diff --git a/roles/krb5/defaults/main.yml b/roles/krb5/defaults/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..acc70a2af7fd7f3c10076832941d838229d98968
--- /dev/null
+++ b/roles/krb5/defaults/main.yml
@@ -0,0 +1,14 @@
+---
+krb5_conf: /etc/krb5.conf
+krb5_conf_d: /etc/krb5.conf.d/ #paths.COMMON_KRB5_CONF_DIR
+krb5_include_d: /var/lib/sss/pubconf/krb5.include.d/ #paths.SSSD_PUBCONF_KRB5_INCLUDE_D_DIR
+krb5_packages: krb5-workstation
+
+krb5_realm:
+krb5_servers:
+krb5_dns_lookup_realm: "false"
+krb5_dns_lookup_kdc: "false"
+krb5_default_ccache_name: KEYRING:persistent:%{uid}
+
+krb5_pkinit_anchors: FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
+krb5_pkinit_pool: FILE:/var/lib/ipa-client/pki/ca-bundle.pem
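Review bot: `krb5_realm:` and `krb5_servers:` are bare keys, so both default to null rather than to an empty string or list. In the krb5.conf.j2 hunk of this commit, `{{ krb5_realm | upper }}` on a null value most likely renders the literal `NONE` as the default realm instead of failing, while the `for server in krb5_servers` loop fails only at render time. I would default the list explicitly with `krb5_servers: []` and have the role reject an unset realm before templating, e.g. an `assert` with `that: krb5_realm is string and krb5_realm | length > 0`. The two inline comments on the path lines also need two spaces before `#` and one after it to pass yamllint.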
diff --git a/roles/krb5/meta/main.yml b/roles/krb5/meta/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..e63afec23b70dbfab2e70da7d31575a5552ae87d
--- /dev/null
+++ b/roles/krb5/meta/main.yml
@@ -0,0 +1,12 @@
+galaxy_info:
+  author: Thomas Woerner
+  description: A role to configure krb5
+  company: Red Hat, Inc
+
+  license: GPLv2+
+
+  min_ansible_version: 2.0
+
+  galaxy_tags: [ 'identity', 'ipa']
+
+dependencies: []
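Review bot: `min_ansible_version: 2.0` is read as a YAML float, not a version string, so a value such as 2.10 would silently become 2.1. Quote it as `min_ansible_version: "2.0"`. The file also lacks the leading `---` that the other files in this role start with, and `[ 'identity', 'ipa']` has uneven spacing inside the brackets.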
diff --git a/roles/krb5/tasks/main.yml b/roles/krb5/tasks/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..722678b0be17bb97f7e75a45c8fb5d7cbd2abf5b
--- /dev/null
+++ b/roles/krb5/tasks/main.yml
@@ -0,0 +1,20 @@
+---
+- name: Install {{ krb5_packages }}
+  package: name="{{ item }}" state=present
+  with_items: "{{ krb5_packages }}"
+
+# No backup in ipa-client-install mode
+#- name: Backup {{ krb5_conf }}
+#  copy:
+#    src: "{{ krb5_conf }}"
+#    dest: "{{ krb5_conf }}.bkp"
+#    force: no
+
+- name: Template krb5.conf
+  template:
+    src: krb5.conf.j2
+    dest: /etc/krb5.conf
+    backup: yes
+    owner: root
+    group: root
+    mode: 0644
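Review bot: The template task writes to the hard-coded `dest: /etc/krb5.conf` although the role defaults define `krb5_conf`, so overriding that variable has no effect on where the file lands; use `dest: "{{ krb5_conf }}"`. The file mode should be a quoted string, `mode: "0644"`, so the result does not depend on how the YAML loader treats a leading zero, and `backup: yes` is better written `backup: true`. The commented-out block says no backup is made in ipa-client-install mode, yet `backup: yes` leaves timestamped copies next to the file; either drop the comment block or state which behaviour is intended. The package task would also read better in block form (`name:` / `state:`) than as a `key=value` string.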
diff --git a/roles/krb5/templates/krb5.conf.j2 b/roles/krb5/templates/krb5.conf.j2
new file mode 100644
index 0000000000000000000000000000000000000000..2401bd84da301b0b99a679bdea90cc088eb99a92
--- /dev/null
+++ b/roles/krb5/templates/krb5.conf.j2
@@ -0,0 +1,31 @@
+includedir {{ krb5_conf_d }}
+includedir {{ krb5_include_d }}
+
+[libdefaults]
+  default_realm = {{ krb5_realm | upper }}
+  dns_lookup_realm = {{ krb5_dns_lookup_realm }}
+  dns_lookup_kdc = {{ krb5_dns_lookup_kdc }}
+  rdns = false
+  dns_canonicalize_hostname = false
+  ticket_lifetime = 24h
+  forwardable = true
+  udp_preference_limit = 0
+  default_ccache_name = {{ krb5_default_ccache_name }}
+
+[realms]
+  {{ krb5_realm | upper }} = {
+{% for server in krb5_servers %}
+    kdc = {{ server }}:88
+    master_kdc = {{ server }}:88
+    admin_server = {{ server }}:749
+    kpasswd_server = {{ server }}:464
+{% endfor %}
+    default_domain = {{ krb5_realm | lower }}
+    pkinit_anchors = {{ krb5_pkinit_anchors }}
+    pkinit_pool = {{ krb5_pkinit_pool }}
+  }
+
+[domain_realm]
+  .{{ krb5_realm | lower }} = {{ krb5_realm | upper }}
+  {{ krb5_realm | lower }} = {{ krb5_realm | upper }}
+  {{ ansible_host | lower }} = {{ krb5_realm | upper }}
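Review bot: The last `[domain_realm]` line keys the mapping on `ansible_host`, which is the address Ansible connects to and can be an IP address or an inventory alias rather than the client's hostname. A wrong key there means the host-to-realm mapping is either dead or attached to an unintended name. If the intent is the client's own FQDN, `{{ ansible_fqdn | lower }} = {{ krb5_realm | upper }}` uses the gathered fact instead (this needs fact gathering enabled). A short Jinja comment at the top of the template, e.g. `{# Managed by Ansible role krb5; local edits are overwritten #}`, would also help whoever opens the rendered file's source.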
diff --git a/roles/krb5/vars/default.yml b/roles/krb5/vars/default.yml
new file mode 100644
index 0000000000000000000000000000000000000000..fa18717baa638da7af8b3d9a914d8a72d1d0b2c6
--- /dev/null
+++ b/roles/krb5/vars/default.yml
@@ -0,0 +1,2 @@
+krb5_packages:
+  - krb5-workstation
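Review bot: Nothing visible in this commit loads `vars/default.yml`: Ansible reads `vars/main.yml` automatically, and tasks/main.yml as shown has no `include_vars`. As it stands the role appears to use the string `krb5_packages: krb5-workstation` from defaults/main.yml, and this list is dead. Either add the `include_vars` step (with a distribution-specific lookup if that is the plan) or keep a single definition, preferably the list form, in defaults so inventory can still override it. The file should also start with `---`, like the role's defaults and tasks files.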