[Samba] pam+winbind and maintaining domain membership: keytab vs tickets

Isaac Stone isaac.stone at som.com
Thu Aug 6 17:18:54 UTC 2020


Hello. I am trying to clarify in my mind how winbind, pam and kerberos all
work. I am hoping to get some knowledge to help debug and ensure our samba
server keeps its domain membership in the most robust way possible.

Background: We are using a samba server to serve a filesystem to windows
users. A group policy on the machines will automatically mount the
filesystem. Samba and all the windows machines are expected to always be
members of the same AD domain.

Situation:
Not having used kerberos before I was getting tickets and keytabs confused.
I start to think that in the current setup tickets are perhaps an
unnecessary complication. All that is really needed is a way to ensure the
samba server stays in the domain indefinitely and rejoins on reboot.

Currently we join the domain when we provision a server with
`net ads join -U domainadmin`. After the domain join, running
`net ads keytab list` will list keytabs with NETBIOS_NAME@OUR.DOMAIN as the
principal. It seems to work without running kinit or creating a
ticket-granting-ticket.

So I think that having `winbind refresh tickets` in smb.conf is
unnecessary, and I can safely change `kerberos method` to just `keytab`.

Questions:
Is the keytab created when the `net ads join` command is run?
Is there a way to test the keytab is working? (other than restarting the
server)
Would this break if we had multiple servers configured with the same
NETBIOS_NAME?
Everything seems to work even if I stop the nmb daemon. I think this is
because we use the ip and not the netbios name in our mount scripts and
configuration. Is this correct?

I tried to find out all I could with google and reading the docs, but I am
still not sure I understand everything and would greatly appreciate some
clarity.

Thanks Much,
 - Isaac
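An added example, not part of the original post: a POSIX shell health check for the second question (testing the keytab without restarting the server) that also checks the machine-account trust winbind relies on. It assumes MIT Kerberos client tools (`kinit -k -t`, `klist -k`, `kdestroy`), the system keytab at /etc/krb5.keytab, and that the machine principal has the usual `NETBIOS_NAME$@OUR.DOMAIN` form; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the post): verify a Samba domain member's keytab
# and machine-account trust in place, without a reboot or service restart.
# Assumes MIT krb5 tools and the keytab at /etc/krb5.keytab (override KEYTAB).

KEYTAB="${KEYTAB:-/etc/krb5.keytab}"

# Build the machine-account principal NETBIOS_NAME$@REALM from a short
# hostname and a realm (the NetBIOS name is uppercased and suffixed with '$').
host_principal() {
    # $1 = hostname (any case), $2 = Kerberos realm
    printf '%s$@%s\n' "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" "$2"
}

# Check 1: the machine principal is present in the keytab at all.
keytab_has_principal() {
    klist -k "$KEYTAB" 2>/dev/null | grep -qF "$1"
}

# Check 2: the key in the keytab still matches the KDC. Acquiring a TGT with
# -k into a throwaway credential cache exercises the keytab end to end
# without touching any existing tickets; the cache is destroyed afterwards.
keytab_key_valid() {
    ( export KRB5CCNAME="FILE:/tmp/keytab-check.$$"
      kinit -k -t "$KEYTAB" "$1" && kdestroy )
}

# Check 3: the machine-account password stored by 'net ads join' still works.
# This is the trust winbind uses over RPC and is independent of the keytab.
trust_secret_valid() {
    net ads testjoin >/dev/null 2>&1 && wbinfo -t >/dev/null 2>&1
}

# Run all checks; returns 0 only if every one of them passes.
check_membership() {
    # $1 = short hostname, $2 = realm
    princ=$(host_principal "$1" "$2")
    rc=0
    keytab_has_principal "$princ" || { echo "missing $princ in $KEYTAB"; rc=1; }
    keytab_key_valid "$princ" || { echo "kinit -k failed for $princ (stale keytab?)"; rc=1; }
    trust_secret_valid || { echo "machine trust broken (net ads testjoin / wbinfo -t)"; rc=1; }
    return $rc
}

# Usage on the Samba host: ./check-member.sh fileserver OUR.DOMAIN
[ $# -eq 2 ] && check_membership "$1" "$2"
```

A failing check 2 with a passing check 3 is the case the post worries about: the secrets.tdb trust is fine but the keytab has fallen out of step with the account's current key.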

