[Samba] keytab question.

L.P.H. van Belle belle at bazuin.nl
Tue Mar 4 04:10:54 MST 2014


Hi,

I'm working on my DHCP server + DNS setup with Samba 4.

I've exported the keytabs:
 
samba-tool domain exportkeytab /home/krb5.keytab.samba4 
 
When I read the contents of this keytab:
 
ktutil 
rkt /home/krb5.keytab.samba4 
list

   1    1             RTD-DC1$@INTERNAL.DOMAIN.TLD
   2    1             RTD-DC1$@INTERNAL.DOMAIN.TLD
   3    1             RTD-DC1$@INTERNAL.DOMAIN.TLD
   4    1        Administrator@INTERNAL.DOMAIN.TLD
   5    1        Administrator@INTERNAL.DOMAIN.TLD
   6    1        Administrator@INTERNAL.DOMAIN.TLD
   7    1          dns-RTD-DC1@INTERNAL.DOMAIN.TLD
   8    1          dns-RTD-DC1@INTERNAL.DOMAIN.TLD
   9    1          dns-RTD-DC1@INTERNAL.DOMAIN.TLD
  10    1               krbtgt@INTERNAL.DOMAIN.TLD
  11    1               krbtgt@INTERNAL.DOMAIN.TLD
  12    1               krbtgt@INTERNAL.DOMAIN.TLD
 
  
and I look at the keytab Samba generated:

  ktutil
  rkt /var/lib/samba/private/secrets.keytab
  list

   1    1         HOST/rtd-dc1@INTERNAL.DOMAIN.TLD
   2    1 HOST/rtd-dc1.INTERNAL.DOMAIN.TLD@INTERNAL.DOMAIN.TLD
   3    1             RTD-DC1$@INTERNAL.DOMAIN.TLD
   4    1         HOST/rtd-dc1@INTERNAL.DOMAIN.TLD
   5    1 HOST/rtd-dc1.INTERNAL.DOMAIN.TLD@INTERNAL.DOMAIN.TLD
   6    1             RTD-DC1$@INTERNAL.DOMAIN.TLD
   7    1         HOST/rtd-dc1@INTERNAL.DOMAIN.TLD
   8    1 HOST/rtd-dc1.INTERNAL.DOMAIN.TLD@INTERNAL.DOMAIN.TLD
   9    1             RTD-DC1$@INTERNAL.DOMAIN.TLD
  10    1         HOST/rtd-dc1@INTERNAL.DOMAIN.TLD
  11    1 HOST/rtd-dc1.INTERNAL.DOMAIN.TLD@INTERNAL.DOMAIN.TLD
  12    1             RTD-DC1$@INTERNAL.DOMAIN.TLD
  13    1         HOST/rtd-dc1@INTERNAL.DOMAIN.TLD
  14    1 HOST/rtd-dc1.INTERNAL.DOMAIN.TLD@INTERNAL.DOMAIN.TLD
  15    1             RTD-DC1$@INTERNAL.DOMAIN.TLD
 
 
In krb5.conf I need to define the default keytab name:
 
 default_keytab_name = FILE:/etc/krb5.keytab

But now the question: which keytab should I use?
I know I have to configure our DNS server to support dynamic DNS updates in the clear (insecure) by using the allow-update directive.

I've seen the update policy:
 
cat /var/lib/samba/private/named.conf.update
/* this file is auto-generated - do not edit */
update-policy {
        grant INTERNAL.DOMAIN.TLD ms-self * A AAAA;
        grant Administrator@INTERNAL.DOMAIN.TLD wildcard * A AAAA SRV CNAME;
        grant RTD-DC1$@INTERNAL.DOMAIN.TLD wildcard * A AAAA SRV CNAME;
};


But I was thinking I needed the user dns-RTD-DC1@INTERNAL.DOMAIN.TLD;
this is the "logical" one to pick.

So, what's advised, and what do you use?


This part is not clear to me.
 
Best regards, 
 
Louis
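As an added example (not from the original post, and not Samba's or BIND's own tooling), the following Python script parses `ktutil list` output and a `named.conf.update` policy block and reports, for each principal found in a keytab, which `grant` lines in the update policy would apply to it. The sample inputs are constructed from the listings above (with `@` restored where the archive rewrote it as "at"). The `ms-self` handling is a simplification: it treats a machine-account principal of the form `NAME$@REALM` as matching an `ms-self` grant whose identity is `REALM`, which is the intended use of BIND's `ms-self` rule type, but it does not check the target record name that the rule restricts updates to.

```python
import re
from collections import defaultdict

# Constructed sample: `ktutil list` output from the post (one slot per principal kept),
# with "@" restored where the mailing-list archive rewrote it as " at ".
EXPORTED_KEYTAB = """\
   1    1             RTD-DC1$@INTERNAL.DOMAIN.TLD
   4    1        Administrator@INTERNAL.DOMAIN.TLD
   7    1          dns-RTD-DC1@INTERNAL.DOMAIN.TLD
  10    1               krbtgt@INTERNAL.DOMAIN.TLD
"""

# Constructed sample: the Samba-generated secrets.keytab listing from the post.
SECRETS_KEYTAB = """\
   1    1         HOST/rtd-dc1@INTERNAL.DOMAIN.TLD
   2    1 HOST/rtd-dc1.INTERNAL.DOMAIN.TLD@INTERNAL.DOMAIN.TLD
   3    1             RTD-DC1$@INTERNAL.DOMAIN.TLD
"""

# Constructed sample: the named.conf.update policy from the post.
UPDATE_POLICY = """\
/* this file is auto-generated - do not edit */
update-policy {
        grant INTERNAL.DOMAIN.TLD ms-self * A AAAA;
        grant Administrator@INTERNAL.DOMAIN.TLD wildcard * A AAAA SRV CNAME;
        grant RTD-DC1$@INTERNAL.DOMAIN.TLD wildcard * A AAAA SRV CNAME;
};
"""

# ktutil list prints: <slot> <kvno> <principal>
KTUTIL_LINE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s*$")
# BIND grant syntax: grant <identity> <ruletype> <name> <rrtypes...>;
GRANT_LINE = re.compile(r"^\s*grant\s+(\S+)\s+(\S+)\s+(\S+)\s+([^;]*);")


def parse_ktutil(text):
    """Return {principal: [kvno, ...]} from `ktutil list` output."""
    principals = defaultdict(list)
    for line in text.splitlines():
        m = KTUTIL_LINE.match(line)
        if m:
            principals[m.group(3)].append(int(m.group(2)))
    return dict(principals)


def parse_update_policy(text):
    """Return a list of (identity, ruletype, name, [rrtypes]) from an update-policy block."""
    grants = []
    for line in text.splitlines():
        m = GRANT_LINE.match(line)
        if m:
            identity, ruletype, name, rrtypes = m.groups()
            grants.append((identity, ruletype, name, rrtypes.split()))
    return grants


def grants_for(principal, grants):
    """Grant lines that apply to a principal.

    Explicit identities match by exact principal name. For ms-self (simplified here,
    an assumption of this example) a machine account 'NAME$@REALM' matches when the
    grant identity is REALM; the target-name restriction of ms-self is not modelled.
    """
    matched = []
    for identity, ruletype, name, rrtypes in grants:
        if ruletype == "ms-self":
            user, _, realm = principal.rpartition("@")
            if user.endswith("$") and realm == identity:
                matched.append((ruletype, name, rrtypes))
        elif identity == principal:
            matched.append((ruletype, name, rrtypes))
    return matched


def report(keytab_text, policy_text):
    """Map every principal in the keytab listing to the grants it can use."""
    grants = parse_update_policy(policy_text)
    return {p: grants_for(p, grants) for p in parse_ktutil(keytab_text)}


if __name__ == "__main__":
    for label, listing in (("exported keytab", EXPORTED_KEYTAB), ("secrets.keytab", SECRETS_KEYTAB)):
        print(f"== {label} ==")
        for principal, matched in report(listing, UPDATE_POLICY).items():
            status = ", ".join(f"{rt} {n} {' '.join(t)}" for rt, n, t in matched) or "no grant"
            print(f"{principal:52s} {status}")
```

Run against the two listings it shows that only `Administrator@INTERNAL.DOMAIN.TLD` and `RTD-DC1$@INTERNAL.DOMAIN.TLD` appear as grant identities in the generated policy, while `dns-RTD-DC1@...`, `krbtgt@...` and the `HOST/...` principals match no grant line at all; that is the kind of check worth running before pointing `default_keytab_name` at one file or the other.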