We noticed during a recent decommissioning of a Kerberos enabled service (T266641: Test Alluxio as cache layer for Presto) that unmanaged keytab files are not purged from hosts.
This leads to a potential security issue whereby stray keytab files can be inadvertently left in place on servers, resulting in undesired levels of access.
It would be better if the entire /etc/security/keytabs/ folder were recursively managed by puppet and any unmanaged files found there were removed.
From a comment by @MoritzMuehlenhoff on the linked task:
Given that /etc/security/keytabs is a directory we create in Puppet it seems safe to assume that only our keytabs end up there (and none shipped by debs or so).
So this sounds like a good idea. We can make sure that unmanaged keytabs are yanked by Puppet by adding "recurse => true" and "purge => true" to the file definition for /etc/security/keytabs declared in profile::kerberos::client.
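The change proposed above, written out as an added illustration (not the actual Wikimedia puppet code): the directory resource with recurse and purge, plus one declared keytab that survives the purge. The keytab name, its source path and the owning user are hypothetical.

```puppet
# Added example, not the profile::kerberos::client code itself.
# Before this change the directory was declared without recurse/purge,
# so a keytab left behind by a decommissioned service (the Alluxio case
# in the task) was never touched by Puppet and stayed on the host.
file { '/etc/security/keytabs':
  ensure  => 'directory',
  owner   => 'root',
  group   => 'root',
  mode    => '0755',
  # Walk the directory and generate a resource for every file found.
  recurse => true,
  # Remove anything found that is not declared as a Puppet resource.
  purge   => true,
  # Needed for purge to also remove stray subdirectories, not only files.
  force   => true,
  # Purged files would otherwise be copied into the filebucket; a removed
  # keytab should not be preserved anywhere on the agent.
  backup  => false,
}

# Only keytabs that are declared as resources survive the purge.
# Hypothetical service keytab, shipped from the puppet server.
file { '/etc/security/keytabs/presto.keytab':
  ensure    => 'present',
  owner     => 'presto',     # hypothetical service user
  group     => 'presto',
  mode      => '0400',
  source    => 'puppet:///modules/profile/kerberos/keytabs/presto.keytab',  # hypothetical
  # Never print keytab contents in agent reports or noop diffs.
  show_diff => false,
  backup    => false,
  require   => File['/etc/security/keytabs'],
}
```

A first dry run with `puppet agent --test --noop` lists every file the purge would remove, which is the check to do before enabling it fleet-wide so that a keytab that is still in use but was never declared is caught.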