diff --git a/roles/ipaclient/tasks/install.yml b/roles/ipaclient/tasks/install.yml
index 8007b844318d114398f05029aba118c14eb5a5c9..3df5cff9e41cebde5c039162b31b95aa3a943c63 100644
--- a/roles/ipaclient/tasks/install.yml
+++ b/roles/ipaclient/tasks/install.yml
@@ -43,7 +43,6 @@
       kdc: "{{ ipadiscovery.kdc }}"
       kinit_attempts: "{{ ipaclient_kinit_attempts | default(omit) }}"
     register: ipatest
-    when: not ipaclient_on_master | bool
 
   - name: Install - Disable One-Time Password for client with working krb5.keytab
     set_fact:
@@ -84,13 +83,15 @@
 
     when: ipaclient_use_otp | bool
 
-  - name: Install - Check if principal and keytab are set
-    fail: msg="Principal and keytab cannot be used together"
-    when: ipaadmin_principal is defined and ipaadmin_principal != "" and ipaclient_keytab is defined and ipaclient_keytab != ""
+  - block:
+    - name: Install - Check if principal and keytab are set
+      fail: msg="Principal and keytab cannot be used together"
+      when: ipaadmin_principal is defined and ipaadmin_principal != "" and ipaclient_keytab is defined and ipaclient_keytab != ""
 
-  - name: Install - Check if one of password and keytab are set
-    fail: msg="At least one of password or keytab must be specified"
-    when: not ipatest.krb5_keytab_ok and (ipaadmin_password is undefined or ipaadmin_password == "") and (ipaclient_keytab is undefined or ipaclient_keytab == "")
+    - name: Install - Check if one of password and keytab are set
+      fail: msg="At least one of password or keytab must be specified"
+      when: not ipatest.krb5_keytab_ok and (ipaadmin_password is undefined or ipaadmin_password == "") and (ipaclient_keytab is undefined or ipaclient_keytab == "")
+    when: not ipaclient_on_master | bool
 
   - name: Install - Purge {{ ipadiscovery.realm }} from host keytab
     command: >
@@ -203,7 +204,7 @@
       realm: "{{ ipadiscovery.realm }}"
       basedn: "{{ ipadiscovery.basedn }}"
       allow_repair: "{{ ipaclient_allow_repair }}"
-    when: ipatest.krb5_keytab_ok and not ipatest.ca_crt_exists
+    when: not ipaclient_on_master | bool and ipatest.krb5_keytab_ok and not ipatest.ca_crt_exists
 
   - name: Install - Create IPA NSS database
     ipanss:
diff --git a/roles/ipaserver/tasks/install.yml b/roles/ipaserver/tasks/install.yml
index f621ecada80cf921a5e8508d6711bbe43a7fd1ce..de914c8bb9698c209734faf27500f629ea3b3c5b 100644
--- a/roles/ipaserver/tasks/install.yml
+++ b/roles/ipaserver/tasks/install.yml
@@ -324,16 +324,16 @@
       name: ipaclient
     vars:
       state: present
-      on_master: yes
-      domain: "{{ result_ipaserver_test.domain }}"
-      realm: "{{ result_ipaserver_test.realm }}"
-      server: "{{ result_ipaserver_test.hostname }}"
-      hostname: "{{ result_ipaserver_test.hostname }}"
-      #no_dns_sshfp: "{{ ipaclient_no_dns_sshfp }}"
-      #ssh_trust_dns: "{{ ipaclient_ssh_trust_dns }}"
-      #no_ssh: "{{ ipaclient_no_ssh }}"
-      #no_sshd: "{{ ipaclient_no_sshd }}"
-      mkhomedir: "{{ ipaclient_mkhomedir }}"
+      ipaclient_on_master: yes
+      ipaclient_domain: "{{ result_ipaserver_test.domain }}"
+      ipaclient_realm: "{{ result_ipaserver_test.realm }}"
+      ipaclient_server: "{{ result_ipaserver_test.hostname }}"
+      ipaclient_hostname: "{{ result_ipaserver_test.hostname }}"
+      #ipaclient_no_dns_sshfp: "{{ ipaclient_no_dns_sshfp }}"
+      #ipaclient_ssh_trust_dns: "{{ ipaclient_ssh_trust_dns }}"
+      #ipaclient_no_ssh: "{{ ipaclient_no_ssh }}"
+      #ipaclient_no_sshd: "{{ ipaclient_no_sshd }}"
+      #ipaclient_mkhomedir: "{{ ipaclient_mkhomedir }}"
 
   #- name: Install - Setup client
   #  command: >