diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml
index e633c8c7c6a..f388644172f 100644
--- a/docs-xml/manpages/net.8.xml
+++ b/docs-xml/manpages/net.8.xml
@@ -1548,12 +1548,33 @@ to show in the result.
ADS KEYTAB <replaceable>CREATE</replaceable>
-Creates a new keytab file if one doesn't exist with default entries. Default
-entries are kerberos principals created from the machinename of the
-client, the UPN (if it exists) and any Windows SPN(s) associated with the
-computer AD account for the client. If a keytab file already exists then only
-missing kerberos principals from the default entries are added. No changes
-are made to the computer AD account.
+Since Samba 4.21.0, keytab file is created as specified in . The keytab is created only for
+secrets only and
+secrets and keytab. With
+the smb.conf default values for secrets
+only and
+(default is empty) the keytab is not generated at all. Keytab with a default
+name and SPNs synced from AD is created for secrets and keytab if is missing.
+
+
+Till Samba 4.20.0, two more entries were created by default: the machinename of
+the client (ending with '$') and the UPN (host/domain@REALM). If these two
+entries are still needed, each must be specified in an own keytab file.
+Example below will generate three keytab files that contain SPNs synced from
+AD, host UPN and machine$ SPN:
+
+
+
+/etc/krb5.keytab0:sync_spns:machine_password,
+/etc/krb5.keytab1:spns=host/smb.com@SMB.COM:machine_password,
+/etc/krb5.keytab2:account_name:machine_password
+
+
+
+No changes are made to the computer AD account.