RedHat realm join password expiration?


In RHEL 7/8 if the account password used to realm join is changed on a schedule, do the kerb tickets stop refreshing? Or is the join password used ONLY at the time it's joined? We are working to eliminate service accounts, and many here remember this has always involved a service account with a static password. We are not clear if this is for a good reason, or just a legacy habit.

And a secondary question I can't seem to resolve: the kerb tickets fail to refresh because the request seems to use "example" instead of "example.group.com". I can't locate where you force the FQDN in sssd/kerb.


The password that you provide during join is a user (domain administrator) password that is only used to create the machine's domain account via LDAP.

In normal operation, SSSD uses the machine's own account to access the directory, using credentials from /etc/krb5.keytab to acquire tickets for LDAP access (you can run klist -k to see its contents) and probably for Kerberos FAST armoring.

The machine account has randomly generated keys (or a randomly generated password in the case of AD). Machine account passwords typically don't expire and AD DCs don't enforce the expiry policies on them, although SSSD can change the machine password monthly like Windows does.

In other words, the very purpose of a "domain join" in AD is primarily to set up a machine-specific account, so that you wouldn't need any kind of shared "LDAP client" service credentials to be deployed across all systems.
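An added example, not part of the answer above or of SSSD itself, that turns the two points into a check a sysadmin can run: it inspects the machine-account principals that `klist -k` reports from the keytab and flags any whose realm is not the fully qualified one (the "example" versus "example.group.com" symptom from the question), and it verifies that `default_realm` in a krb5.conf is that same FQDN realm. The realm `EXAMPLE.GROUP.COM`, the host `server01` and the `klist -k` output are constructed sample values derived from the question, not taken from a real host.

```shell
#!/bin/sh
# Audit helper (added example): confirm the keytab principals SSSD uses and
# the Kerberos default realm both carry the fully qualified realm name.

# Constructed sample of `klist -k /etc/krb5.keytab` output for a joined host.
# On a real machine, pipe the live output in instead:
#   klist -k /etc/krb5.keytab | check_keytab_realm EXAMPLE.GROUP.COM
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/server01.example.group.com@EXAMPLE.GROUP.COM
   2 SERVER01$@EXAMPLE.GROUP.COM
   2 host/server01@EXAMPLE.GROUP.COM'

# Constructed sample showing the failure mode: one principal has a short realm.
SAMPLE_KLIST_BAD='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/server01.example.group.com@EXAMPLE
   2 SERVER01$@EXAMPLE.GROUP.COM'

# Constructed sample of the [libdefaults] section of /etc/krb5.conf.
SAMPLE_KRB5_CONF='[libdefaults]
 default_realm = EXAMPLE.GROUP.COM
 dns_lookup_realm = false'

# check_keytab_realm EXPECTED_REALM   (reads `klist -k` output on stdin)
# Reports every principal whose realm differs from EXPECTED_REALM on stderr
# and returns non-zero if any was found; header lines without '@' are skipped.
check_keytab_realm() {
    expected="$1"
    bad=0
    while read -r kvno principal; do
        case "$principal" in
            *@*) ;;
            *) continue ;;
        esac
        realm="${principal##*@}"
        if [ "$realm" != "$expected" ]; then
            echo "realm mismatch: $principal (expected @$expected)" >&2
            bad=1
        fi
    done
    return "$bad"
}

# check_default_realm EXPECTED_REALM   (reads a krb5.conf on stdin)
# Returns 0 only if the first default_realm setting equals EXPECTED_REALM;
# a short or missing default_realm is a common reason ticket requests go to
# the wrong realm.
check_default_realm() {
    expected="$1"
    actual=$(sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' | head -n 1)
    [ "$actual" = "$expected" ]
}
```

Run the keytab check as root, since `/etc/krb5.keytab` is not world-readable; a mismatch in the realm part of the `host/` or `HOSTNAME$` principals points at how the join was performed, while a wrong `default_realm` is fixed in `/etc/krb5.conf` and in the `ad_domain`/`krb5_realm` settings of the domain section in `sssd.conf`.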