of keytabs, kerberos and winbindd

David Mansfield samba at dm.cobite.com
Fri Jul 26 09:51:19 MDT 2013

Hi All,

The subject of this email is actually "borrowed" from a thread from June 
2012.  In that thread the logistics of having winbind synchronize the 
system keytab were discussed.  But I believe nothing was done, because 
this is my exact problem:

1) if "secrets" is the "kerberos method", winbind changes the password 
according to "machine password timeout" and the system keytab (assuming 
it's based on the extracted keytab for the "host/somehost.example.com" 
principal on the samba (or other) DC) becomes stale.

2) if anything else is set as "kerberos method", winbind password 
changing is disabled. However, with "secrets and keytab" a "net ads 
changetrustpw" will update secrets and synchronize the keytab (e.g. 

I like the idea of winbind changing the password AND synchronizing the 
keytab, but it seems as though a weekly cron to do "net ads 
changetrustpw" would do the trick?

Do I have this basically correct?

(Of course I also learned that all of the keytabs for SPNs created on the 
machine account share the same key and so all of them become invalid at 
the same time - but that is a separate issue!)

David Mansfield
Cobite, INC.
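
Added example, not part of the original post: a staleness check for the situation described above, comparing the highest key version number (KVNO) in the system keytab with the KVNO the KDC currently issues for the same principal. It assumes MIT Kerberos output formats for `klist -k` and `kvno`; the function names, the EXAMPLE.COM realm and the sample text are constructed for illustration.

```shell
#!/bin/sh
# Assumption: MIT Kerberos text formats. Sample data below is constructed.

# Highest KVNO stored for principal $1 in `klist -k` output read from stdin.
keytab_kvno() {
    awk -v p="$1" '
        $2 == p && $1 ~ /^[0-9]+$/ {
            if (!found || $1 + 0 > max) max = $1 + 0
            found = 1
        }
        END { if (!found) exit 1; print max }'
}

# KVNO reported by the KDC, from `kvno` output ("principal: kvno = N") on stdin.
kdc_kvno() {
    sed -n 's/^.*: kvno = \([0-9][0-9]*\)$/\1/p' | head -n 1
}

# Prints one of: current, stale, missing, unknown.
# $1 = principal, $2 = `klist -k` text, $3 = `kvno` text
keytab_status() {
    kt=$(printf '%s\n' "$2" | keytab_kvno "$1") || { echo missing; return 0; }
    kdc=$(printf '%s\n' "$3" | kdc_kvno)
    [ -n "$kdc" ] || { echo unknown; return 0; }
    # A keytab behind the KDC's KVNO cannot decrypt newly issued tickets.
    if [ "$kt" -lt "$kdc" ]; then echo stale; else echo current; fi
}

PRINC='host/somehost.example.com@EXAMPLE.COM'

# Constructed sample: keytab holds KVNO 2 and 3, the KDC has moved on to 4.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------
   2 host/somehost.example.com@EXAMPLE.COM
   3 host/somehost.example.com@EXAMPLE.COM
   3 host/somehost.example.com@EXAMPLE.COM'
SAMPLE_KVNO='host/somehost.example.com@EXAMPLE.COM: kvno = 4'

keytab_status "$PRINC" "$SAMPLE_KLIST" "$SAMPLE_KVNO"

# Live use (needs a valid ticket cache for the kvno request):
#   keytab_status "$PRINC" "$(klist -k /etc/krb5.keytab)" "$(kvno "$PRINC")"
```

A "stale" result from a monitoring job is the signal that the keytab needs to be regenerated after a machine password change.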

