Dear Users,

I really love SSSD and also the auto-renewal of the host keytab file.

On many hosts we add the SPNs

HTTP/
SQL/... 

directly to the machine account in Active Directory. This is all fine and works.

However, I have a bad feeling about letting services read the keytab file, as it gives access to the machine account.

Opinions?

How do you handle service keytabs and their rotation?

Thank you.

Stefan