Refresh default kerberos keytab (usually /etc/krb5.keytab) on each machine password change. Without it machine password changes break non-samba krb5 auth.
Index: samba-3.6.6/source3/winbindd/winbindd_dual.c
===================================================================
--- samba-3.6.6.orig/source3/winbindd/winbindd_dual.c 2012-06-24 17:21:16.000000000 +0000
+++ samba-3.6.6/source3/winbindd/winbindd_dual.c 2014-02-25 15:12:53.762149486 +0000
@@ -36,6 +36,7 @@
 #include "system/select.h"
 #include "messages.h"
 #include "../lib/util/tevent_unix.h"
+#include "ads.h"
 
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_WINBIND
@@ -1031,6 +1032,31 @@
 "trust_pw_find_change_and_store_it returned %s\n",
 nt_errstr(result)));
 
+ /**
+ * Refresh kerberos keytab to not break other applications
+ * Run from under the machine account, like 'net ads keytab create -P'
+ */
+ if (NT_STATUS_IS_OK(result) && USE_KERBEROS_KEYTAB) {
+ ADS_STRUCT *ads = ads_init(lp_realm(), lp_workgroup(), NULL);
+ if (ads) {
+ ADS_STATUS status;
+ ads->auth.user_name = smb_xstrdup(global_myname());
+ ads->auth.realm = smb_xstrdup(lp_realm());
+ ads->auth.password = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
+ status = ads_connect(ads);
+ if (ADS_ERR_OK(status)) {
+ if (ads_keytab_create_default(ads)) {
+ DEBUG(0,("failed to refresh keytab - raise log level to see details\n"));
+ }
+ } else {
+ DEBUG(0,("failed to refresh keytab - ads_connect() returned %s\n", ads_errstr(status)));
+ }
+ ads_destroy(&ads);
+ } else {
+ DEBUG(0,("failed to refresh keytab - ads_init() failed\n"));
+ }
+ }
+
 if (NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) ) {
 DEBUG(3,("machine_password_change_handler: password set returned "
 "ACCESS_DENIED. Maybe the trust account "
@@ -1445,7 +1471,6 @@
 }
 if (child->domain && child->domain->primary &&
- !USE_KERBEROS_KEYTAB &&
 lp_server_role() == ROLE_DOMAIN_MEMBER) {
 struct timeval next_change;
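Review bot: The value `secrets_fetch_machine_password()` stores into `ads->auth.password` is never checked, so when no machine password is available the new block still calls `ads_connect()` with a NULL password and the only trace is an opaque ads_connect() error; test the pointer and skip the connect as below. The same block keeps the freshly rotated machine password in `ads->auth.password` until `ads_destroy()` — unless that call already zeroizes the buffer (not visible from here), clearing it explicitly before destroying the struct costs one line. Note also that the last hunk drops the `!USE_KERBEROS_KEYTAB` guard from the change scheduler, so any failure logged here leaves the password already rotated and the keytab stale with no retry; that trade-off deserves a sentence in the block comment, e.g. `/* No retry: on failure the keytab stays stale until the next scheduled change. */`. The enclosing handler starts and ends outside the hunk.
```c
ads->auth.password = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
if (ads->auth.password == NULL) {
	DEBUG(0,("failed to refresh keytab - no machine password available\n"));
} else {
	/* … unchanged: ads_connect(), ads_keytab_create_default() and their DEBUG(0) failure paths … */
}
ads_destroy(&ads);
```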