Ambari creates keytabs internally because it has details of the AD it is connecting to. However, how does ambari regenerate keytabs once the passwords expire at AD end? How does it ensure that the services dependent on those keytabs do not go down? Or all services have to be shut down when a new keytab is provisioned?
Correct, as the older TGT are now outdated, the services needs to be restarted to use the new keytab files and grab a new TGT. Ambari will do this for you when you regenerate the keytab files.