
The following two documents from Red Hat explain the process of adding servers to an AD domain. The RHEL versions are different, but the steps are applicable to both.

Page 17 of: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/pdf/Windows_Integration_Guide/Red_Hat_Enterprise_Linux-7-Windows_Integration_Guide-en-US.pdf

In step 3-d, the system is added to the domain, then the keys in the host keytab are listed to make sure the host principal keys are there:

# klist -k

The instructions in this document do not ask for obtaining a TGT using the host keytab.

Per page 61, step 7 of https://access.redhat.com/sites/default/files/attachments/rhel-ad-integration-deployment-guidelines-v1.5.pdf, a host-based TGT is obtained by running:

# kinit -k <hostname>$

Where do we use this host-based TGT?

With or without the host TGT, I am able to add Linux servers to the AD domain and have users log in using their AD credentials.

Does it play any role in the renewal of the host keytab when AD rotates the machine password every 30 days?

Another related question: when I list the host tickets, I see an expired ticket (whose renewal date is also past) still listed:

# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: TESTHOST$@AD.EXAMPLE.COM

Valid starting     Expires            Service principal
06/10/17 12:59:41  06/10/17 22:59:41  krbtgt/AD.EXAMPLE.COM@AD.EXAMPLE.COM
        renew until 06/11/17 12:59:41
# date
Mon Jun 12 14:14:21 UTC 2017

Is it normal for klist to print expired host tickets? When does klist drop them from printing?

Thanks

BBDG

1 Answer


About the kinit with the host principal -- it's just a sanity check. There were too many people putting bogus keytabs on their hosts and then complaining that 'sssd is broken' that we had to put an explicit check to catch bad keytabs soon.

And about the klist -- that really depends on what the ccache back end is. With FILE, the credentials remain in the file even after they have expired, so klist just displays them. For example, with KEYRING (which RHEL 7 uses), the credential just disappears when it expires, so nothing would be displayed. Neither way is harmful.

jhrozek
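As an added example (not code from the question or the answer), a small Python checker that parses klist output like that quoted in the question and classifies each ticket against a supplied time, so a monitoring job can tell an expired-but-still-renewable ticket from a dead one left behind in a FILE ccache, which the answer notes persists until overwritten. It assumes the MM/DD/YY timestamp layout shown in the question and takes `now` in the same format; the function names are mine.

```python
import re
from datetime import datetime

# Constructed sample: the klist output quoted in the question above.
SAMPLE_KLIST = """Ticket cache: FILE:/tmp/krb5cc_0
Default principal: TESTHOST$@AD.EXAMPLE.COM

Valid starting     Expires            Service principal
06/10/17 12:59:41  06/10/17 22:59:41  krbtgt/AD.EXAMPLE.COM@AD.EXAMPLE.COM
        renew until 06/11/17 12:59:41
"""

# Assumption: timestamps use the MM/DD/YY HH:MM:SS form shown in the question
# (klist follows the locale, so adjust TS_FMT/TS if yours prints differently).
TS_FMT = "%m/%d/%y %H:%M:%S"
TS = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"
TICKET_RE = re.compile(rf"^({TS})\s+({TS})\s+(\S+)")
RENEW_RE = re.compile(rf"^\s+renew until ({TS})")

def parse_klist(text):
    """Return (cache_type, principal, tickets) parsed from klist's text output."""
    cache_type = principal = None
    tickets = []
    for line in text.splitlines():
        if line.startswith("Ticket cache:"):
            cache_type = line.split(":", 2)[1].strip()  # FILE, KEYRING, DIR, ...
        elif line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
        elif (m := TICKET_RE.match(line)):
            tickets.append({"start": datetime.strptime(m.group(1), TS_FMT),
                            "expires": datetime.strptime(m.group(2), TS_FMT),
                            "service": m.group(3), "renew_until": None})
        elif (m := RENEW_RE.match(line)) and tickets:
            tickets[-1]["renew_until"] = datetime.strptime(m.group(1), TS_FMT)
    return cache_type, principal, tickets

def classify(ticket, now):
    """'valid', 'renewable' (expired but inside its renew-until window) or 'dead'."""
    if now < ticket["expires"]:
        return "valid"
    if ticket["renew_until"] is not None and now < ticket["renew_until"]:
        return "renewable"
    return "dead"

def audit(text, now_str):
    """Summarise a ccache at time now_str (TS_FMT): backend, machine-account flag, ticket states."""
    now = datetime.strptime(now_str, TS_FMT)
    cache_type, principal, tickets = parse_klist(text)
    return {"cache": cache_type, "principal": principal,
            "is_machine_account": bool(principal) and principal.split("@")[0].endswith("$"),
            "tickets": [(t["service"], classify(t, now)) for t in tickets]}
```

Run against the question's sample at the `date` shown there (06/12/17 14:14:21) the krbtgt entry is reported as dead, which is exactly the stale FILE-ccache entry the answer describes.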