diff --git a/ad-auth/defaults/main.yml b/ad-auth/defaults/main.yml
index 088dcded5e128e57a349e024e9cd2888244487d1..8ea448ab5b012d7275f69a273e302a3b79de1a5c 100644
--- a/ad-auth/defaults/main.yml
+++ b/ad-auth/defaults/main.yml
@@ -1,3 +1,4 @@
 ---
 
 ad_admin_group: admin
+ad_admin_password: samba-admin
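Review bot: The added default `ad_admin_password` holds the name of a passwordstore entry, not a password, and the variable name does not say so. Someone overriding it in inventory or group vars could reasonably put the secret itself there, which would leave the credential in plain text in the vars file and hand the secret to the lookup as an entry name. Either rename it, for example to `ad_admin_password_entry`, or put a comment above it such as `# name of the passwordstore entry holding the AD Administrator password, never the password itself`.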
diff --git a/ad-auth/tasks/sssd.yml b/ad-auth/tasks/sssd.yml
index d2983b97444a248b3edf3b2f19e7dc3d5baf0a60..ca1e74d34e002b404f8ea4ade7c7965d5bd3a561 100644
--- a/ad-auth/tasks/sssd.yml
+++ b/ad-auth/tasks/sssd.yml
@@ -28,7 +28,7 @@
     - name: discover our realm
       command: realm discover -v "{{ domain }}"
     - name: get a kerberos ticket
-      shell: echo "{{ lookup('passwordstore', 'samba-admin') }}" | kinit Administrator
+      shell: echo "{{ lookup('passwordstore', ad_admin_password) }}" | kinit Administrator
       when: debian_version == "jessie"
       no_log: True
     - name: ensure pexpect is installed
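Review bot: The changed `shell:` line in the "get a kerberos ticket" task still interpolates the looked-up secret into a shell command string. A password containing `"`, `$` or a backtick is therefore interpreted by the shell, and the rendered string is passed as an argument to the shell process, where it may be readable in the process list while the task runs. `no_log: True` only suppresses Ansible's own output and does not cover either case. Feeding the secret on standard input avoids both: `command: kinit Administrator` with `stdin: "{{ lookup('passwordstore', ad_admin_password) }}"`. The `stdin` parameter needs Ansible 2.4 or later, which the page does not confirm. The task list continues outside this hunk.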
@@ -38,7 +38,7 @@
       expect:
         command: kinit Administrator
         responses:
-          "Password for Administrator.*": "{{ lookup('passwordstore', 'samba-admin') }}"
+          "Passwor(d|t) for Administrator.*": "{{ lookup('passwordstore', ad_admin_password) }}"
       when: debian_version == "stretch"
       no_log: True
     - name: leave any other realm
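Review bot: The widened prompt pattern `"Passwor(d|t) for Administrator.*"` in the `expect` task ties the task to whichever locale the target host happens to use, and a translated prompt would presumably change more than the one letter the alternation covers. If the pattern misses, the task waits for a prompt it never recognises instead of failing clearly. Pinning the locale on the task makes the prompt deterministic, so the original English pattern can stay: add `environment:` with `LC_ALL: C` to this task. The same setting would also suit the jessie `kinit` task in the previous hunk, for consistency.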