[Samba] keytabs vs. secret store

[Brian Jones]

Which is the preferred method of handling service principals when the
samba server is an ads member -- turning
on "use kerberos keytab" in smb.conf, or the default secrets.tdb?
Is there any particular reason I should use one over the other?

Also, all I see in secrets.tdb is the the machine password while in
krb5.keytab i see 100+ principals corresponding to various combinations
of instance and enctype.  Is the password in the secret
store used to generate keys which are kept in memory?  
Thanks,
-brian