diff --git a/NEWS b/NEWS index a7007fec819fd3f9aa7c48a9ba4060d24d28cbc3..826acbb69f4b00f68491b3d73a0f92ee2d92a702 100644 --- a/NEWS +++ b/NEWS @@ -1,3 +1,7 @@ +release/005.006 (2017-02-16) + + [kerberos] Add support for the new kerberos environment 'qa'. [adamhl] + release/005.005 (2017-02-02) [kerberos] Add the option rdns_enabled so that Kerberos can be diff --git a/manifests/kerberos.pp b/manifests/kerberos.pp index 8f41cda85756e15134213f608cf54465ce016ec2..5aed890ca6c0535bff16daf8a0004186cf220157 100644 --- a/manifests/kerberos.pp +++ b/manifests/kerberos.pp @@ -17,20 +17,23 @@ # ********************************************************************** # # -# $krb_env: Which kerberos environment to use. Must be one of: -# 'prod', 'uat', or 'test'. +# $krb_env: +# Which kerberos environment to use. Must be one of: +# 'prod', 'uat', 'qa', or 'test'. # Default: 'prod' # -# $prefer_tcp: Normal kerberos traffic uses UDP, but some applications +# $prefer_tcp: +# Normal kerberos traffic uses UDP, but some applications # (lookin' at you Java!) work better with TCP. Set this parameter to # "true" to force the client to prefer TCP to UDP. # Default: false # -# $rdns_enabled: if 'true' have the Kerberos client do a reverse DNS -# lookup on the hostname when connecting to a server. This should be set -# to 'false' if you want the client to be able to connect to services where -# the service name's IP address PTR record may not match the hostname -# (e.g., for services running in Amazon Web Services). +# $rdns_enabled: +# If 'true' have the Kerberos client do a reverse DNS lookup on the +# hostname when connecting to a server. This should be set to 'false' if +# you want the client to be able to connect to services where the service +# name's IP address PTR record may not match the hostname (e.g., for +# services running in Amazon Web Services). # Default: true class base::kerberos( $prefer_tcp = false, 
@@ -40,7 +43,7 @@ class base::kerberos( # We only allow the 'prod', 'uat', and 'test' environments. case $krb_env { - 'prod', 'uat', 'test': {} + 'prod', 'uat', 'test', 'qa': {} default: { fail("unrecognized kerberos environment '${krb_env}'") } } diff --git a/templates/kerberos/krb5.conf.erb b/templates/kerberos/krb5.conf.erb index 808b995aa3245d5c459df4442cc6a30be9916286..387229183c0d1066c05a9ab0b21ebf67ac6e6cad 100644 --- a/templates/kerberos/krb5.conf.erb +++ b/templates/kerberos/krb5.conf.erb @@ -76,6 +76,14 @@ elsif (@krb_env == 'test') then admin_server = kerberos-test.stanford.edu kpasswd_server = kerberos-test.stanford.edu <% +elsif (@krb_env == 'qa') then +-%> + kdc = kerberos-qa2.stanford.edu:88 + kdc = kerberos-qa1.stanford.edu:88 + master_kdc = master-kdc-qa.stanford.edu:88 + admin_server = master-kdc-qa.stanford.edu + kpasswd_server = master-kdc-qa.stanford.edu +<% else if (@drSite) then -%>
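Review bot: The comment directly above the `case $krb_env` statement still reads `# We only allow the 'prod', 'uat', and 'test' environments.` although this hunk adds `'qa'` to the accepted values. It should become `# We only allow the 'prod', 'uat', 'qa', and 'test' environments.` so the comment and the allow-list agree. The header documentation for `$krb_env` was already updated in the previous hunk, so this looks like the one remaining stale mention. The class body starts before and continues after this hunk.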
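Review bot: The new `elsif (@krb_env == 'qa') then` branch makes this template a second place that has to list every environment, and the chain still ends in a bare `else`, so any value the template does not recognise falls through to whatever realm settings that `else` emits (its body is outside the hunk). Today the `case $krb_env` check in manifests/kerberos.pp fails the catalog first. If the two lists drift when the next environment is added, a host would be configured with the wrong KDCs and no error would be reported. Consider making the last known environment an explicit `elsif` and having the final `else` raise an error, or at minimum add a template comment such as `<%# keep in sync with the case $krb_env allow-list in manifests/kerberos.pp %>`.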