Slightly request in SSSD: https://fedorahosted.org/sssd/ticket/1041 ([RFE] Support Automatic Renewing of Kerberos Host Keytabs). But this is for the keytabs, master key is a whole different story.

notes from triage:

• MK: (Simo, ) how possible is it? Do we have any POC how it was done in the past?
  • not possible immediately, I have plans to move the kerberos master key back to be a real keytab and use custodia to transfer it. But we will also need to change the password plugin as it will not have access to the master password anymore.
    • not short term
• MK: Aren't kerberos keys in LDAP encoded with this key, i.e. all would need to be re-keyed + there would ideally need to be keys encoded with 2 different master keys at the same time?
  • No, password rotation is explicitly supported by the KDC, it will re-encrypt keys from old master key to new in time (it means old and new key are available at the same time for a period). But care needs to be taken to identify when all uses of the older key have ceased and all remaining keys are encrypted in the new key. It is not mean to be used with fully automatic rotation, but we can think of some way of forcing that in a reasonable short period of time.

Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=1286226 (Red Hat Enterprise Linux 7)

Moving back, it is still considered for 4.4.

Thank you taking time to submit this request for FreeIPA. Unfortunately this bug was not given priority and the team lacks the capacity to work on it at this time.

Given that we are unable to fulfil this request I am closing the issue as wontfix. To request re-consideration of this decision please reopen this issue and provide additional technical details about its importance to you.