Dear Users,
I really love SSSD and also the auto-renewal of the host keytab file.
On many hosts we add the SPNs
HTTP/
SQL/...
directly to the machine account in Active Directory. This is all fine and works.
However, I have a bad feeling about letting services read the keytab file, as it gives access to the machine account.
Opinions?
How do you handle service keytabs and their rotation?
Thank you.
Stefan