diff --git a/roles/krb5-kdc-ldap/tasks/main.yml b/roles/krb5-kdc-ldap/tasks/main.yml
index 6f37107..63aaeb5 100644
--- a/roles/krb5-kdc-ldap/tasks/main.yml
+++ b/roles/krb5-kdc-ldap/tasks/main.yml
@@ -8,17 +8,17 @@
 - name: prepare krb5.conf
   template:
-    src: krb5.conf
+    src: krb5.conf.j2
     dest: /etc/krb5.conf
 - name: prepare kdc.conf
   template:
-    src: kdc.conf
+    src: kdc.conf.j2
     dest: /etc/krb5kdc/kdc.conf
 - name: prepare kadm5.acl
   template:
-    src: kadm5.acl
+    src: kadm5.acl.j2
     dest: /etc/krb5kdc/kadm5.acl
   notify: "restart krb5-admin-server"
@@ -141,6 +141,14 @@
   command: kadmin.local -q "add_policy default"
   when: not krb5kdc.stat.exists
+- name: create machine principal
+  command: kadmin.local -q "addprinc -randkey host/{{ ansible_hostname }}.{{ ldap_domain }}"
+  when: not krb5kdc.stat.exists
+
+- name: add principal to the keytab
+  command: kadmin.local -q "ktadd host/{{ ansible_hostname }}.{{ ldap_domain }}"
+  when: not krb5kdc.stat.exists
+
 - name: kerberize dummy user foo
   command: kadmin.local -q 'add_principal -pw {{ foo_pwd }} -x dn="uid=foo,ou=people,{{ basedn }}" foo'
   when: foo_pwd is defined
diff --git a/roles/krb5-kdc-ldap/templates/kadm5.acl b/roles/krb5-kdc-ldap/templates/kadm5.acl.j2
similarity index 72%
rename from roles/krb5-kdc-ldap/templates/kadm5.acl
rename to roles/krb5-kdc-ldap/templates/kadm5.acl.j2
index 1ddf3ff..c21d6b8 100644
--- a/roles/krb5-kdc-ldap/templates/kadm5.acl
+++ b/roles/krb5-kdc-ldap/templates/kadm5.acl.j2
@@ -1,4 +1,3 @@
 ## access controls for the Kerberos KDC
-root/admin@{{ ldap_domain | upper }} *
 *@{{ ldap_domain | upper }} cil
 */*@{{ ldap_domain | upper }} i
diff --git a/roles/krb5-kdc-ldap/templates/kdc.conf b/roles/krb5-kdc-ldap/templates/kdc.conf.j2
similarity index 100%
rename from roles/krb5-kdc-ldap/templates/kdc.conf
rename to roles/krb5-kdc-ldap/templates/kdc.conf.j2
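Review bot: The added `ktadd host/…` task writes the new key into the default keytab, but nothing in the hunk sets the keytab file's owner or mode, so the file is left with whatever kadmin.local creates, and the step is guarded only by `when: not krb5kdc.stat.exists` rather than by the keytab's own existence. A follow-up `file` task with `path: /etc/krb5.keytab`, `owner: root`, `mode: "0600"` (or a `creates:` argument on the command) would make the permissions explicit and the step idempotent. The principal name is assembled from `ansible_hostname` plus `ldap_domain`, which presumably is meant to equal the host's FQDN; `ansible_fqdn` would avoid a silent mismatch if the two diverge. The adjacent `kerberize dummy user foo` context line passes `foo_pwd` on the kadmin command line, so unless it is set on lines outside the hunk, `no_log: true` on that task would keep the secret out of Ansible output.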
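Review bot: With the `root/admin@{{ ldap_domain | upper }} *` entry removed, the remaining `*@{{ ldap_domain | upper }} cil` line is the only one granting write access through kadmind, and because it names no target principal the `c` (changepw) right applies to every principal in the realm, service and admin principals included, for any single-component caller. If the intent is self-service password changes, restrict the target with a back-reference, e.g. `*@{{ ldap_domain | upper }} cil *1@{{ ldap_domain | upper }}`; if the intent is that kadmind offers no remote administration at all (kadmin.local, which the tasks use, bypasses this file), a comment saying so would stop the next reader from re-adding the entry. The rename to .j2 is otherwise consistent with the `src:` changes in tasks/main.yml.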
diff --git a/roles/krb5-kdc-ldap/templates/krb5.conf b/roles/krb5-kdc-ldap/templates/krb5.conf.j2
similarity index 100%
rename from roles/krb5-kdc-ldap/templates/krb5.conf
rename to roles/krb5-kdc-ldap/templates/krb5.conf.j2
diff --git a/roles/ldap/tasks/main.yml b/roles/ldap/tasks/main.yml
index a775111..6b4a5d2 100644
--- a/roles/ldap/tasks/main.yml
+++ b/roles/ldap/tasks/main.yml
@@ -90,7 +90,7 @@
       userPassword: "{{ foo_pwd }}"
       uidNumber: 10000
       gidNumber: 10000
-      homeDirectory: /home/foo
+      homeDirectory: /home/lan/foo
     bind_dn: "cn=admin,{{ basedn }}"
     bind_pw: "{{ ldap_admin_pwd }}"
   when: foo_pwd is defined
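Review bot: The task whose `homeDirectory` changes here carries `userPassword: "{{ foo_pwd }}"` and `bind_pw: "{{ ldap_admin_pwd }}"` as module arguments, and no `no_log: true` is visible in the hunk; unless it is set on the task's header lines outside the hunk, both secrets are printed in verbose and failed-task output. Adding `no_log: true` next to `when: foo_pwd is defined` would address this. The task begins outside the hunk, so the module name and any existing `no_log` could not be checked here.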