diff --git a/README.md b/README.md
index de0f764b2c0bf971a2c39a074389199ba286faeb..9004805bacbc8ce4fcadfa55935089cc7b575f9e 100644
--- a/README.md
+++ b/README.md
@@ -31,7 +31,7 @@ Requirements
 
 **Controller**
 * Ansible version: 2.5+
-* python3-gssapi is required on the controller if a one time password (OTP) is used to install the client.
+* python3-gssapi is required on the controller if a one time password (OTP) is used with keytab to install the client.
 
 **Node**
 * Supported FreeIPA version (see above)
diff --git a/roles/ipaclient/action_plugins/ipaclient_get_otp.py b/roles/ipaclient/action_plugins/ipaclient_get_otp.py
index 3c480ecdd55c9c2f172f6f76ffdd5eff0eb1442b..c0c5aec6c7c60410155200cc82d83f9cd132901b 100644
--- a/roles/ipaclient/action_plugins/ipaclient_get_otp.py
+++ b/roles/ipaclient/action_plugins/ipaclient_get_otp.py
@@ -17,7 +17,10 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-import gssapi
+try:
+    import gssapi
+except ImportError:
+    gssapi = None
 import os
 import shutil
 import subprocess
@@ -76,6 +79,9 @@ def kinit_keytab(principal, keytab, ccache_name, config):
     Perform kinit using principal/keytab, with the specified config file
     and store the TGT in ccache_name.
     """
+    if gssapi is None:
+        raise ImportError("gssapi is not available")
+
     old_config = os.environ.get('KRB5_CONFIG')
     os.environ['KRB5_CONFIG'] = config
     try: