But in the meantime, I'd like to announce version 0.4 of a tool called msktutil. It allows you to conveniently create and manage computer objects (that is: kerberos accounts for your computer) in Active Directory, while also writing out and managing the keytab. This allows much easier provisioning of machines, including a keytab suitable for kerberized ssh.
I use it like this (holding valid kerberos tickets that can add hosts to AD):
for hostname in $hostnames; do msktutil --precreate -h "$hostname" -s host; done
to create a bunch of accounts. Then, on each machine, there's a daily cron job which runs
which checks if the keytab needs to be updated, either because it's missing or because the password needs to be rotated (when it's 30 days old). I also run that at install time. And that doesn't need any credentials besides the keytab itself.
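The per-host step above, as an added example that is not part of msktutil or of this post: a small cron wrapper that invokes the keytab update and checks the result, so a failed rotation shows up in the logs instead of surfacing later as broken GSSAPI ssh logins. It assumes msktutil 0.4's --auto-update flag (rotate the machine password once it is 30 days old and rewrite the keytab, authenticating with the keytab itself), the -k/--keytab option to name the keytab file, the default path /etc/krb5.keytab, MIT Kerberos klist -k output, and a working logger(1); everything else is plain POSIX sh.

```shell
#!/bin/sh
# Added example (not msktutil's own code): cron wrapper for the per-host
# keytab maintenance step. Assumed: msktutil --auto-update and -k/--keytab,
# default keytab /etc/krb5.keytab, MIT klist -k output format.

KEYTAB=${KEYTAB:-/etc/krb5.keytab}
MAX_AGE_DAYS=${MAX_AGE_DAYS:-30}

# keytab_stale KEYTAB DAYS
# Returns 0 when the keytab is missing or was last written more than DAYS
# days ago. This is only a local heuristic used for logging: the authoritative
# decision is the one msktutil makes against the account's password age in AD.
keytab_stale() {
    kt=$1
    days=$2
    [ -f "$kt" ] || return 0
    # find prints the path only when its mtime is more than $days days old
    [ -n "$(find "$kt" -mtime +"$days" 2>/dev/null)" ]
}

# keytab_has_host KEYTAB FQDN
# Returns 0 when klist lists a host/FQDN principal in the keytab, i.e. the
# keytab sshd will use for GSSAPI authentication is actually present.
keytab_has_host() {
    kt=$1
    fqdn=$2
    klist -k "$kt" 2>/dev/null | grep -q "host/$fqdn@"
}

main() {
    fqdn=$(hostname -f)
    if keytab_stale "$KEYTAB" "$MAX_AGE_DAYS"; then
        logger -t msktutil-cron "$KEYTAB missing or older than $MAX_AGE_DAYS days; expecting rotation"
    fi
    # No admin tickets needed here: --auto-update authenticates with the
    # existing keytab and only rotates when the password is old enough.
    if ! msktutil --auto-update -k "$KEYTAB"; then
        logger -t msktutil-cron "msktutil --auto-update failed; keytab may be stale"
        exit 1
    fi
    if ! keytab_has_host "$KEYTAB" "$fqdn"; then
        logger -t msktutil-cron "no host/$fqdn principal in $KEYTAB after update"
        exit 1
    fi
}

# Run main only when executed directly (e.g. installed as
# /etc/cron.daily/msktutil-cron), not when sourced to reuse the functions.
case $0 in
    *msktutil-cron) main ;;
esac
```

Install it as /etc/cron.daily/msktutil-cron (the filename is what the final case statement keys on) and run it once at install time as the post describes; the mtime heuristic is deliberately not used to skip the msktutil call, since only the password age recorded in AD tells you whether rotation is really due.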
See the man page for more usage info.
Also, a shout-out: this tool was not written by me; I am simply continuing the work of those who came before me. It was originally written by Dan Perry, and over the years since, updated by Brian Elliott Finley and Doug Engert. Many thanks to each of them.
BTW: if anyone knows anything about debian packaging, it would be nice if you could fix it up for me. I'm no expert, but I'm pretty sure the packaging scripts in there now show their age, and are sorely due for an update. Have a Git repository if you like. Patches welcome. :)