smbadm join overwrites /etc/krb5/krb5.keytab
When joining an Active Directory domain, the illumos smb server rather rudely overwrites an existing system keytab, destroying any existing entries. While one option might be to try and share the keytab, it seems cleaner for the smb server to store its domain keytab entries someplace else. This will be trivial to do, as the location of the smb server keytab is a simple define located in lib/smbsrv/libsmbns/common/smbns_krb.h
There are really only two questions, one generic to illumos and one distribution specific:
1. Where should the smb server specific keytab be located?
2. How should a distribution handle moving any existing keys when this update is applied to a running system?
Updated by Paul Henson over 4 years ago
Hmm, well, not as easy as initially thought; idmapd uses ldap via gssapi and accesses the default system keytab. There's no parameter or configuration mechanism to select a different keytab, although it looks like you might be able to set the global environment variable KRB5_KTNAME to make it use an alternate one. There might be other pieces hiding out that don't directly reference /etc/krb5/krb5.keytab but still use it, need to hunt some more.