This option allows you to describe what keytabs and how should be updated when machine account is changed via one of these commands wbinfo --change-secret rpcclient --machine-pass -c change_trust_pw net rpc changetrustpw net ads changetrustpw or by winbindd doing regular updates (see ) The option takes a list of keytab strings to describe how to synchronize content of those keytabs or a single 'disabled' value to disable the synchronization. Each string has this form: absolute_path_to_keytab:spn_spec[:spn_spec]*[:sync_etypes][:sync_kvno][:netbios_aliases][:additional_dns_hostnames][:machine_password] spn_spec can be specified multiple times (separated using ':') and each spn_spec can have exactly one of these forms: account_name sync_account_name sync_upn sync_spns spn_prefixes=value1[,value2[...]] spns=value1[,value2[...]] Every keytab contains principals according the specification below: account_name - COMPUTER$@REALM sync_account_name - uses attribute "sAMAccountName" from AD sync_upn - uses attribute "userPrincipalName" (if exists in AD) sync_spns - uses attribute "servicePrincipalName" (if exists in AD) spn_prefixes - creates these two principals from each prefix. e.g.: prefix/@REALM prefix/@REALM with :netbios_aliases for each netbiosalias in prefix/netbiosalias@REALM prefix/netbiosalias.dnsdomain@REALM with :additional_dns_hostnames for each additionaldnshostname in prefix/additionaldnshostname@REALM - 'host' principal should be created using specifier spn_prefixes spns - creates only the principals defined in the list 'account_name' and 'sync_account_name' are the same, just the source differs (secrets.tdb vs. AD). Options: sync_etypes - attribute "msDS-SupportedEncryptionTypes" is read from AD and is used to find the highest common enc type for AD and KRB5 lib. sync_kvno - attribute "msDS-KeyVersionNumber" from AD is used to set KVNO. If this option is missing, KVNO is set to -1. netbios_aliases - evaluated only for spn_prefixes (see details above). additional_dns_hostnames - evaluated only for spn_prefixes (see details above). machine_password - mandatory, if missing the entry is ignored. For future use. Example: "/path/to/keytab0:account_name:machine_password", "/path/to/keytab1:account_name:sync_etypes:sync_kvno:machine_password", "/path/to/keytab2:sync_spns:machine_password", "/path/to/keytab3:sync_spns:sync_kvno:machine_password", "/path/to/keytab4:spn_prefixes=imap,smtp:machine_password", "/path/to/keytab5:spn_prefixes=imap,smtp:netbios_aliases:additional_dns_hostnames:sync_kvno:machine_password", "/path/to/keytab6:spns=wurst/brot@REALM:machine_password", "/path/to/keytab7:spns=wurst/brot@REALM,wurst2/brot@REALM:sync_kvno:machine_password", "/path/to/keytab8:sync_account_name:sync_upn:sync_spns:spn_prefixes=host,cifs,http:spns=wurst/brot@REALM:sync_kvno:machine_password" If sync_etypes or sync_kvno or sync_spns is present then winbind connects to DC. For "offline domain join" it might be useful not to use these options. If no value is present and is different from 'secrets only', the behavior differs between winbind and net utility: winbind uses value /path/to/keytab:host:account_name:sync_spns:sync_kvno:machine_password where the path to the keytab is obtained either from the krb5 library or from . net changesecretpw -f command uses the default 'disabled' value. No other net subcommands use the 'disabled' value. If a single value 'disabled' is present, the synchronization process is disabled. This is required for FreeIPA domain member setup where keytab synchronization uses a protocol not implemented by Samba. Suggested configuration is together with set to the default value 'secrets only'. In clustered environments it is recommended to set to update the machine password on all nodes.