To answer your two questions, every user and service does not need a keytab file and keytabs use symmetric key cryptography.
I’m going to explain a bit more based on my understanding on how keytabs are used in mixed networks of Windows and non-Windows systems using Active Directory as the directory service. If the directory service is something other than AD, which is the most popular directory service out there, then I am not as familiar with how the keytab would be used but I imagine the concepts would be the exact same since it is all based on Kerberos. Again, in enterprise networks, every user and service does not need a keytab file.
Keytabs are cryptographic files containing a representation of the service and its long-term key (what Samson referred to as the password) as it exists in the directory service. In an Active Directory realm, keytabs are especially useful for services running on a non-Windows platform protected by the Kerberos protocol.
Keytabs are used to either
- de-crypt the Kerberos service ticket of an inbound AD user to the service
- or authenticate the service itself to another service on the network.
Point #2 is especially useful, since as Samson said, a service cannot manually type in it’s password to authenticate itself, so the long-term key is helpfully encoded into the file. This is why the keytab file itself is sensitive and needs to be protected.
For additional in-depth information regarding keytabs, you can read more about keytabs here: Kerberos Keytabs – Explained.
I frequently go back and edit it based on questions I see here in this forum.