changed=True)
+
+if __name__ == '__main__':
+    main()
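Review bot: `supports_check_mode = True` is declared, but `main()` never consults `module.check_mode`: it always calls `fstore.backup_file(paths.KRB5_CONF)` and `configure_krb5_conf(...)` and then exits with `changed=True`, so a `--check` run would still rewrite the host's krb5.conf. Either declare `supports_check_mode = False`, or return before the backup with `if module.check_mode: module.exit_json(changed=True)`. The unconditional `changed=True` also means the task never reports an unchanged host, and `module._ansible_debug = True` looks like leftover debugging that should be dropped. The DOCUMENTATION block names `server` and marks `hostname` as required, while the argument_spec uses `servers` and `required=False` throughout; the two should agree, and `kdc`, `dnsok`, `client_domain`, `sssd` and `force` should be documented.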
diff --git a/roles/ipaclient/tasks/install.yml b/roles/ipaclient/tasks/install.yml
index d89646a6ca8a4daff8893f3d22e7a8da16a77123..03c3910729f5d86269bdf41427c3807ad039a740 100644
--- a/roles/ipaclient/tasks/install.yml
+++ b/roles/ipaclient/tasks/install.yml
@@ -226,31 +226,18 @@
       preserve_sssd: "{{ ipassd_preserve_sssd }}"
       no_krb5_offline_passwords: "{{ ipassd_no_krb5_offline_passwords }}"
 
-  - name: Install - Configure krb5 for IPA realm "{{ result_ipaclient_test.realm }} <= 4.4"
-    include_role:
-      name: ipa-krb5
-    vars:
-      krb5_servers: "{{ result_ipaclient_test.servers if not result_ipaclient_test.dnsok or not result_ipaclient_test.kdc else [ ] }}"
-      krb5_realm: "{{ result_ipaclient_test.realm }}"
-      krb5_dns_lookup_realm: "{{ 'false' if not result_ipaclient_test.dnsok or not result_ipaclient_test.kdc else 'true' }}"
-      krb5_dns_lookup_kdc: "{{ 'false' if not result_ipaclient_test.dnsok or not result_ipaclient_test.kdc else 'true' }}"
-      krb5_default_domain: "{{ 'true' if not result_ipaclient_test.dnsok or not result_ipaclient_test.kdc else 'false' }}"
-      krb5_pkinit_anchors: "FILE:/etc/ipa/ca.crt"
-    when: not ipaclient_on_master | bool and result_ipaclient_test.ipa_python_version <= 40400
-
-  - name: Install - Configure krb5 for IPA realm "{{ result_ipaclient_test.realm }} > 4.4"
-    include_role:
-      name: ipa-krb5
-    vars:
-      krb5_servers: "{{ result_ipaclient_test.servers if not result_ipaclient_test.dnsok or not result_ipaclient_test.kdc else [ ] }}"
-      krb5_realm: "{{ result_ipaclient_test.realm }}"
-      krb5_dns_lookup_realm: "{{ 'false' if not result_ipaclient_test.dnsok or not result_ipaclient_test.kdc else 'true' }}"
-      krb5_dns_lookup_kdc: "{{ 'false' if not result_ipaclient_test.dnsok or not result_ipaclient_test.kdc else 'true' }}"
-      krb5_default_domain: "{{ 'true' if not result_ipaclient_test.dnsok or not result_ipaclient_test.kdc else 'false' }}"
-      krb5_dns_canonicalize_hostname: "false"
-      krb5_pkinit_pool: "FILE:/var/lib/ipa-client/pki/ca-bundle.pem"
-      krb5_pkinit_anchors: "FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem"
-    when: not ipaclient_on_master | bool and result_ipaclient_test.ipa_python_version > 40400
+  - name: Install - Configure krb5 for IPA realm
+    ipaclient_setup_krb5:
+      realm: "{{ result_ipaclient_test.realm }}"
+      domain: "{{ result_ipaclient_test.domain }}"
+      servers: "{{ result_ipaclient_test.servers }}"
+      kdc: "{{ result_ipaclient_test.kdc }}"
+      dnsok: "{{ result_ipaclient_test.dnsok }}"
+      client_domain: "{{ result_ipaclient_test.client_domain }}"
+      hostname: "{{ result_ipaclient_test.hostname }}"
+      sssd: "{{ result_ipaclient_test.sssd }}"
+      force: "{{ ipaclient_force }}"
+      #on_master: "{{ ipaclient_on_master }}"
 
   - name: Install - IPA API calls for remaining enrollment parts
     ipaclient_api:
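Review bot: The replacement task `Install - Configure krb5 for IPA realm` has no `when:` condition, whereas both removed tasks were guarded by `not ipaclient_on_master | bool`. With `on_master` commented out here and in the module, this task would also back up and rewrite krb5.conf on an IPA master. I would keep the guard, `when: not ipaclient_on_master | bool`, until the module handles the master case itself. The removed tasks also set `krb5_pkinit_anchors`, `krb5_pkinit_pool` and `krb5_dns_canonicalize_hostname` explicitly per IPA version; these now depend on `configure_krb5_conf`, which is not visible in this diff, so it is worth confirming that the generated file still carries the PKINIT trust anchors. The `ipaclient_api` task continues outside the hunk.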