[Samba] Keytabs (obviously) not valid after password change

George jorgito1412 at gmail.com
Sat Aug 16 21:12:58 MDT 2014


Hi team,

I recently deployed some member servers on a Samba4 AD domain, using sssd
for consistent idmapping between servers. Everything works flawlessly,
except that this time I decided to use the member server's machine account
keytab.

I noticed that every 7 days, the keytab "expires" and sssd cannot auth
anymore against the AD. This is related to the fact that by default, every
7 days Samba changes the machine account password which drives the keytab
unusable.

So what would be a *recommended* current best practice here? Things that
come to mind:

* Use the domain controller account keytab instead, which doesn't seem to
expire (does it? Anyway it sounds like a BAD idea)
* Use a keytab from a user account with the "password never expires" option
enabled
* Set machine password timeout = 0 (my current workaround)
* Set kerberos method = secrets and keytab (it seems that the machine
account password doesn't get changed when this is set. Still, I don't
really auth anything directly towards winbind/kerberos so this shouldn't be
needed)

Perhaps the keytab updating should be done by Samba itself? (see bug 6750).
Any status on whether this is getting into mainstream?

Best regards.

George
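A check for the failure mode described in this thread, added here as an example and not part of the original post or of Samba: it parses MIT `klist -k` output for a member server's keytab and reports any principal that has no key at the version number AD currently advertises for the machine account (AD bumps that number on every password change, which is exactly what the 7-day rotation does). The `klist` listing below is constructed, and the "current kvno" value is assumed to have been fetched from AD separately (e.g. the account's msDS-KeyVersionNumber); how you fetch it is not shown.

```python
"""Flag keytab entries whose KVNO no longer matches what AD publishes.

Added example, not code from the mailing-list post or from Samba.
"""
import re
import subprocess

# Constructed sample of `klist -k /etc/krb5.keytab` for a member server
# whose machine password has been rotated once since the keytab was last
# fully written: host/ was partially refreshed (kvno 3 and 4), the
# MEMBER$ entry still only has kvno 3.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/member.example.com@EXAMPLE.COM
   4 host/member.example.com@EXAMPLE.COM
   3 MEMBER$@EXAMPLE.COM
"""

# One keytab entry line: leading spaces, integer KVNO, principal name.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)$")


def parse_klist(text):
    """Return {principal: set(kvno, ...)} from `klist -k` output."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # "Keytab name:", column header and separator lines
        kvno, principal = int(m.group(1)), m.group(2)
        entries.setdefault(principal, set()).add(kvno)
    return entries


def stale_principals(entries, current_kvno):
    """Principals with no key at the KVNO AD currently uses.

    A keytab may legitimately carry several versions (old and new); a
    principal is only unusable when none of its keys matches the version
    the KDC now issues service tickets against.
    """
    return sorted(p for p, kvnos in entries.items() if current_kvno not in kvnos)


def read_keytab(path="/etc/krb5.keytab"):
    """Parse a real keytab via `klist -k` (needs the krb5 user tools)."""
    out = subprocess.run(["klist", "-k", path],
                         capture_output=True, text=True, check=True)
    return parse_klist(out.stdout)


if __name__ == "__main__":
    # current_kvno is assumed to come from AD; 4 is the constructed value
    # that matches the sample listing above.
    entries = parse_klist(SAMPLE_KLIST)
    for principal in stale_principals(entries, current_kvno=4):
        print("stale keytab entry:", principal)
```

Running this from cron shortly after the expected rotation window gives an early warning before sssd starts failing, rather than discovering the stale keytab from authentication errors; with `machine password timeout = 0` the check simply never reports anything.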

