diff --git a/roles/kerberos/defaults/main.yml b/roles/kerberos/defaults/main.yml
new file mode 100644
index 0000000..b11971e
--- /dev/null
+++ b/roles/kerberos/defaults/main.yml
@@ -0,0 +1,6 @@
+krb5_dns_lookup_realm: false
+krb5_ticket_lifetime: 24h
+krb5_renew_lifetime: 7d
+krb5_forwardable: true
+krb5_rdns: false
+krb5_default_ccache_name: KEYRING:persistent:%{uid}
diff --git a/roles/kerberos/tasks/main.yml b/roles/kerberos/tasks/main.yml
new file mode 100644
index 0000000..dc0ad1e
--- /dev/null
+++ b/roles/kerberos/tasks/main.yml
@@ -0,0 +1,9 @@
+- name: ensure main kerberos configuration is set
+ template:
+ src=krb5.conf.j2
+ dest=/etc/krb5.conf
+- name: ensure kerberos configuration drop-in directory exists
+ file:
+ path=/etc/krb5.conf.d
+ mode=0755
+ state=directory
diff --git a/roles/kerberos/templates/krb5.conf.j2 b/roles/kerberos/templates/krb5.conf.j2
new file mode 100644
index 0000000..69fb5be
--- /dev/null
+++ b/roles/kerberos/templates/krb5.conf.j2
@@ -0,0 +1,14 @@
+includedir /etc/krb5.conf.d/
+
+[logging]
+default = FILE:/var/log/krb5libs.log
+kdc = FILE:/var/log/krb5kdc.log
+admin_server = FILE:/var/log/kadmind.log
+
+[libdefaults]
+dns_lookup_realm = {{ krb5_dns_lookup_realm|bool|string|lower }}
+ticket_lifetime = {{ krb5_ticket_lifetime }}
+renew_lifetime = {{ krb5_renew_lifetime }}
+forwardable = {{ krb5_forwardable|bool|string|lower }}
+rdns = {{ krb5_rdns|bool|string|lower }}
+default_ccache_name = {{ krb5_default_ccache_name }}
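Review bot: `krb5_forwardable: true` as the role-wide default makes every ticket-granting ticket requested on hosts using this role forwardable, so any service a user delegates credentials to ends up holding a reusable TGT. A least-privilege default would be `krb5_forwardable: false`, with the hosts that really need delegation opting in through inventory. The `24h` and `7d` lifetimes are only what the client requests and the KDC policy remains the effective cap, which is worth a one-line comment above them. `krb5_default_ccache_name` should be quoted, `'KEYRING:persistent:%{uid}'`, so a value containing colons and braces is always loaded as a plain string.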
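Review bot: Neither task sets `owner` or `group`, and the template task sets no `mode`, so the permissions of `/etc/krb5.conf` depend on the connecting user's umask or on whatever file already exists. Every Kerberos client on the host trusts this file and anything placed under `/etc/krb5.conf.d`, so both should be pinned to root with 0644 and 0755. The template is also written before the drop-in directory is created even though it begins with `includedir /etc/krb5.conf.d/`; as far as I know libkrb5 treats an unreadable include directory as an error, so a run that stops between the two tasks could leave Kerberos unusable on that host, and creating the directory first avoids this. The sketch below makes those changes and replaces the `key=value` argument strings with a native YAML mapping in which the mode is a quoted string.

```yaml
- name: ensure kerberos configuration drop-in directory exists
  file:
    path: /etc/krb5.conf.d
    state: directory
    owner: root
    group: root
    mode: "0755"

- name: ensure main kerberos configuration is set
  template:
    src: krb5.conf.j2
    dest: /etc/krb5.conf
    owner: root
    group: root
    mode: "0644"
```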
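Review bot: The `includedir /etc/krb5.conf.d/` line at the top means every drop-in file is parsed before the `[libdefaults]` section below, and as far as I know libkrb5 uses the first value it finds for a single-valued relation, so a drop-in can silently override the `rdns`, `forwardable` or `default_ccache_name` values rendered here. If that precedence is intended, the template should say so in a header, for example `# {{ ansible_managed }}` followed by `# Files in /etc/krb5.conf.d/ are read first and may override [libdefaults] below.` The template also sets neither `default_realm` nor `dns_lookup_kdc`, so presumably they come from a drop-in; that is worth confirming, because otherwise KDC discovery is left to the library defaults while `dns_lookup_realm` is explicitly disabled.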