Chase Whitener
2011-Sep-13 17:50 UTC
[Samba] Domain Member keytabs invalid after Password Change
We have a 2008r2 AD domain. We join Linux machines as domain members using
Samba with Winbind (I'll show all of my config files below). This portion
of our setup works without failures of any kind. However, some of these
machines are web servers for Intranet stuff and we'd like to have SSO
working. For this, we use Apache (HTTPD) plus mod_auth_kerb (requires a
keytab file). So, since we're already joining the machines to the domain
with Samba, we thought it would be smart to just generate the keytab files
with net ads.
export KRB5_KTNAME=FILE:/etc/www.keytab
net ads keytab create -Udomain-admin   (requires a password, so this can't be scripted and run in cron)
net ads keytab add HTTP -Udomain-admin (requires a password, so this can't be scripted and run in cron)
unset KRB5_KTNAME
chown apache /etc/www.keytab
service httpd restart
However, when Samba changes the machine account's password (seemingly
randomly), those keytab files are no longer valid and have to be
regenerated. Is there some way for those keytab files to be updated
automatically when Samba updates the machine account, or some setting to
stop Samba from updating that password? And alternatively, are we doing
things in a completely wrong way? I apologize for writing a book here, but
without all of the background info, you may not be able to help. Here are my
config files for a machine:
----------------------------------
AD 2008 R2 domain controllers. (ad.foo.com for example purposes)
CentOS 6 domain member:
[root@wolf ~]# yum list installed | grep samba
samba.x86_64 3.5.4-68.el6_0.2 @updates
samba-client.x86_64 3.5.4-68.el6_0.2 @updates
samba-common.x86_64 3.5.4-68.el6_0.2 @updates
samba-winbind.x86_64 3.5.4-68.el6_0.2 @updates
samba-winbind-clients.x86_64
krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = AD.FOO.COM
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
clock_skew = 300
default_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
default_tkt_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
permitted_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
[realms]
EXAMPLE.COM = {
kdc = kerberos.example.com
admin_server = kerberos.example.com
}
[domain_realm]
.infotechfl.com = AD.FOO.COM
infotechfl.com = AD.FOO.COM
.ad.infotechfl.com = AD.FOO.COM
ad.infotechfl.com = AD.FOO.COM
smb.conf
[global]
workgroup = AD
netbios name = Wolf
server string = Wolf
security = ADS
realm = AD.FOO.COM
encrypt passwords = yes
smb passwd file = /etc/samba/smbpasswd
allow trusted domains = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
pam password change = no
obey pam restrictions = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
dns proxy = no
idmap uid = 1000-50000000
idmap gid = 1000-50000000
winbind separator = +
winbind use default domain = yes
winbind enum users = No
winbind enum groups = No
winbind nested groups = Yes
template shell = /bin/bash
template homedir = /home/%U
winbind cache time = 3600
winbind refresh tickets = yes
winbind offline logon = false
client NTLMv2 auth = yes
restrict anonymous = 2
disable netbios = no
#handle charsets
dos charset = ASCII
unix charset = UTF8
display charset = UTF8
#kill printers
load printers = no
show add printer wizard = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
[homes]
comment = Home Directories
read only = No
browseable = no
writable = yes
nsswitch.conf is pointing to winbind in the proper places and
/etc/pam.d/pertinent_files are looking at pam_winbind and are therefore not
affected.
Thanks,
Chase
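An added example, not part of the thread: when Samba rotates the machine password, AD increments the account's key version number (msDS-KeyVersionNumber) and issues service tickets for the new kvno, while the keytab still holds keys for the old one, which is why mod_auth_kerb stops working. The parser below (my code, not Samba's) reads an MIT-format keytab without returning key material and lists the principals whose newest entry is behind a given current kvno; the sample keytab and the current kvno are constructed here, and in practice the current value would be read from the computer object in AD.

```python
import struct

def _cstr(buf, off):  # 16-bit length-prefixed string -> (text, new_off)
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n].decode(), off + 2 + n
def parse_keytab(data):
    """Parse an MIT v2 (0x0502) keytab into principal/kvno/enctype/timestamp dicts; key bytes are skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                     # negative size marks a deleted slot; skip it
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _cstr(data, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _cstr(data, off)
            comps.append(comp)
        _name_type, ts, vno8, etype, klen = struct.unpack_from(">IIBHH", data, off)
        off += 13 + klen                 # step over the fixed fields and the key itself
        # a trailing 32-bit kvno overrides the 8-bit one when present and non-zero
        kvno = (struct.unpack_from(">I", data, off)[0] or vno8) if end - off >= 4 else vno8
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "kvno": kvno, "enctype": etype, "timestamp": ts})
        off = end
    return entries
def stale_principals(entries, current_kvno):
    """Principals whose newest keytab key is older than the account's key version in AD."""
    newest = {}
    for e in entries:
        newest[e["principal"]] = max(newest.get(e["principal"], 0), e["kvno"])
    return sorted(p for p, k in newest.items() if k < current_kvno)
def build_entry(principal, kvno, etype, ts, key):
    """Serialize one keytab entry; used here only to construct the sample below."""
    name, realm = principal.split("@")
    parts = [realm] + name.split("/")
    body = struct.pack(">H", len(parts) - 1) + b"".join(struct.pack(">H", len(s)) + s.encode() for s in parts)
    body += struct.pack(">IIBHH", 1, ts, kvno & 0xFF, etype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample: host/ and HTTP/ entries for wolf at kvno 3, enctype 23 (rc4-hmac), dummy all-zero keys.
SAMPLE_KEYTAB = b"\x05\x02" + b"".join(build_entry(p, 3, 23, 1315935000, b"\x00" * 16)
    for p in ("host/wolf.ad.foo.com@AD.FOO.COM", "HTTP/wolf.ad.foo.com@AD.FOO.COM"))
```

Running `stale_principals(parse_keytab(open("/etc/www.keytab", "rb").read()), current_kvno)` from cron and regenerating the keytab whenever the list is non-empty catches the rotation before users see 401s.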
Dirk Gouders
2011-Sep-19 07:10 UTC
[Samba] Domain Member keytabs invalid after Password Change
Chase Whitener <chase.whitener at infotechfl.com> writes:
> We have a 2008r2 AD domain. We join Linux machines as domain members using
> Samba with Winbind (I'll show all of my config files below). This portion
> of our setup works without failures of any kind. However, some of these
> machines are web servers for Intranet stuff and we'd like to have SSO
> working. For this, we use Apache (HTTPD) plus mod_auth_kerb (requires a
> keytab file). So, since we're already joining the machines to the domain
> with Samba, we thought it would be smart to just generate the keytab files
> with net ads.
>
> export KRB5_KTNAME=FILE:/etc/www.keytab
> net ads keytab create -Udomain-admin (requires a password, so this can't be
> scripted and run in cron)
> net ads keytab add HTTP -Udomain-admin (requires a password, so this can't
> be scripted and run in cron)
> unset KRB5_KTNAME
> chown apache /etc/www.keytab
> service httpd restart
>
> However, when Samba changes the machine account's password (seemingly
> randomly), those keytab files are no longer valid and have to be
> regenerated. Is there some way for those keytab files to be updated
> automatically when Samba updates the machine account, or some setting to
> stop Samba from updating that password? And alternatively, are we doing
> things in a completely wrong way? I apologize for writing a book here, but
> without all of the background info, you may not be able to help. Here's my
> config files for a machine:

Hi Chase,

I did not see an answer to your question and would like to ask if you
received any help with your problem or solved it some other way.

Regards,
Dirk