diff --git a/roles/samba-dc/files/krb5kdc.logrotate.conf b/roles/samba-dc/files/krb5kdc.logrotate.conf
new file mode 100644
index 0000000..d4abbd3
--- /dev/null
+++ b/roles/samba-dc/files/krb5kdc.logrotate.conf
@@ -0,0 +1,9 @@
+/var/log/krb5kdc.log /var/log/samba/mit_kdc.log {
+    missingok
+    notifempty
+    monthly
+    rotate 2
+    postrotate
+        pkill -HUP krb5kdc || true
+    endscript
+}
diff --git a/roles/samba-dc/tasks/main.yml b/roles/samba-dc/tasks/main.yml
index 309f755..9e5bc9a 100644
--- a/roles/samba-dc/tasks/main.yml
+++ b/roles/samba-dc/tasks/main.yml
@@ -117,3 +117,11 @@
     samba-tool domain exportkeytab /etc/krb5.keytab
     --principal=host/{{ ansible_fqdn }}
     creates=/etc/krb5.keytab
+
+- name: ensure logroate is configured for samba kdc
+  copy:
+    src: krb5kdc.logrotate.conf
+    dest: /etc/logrotate.d/krb5kdc
+    mode: u=rw,go=r
+  tags:
+  - logrotate