diff --git a/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml b/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml
index 4cad9da73f2..f7dc30023d4 100644
--- a/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml
+++ b/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml
@@ -18,7 +18,11 @@ or by winbindd doing regular updates (see +If no value is present and is different from +'secrets only', the behavior differs between winbind and net utility: + + + + winbind uses value + /path/to/keytab:sync_spns:sync_kvno:machine_password + where the path to the keytab is obtained either from the krb5 library or from + . + + + + net changesecretpw -f command uses the default 'disabled' value. + + No other net subcommands use the 'disabled' value. + + + +If a single value 'disabled' is present, the synchronization process is +disabled. This is required for FreeIPA domain member setup where keytab +synchronization uses a protocol not implemented by Samba.
diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
index 6ede567b75f..dbf8af44c1f 100644
--- a/source3/libads/kerberos_keytab.c
+++ b/source3/libads/kerberos_keytab.c
@@ -904,6 +904,11 @@ NTSTATUS sync_pw2keytabs(void)
 goto params_ready;
 }
+ if ((*lp_ptr != NULL) && strequal_m(*lp_ptr, "disabled")) {
+ DBG_DEBUG("'sync machine password to keytab' is explicitly disabled.\n");
+ return NT_STATUS_OK;
+ }
+
 line = lp_ptr;
 while (*line) {
 DBG_DEBUG("Scanning line: %s\n", *line);
diff --git a/source3/utils/net.c b/source3/utils/net.c
index 7b40d2bee95..c432ebe991f 100644
--- a/source3/utils/net.c
+++ b/source3/utils/net.c
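Review bot: The new guard in sync_pw2keytabs() disables synchronisation whenever the first list entry is "disabled", even if further entries follow, whereas the documentation hunk in this commit says a single value 'disabled' is what disables it; the testparm.c hunk repeats the same first-entry-only test. Requiring the list to be exactly one element, `if (*lp_ptr != NULL && strequal_m(*lp_ptr, "disabled") && lp_ptr[1] == NULL) {`, lets a malformed list like `disabled /path/...` fall through to the line scanner below, where it is presumably rejected instead of silently turning keytab updates off. Because a disabled sync leaves the keytab stale after the next machine-password change, which surfaces only as Kerberos failures later, the message deserves more than DBG_DEBUG; `DBG_NOTICE` would make the decision visible to an operator diagnosing that. The guard dereferences lp_ptr, which appears to be NULL-checked on the `goto params_ready` path above, but sync_pw2keytabs() starts outside the hunk so that is not verifiable here.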
@@ -207,6 +207,14 @@ static int net_changesecretpw(struct net_context *c, int argc,
 struct timeval tv = timeval_current();
 NTTIME now = timeval_to_nttime(&tv);
+#ifdef HAVE_ADS
+ if (USE_KERBEROS_KEYTAB) {
+ if (lp_sync_machine_password_to_keytab() == NULL) {
+ lp_do_parameter(-1, "sync machine password to keytab", "disabled");
+ }
+ }
+#endif
+
 if (c->opt_stdin) {
 set_line_buffering(stdin);
 set_line_buffering(stdout);
diff --git a/source3/utils/testparm.c b/source3/utils/testparm.c
index e3ed336a79a..a31a7a8a30a 100644
--- a/source3/utils/testparm.c
+++ b/source3/utils/testparm.c
@@ -803,7 +803,8 @@ static int do_global_checks(void)
 "instead of 'kerberos method'.\n\n");
 }
- if (lp_ptr != NULL) {
+ if (lp_ptr != NULL &&
+ ((*lp_ptr != NULL) && !strequal_m(*lp_ptr, "disabled"))) {
 while (*lp_ptr) {
 ret |= pw2kt_check_line(*lp_ptr++);
 }
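Review bot: The `#ifdef HAVE_ADS` block rewrites global loadparm state for the rest of the process and ignores the result of `lp_do_parameter()`, and nothing tells the operator that the machine password is about to change while the keytab is deliberately left as is. A keytab that no longer matches the stored secret breaks Kerberos authentication until it is regenerated, so a one-line notice inside the inner `if`, e.g. `DBG_NOTICE("changesecretpw will not update the keytab; refresh it separately.\n");`, would make the consequence visible where it happens. A short comment above the block stating why this subcommand defaults to "disabled" when the parameter is unset (the documentation hunk gives the FreeIPA rationale) would also spare the next reader a trip to the docs. net_changesecretpw() starts and ends outside the hunk.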
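Review bot: The rewritten condition in do_global_checks() wraps `(*lp_ptr != NULL)` and the inner conjunction in parentheses that add nothing, which makes a plain three-term `&&` chain harder to scan than it needs to be; `if (lp_ptr != NULL && *lp_ptr != NULL && !strequal_m(*lp_ptr, "disabled")) {` is equivalent and reads as one guard. The surrounding `while` loop and the rest of do_global_checks() lie outside the hunk.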