diff --git a/roles/kerberos/keytab/defaults/main.yml b/roles/kerberos/keytab/defaults/main.yml
new file mode 100644
index 0000000..9c85390
--- /dev/null
+++ b/roles/kerberos/keytab/defaults/main.yml
@@ -0,0 +1,2 @@
+---
+group: "{{ ansible_wheel }}"
diff --git a/roles/kerberos/keytab/tasks/main.yml b/roles/kerberos/keytab/tasks/main.yml
new file mode 100644
index 0000000..7daae01
--- /dev/null
+++ b/roles/kerberos/keytab/tasks/main.yml
@@ -0,0 +1,35 @@
+---
+- name: check if keytab exists
+ stat:
+ path: "{{ keytab }}"
+ register: keytab_status
+ check_mode: false
+
+- block:
+ - block:
+ - name: check if principal exists
+ command: "kadmin.local getprinc {{ item }}"
+ with_items: "{{ principals }}"
+ check_mode: false
+ - name: "add principal to keytab"
+ command: "kadmin.local ktadd -k /tmp/{{ inventory_hostname }}.kt \
+ {{ item }}"
+ with_items: "{{ principals }}"
+ - name: get keytab
+ command: "base64 /tmp/{{ inventory_hostname }}.kt"
+ register: keytab_data
+ - name: delete temporary file
+ file:
+ path: "/tmp/{{ inventory_hostname }}.kt"
+ state: absent
+ delegate_to: ldap01.home.foo.sh
+ - name: deploy keytab file
+ shell: "umask 077 && echo '{{ keytab_data.stdout }}' | base64 -d > {{keytab }}"
+ when: not keytab_status.stat.exists
+
+- name: check keytab permissions
+ file:
+ path: "{{ keytab }}"
+ mode: "{% if group == ansible_wheel %}0600{% else %}0640{% endif %}"
+ owner: root
+ group: "{{ group }}"
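Review bot: The role's tasks read `keytab` and `principals`, but this defaults file declares only `group`, so a play that omits either variable fails at the first `stat` task with an undefined-variable error instead of a clear message. Either document them here as required inputs with comments such as `# keytab: destination path of the keytab on the target (required)` and `# principals: list of principals to add to it (required)`, or add an `assert` task at the top of tasks/main.yml checking `keytab is defined and principals is defined`.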
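Review bot: The keytab material passes through task output and a shell command line without `no_log`: `get keytab` registers the base64-encoded keytab in `keytab_data`, and `deploy keytab file` interpolates it into the `shell` string, so it lands in verbose logs, callback plugins and the process listing on the target. Add `no_log: true` to both of those tasks, and quote the redirect target as `> '{{ keytab }}'` (it is currently the unquoted `{{keytab }}`). The temporary `/tmp/{{ inventory_hostname }}.kt` on the delegate host is only removed when every task in the inner block succeeds; moving `delete temporary file` into an `always:` section, or creating the path with the `tempfile` module so it is not predictable, would stop key material being left behind after a failed `ktadd`. Note also that `kadmin.local ktadd` generates a fresh key each time it runs, so every other keytab already holding these principals is invalidated whenever a host's keytab is missing — that deserves a comment above the block.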