diff --git a/continuousintegration/docker/ctafrontend/cc7/opt/run/bin/ctaeos-mgm.sh b/continuousintegration/docker/ctafrontend/cc7/opt/run/bin/ctaeos-mgm.sh
index 3482772919a1b995016b1b62e9cf77954af7a8c0..fdbf88b7c3bd2227e3567b4dbb3f04bb29b0b8c2 100755
--- a/continuousintegration/docker/ctafrontend/cc7/opt/run/bin/ctaeos-mgm.sh
+++ b/continuousintegration/docker/ctafrontend/cc7/opt/run/bin/ctaeos-mgm.sh
@@ -71,9 +71,6 @@ echo "mgmofs.tapeenabled true"  >> /etc/xrd.cf.mgm
 # Add configmap based configuration (initially Namespace)
 test -f /etc/config/eos/xrd.cf.mgm && cat /etc/config/eos/xrd.cf.mgm >> /etc/xrd.cf.mgm
 
-# quarkDB only for systemd initially...
-cat /etc/config/eos/xrd.cf.mgm | grep mgmofs.nslib | grep -qi eosnsquarkdb && /opt/run/bin/start_quarkdb.sh
-
 # prepare eos startup
   # skip systemd for eos initscripts
     export SYSTEMCTL_SKIP_REDIRECT=1
@@ -91,6 +88,9 @@ echo -n '0 u:daemon g:daemon n:ctaeos+ N:6361884315374059521 c:1481241620 e:0 f:
   touch   /var/eos/config/${eoshost}/default.eoscf
     chown daemon:daemon /var/eos/config/${eoshost}/default.eoscf
 
+# quarkDB only for systemd initially...
+cat /etc/config/eos/xrd.cf.mgm | grep mgmofs.nslib | grep -qi eosnsquarkdb && /opt/run/bin/start_quarkdb.sh
+
 # add taped SSS must be in a kubernetes secret
 #echo >> /etc/eos.keytab
 #echo '0 u:stage g:tape n:taped+ N:6361736405290319874 c:1481207182 e:0 f:0 k:8e2335f24cf8c7d043b65b3b47758860cbad6691f5775ebd211b5807e1a6ec84' >> /etc/eos.keytab
diff --git a/continuousintegration/docker/ctafrontend/cc7/opt/run/bin/start_quarkdb.sh b/continuousintegration/docker/ctafrontend/cc7/opt/run/bin/start_quarkdb.sh
index 2c9d873a04e943f20f15e1349bf6f15d66999fef..765d2ccac7cc8b3138ffc8dff78464e054bcf4e2 100755
--- a/continuousintegration/docker/ctafrontend/cc7/opt/run/bin/start_quarkdb.sh
+++ b/continuousintegration/docker/ctafrontend/cc7/opt/run/bin/start_quarkdb.sh
@@ -25,6 +25,13 @@ chown -R xrootd:xrootd ${QUARKDB_DIRECTORY}
 
 cp -f ${QUARKDB_CONFIG} /etc/xrootd/xrootd-quarkdb.cfg
 
+# quarkdb is starting as xrootd user and mgm as daemon
+# the password file must be 400 for each service...
+# for now copy and chown, later run quarkdb as daemon and use /etc/eos.keytab for both
+cp /etc/eos.keytab /etc/eos.keytab.xrootd
+chmod 400 /etc/eos.keytab.xrootd
+chown xrootd:xrootd /etc/eos.keytab.xrootd
+
 systemctl start xrootd@quarkdb
 
 systemctl status xrootd@quarkdb
diff --git a/continuousintegration/orchestration/eos-config-quarkdb.yaml b/continuousintegration/orchestration/eos-config-quarkdb.yaml
index d393a55a8f8fde991d5777959ad77f40a321b839..68d7aae739d6111b953c9e59f25dabad7a00fa7e 100644
--- a/continuousintegration/orchestration/eos-config-quarkdb.yaml
+++ b/continuousintegration/orchestration/eos-config-quarkdb.yaml
@@ -8,8 +8,11 @@ data:
   xrd.cf.mgm: |
     mgmofs.nslib /usr/lib64/libEosNsQuarkdb.so
     mgmofs.qdbcluster localhost:7777
+    mgmofs.qdbpassword_file  /etc/eos.keytab
+
   xrootd-quarkdb.cfg: |
     xrd.port 7777
     xrd.protocol redis:7777 /usr/lib64/libXrdQuarkDB.so
     redis.mode standalone
     redis.database /var/lib/quarkdb/quarkdb1
+    redis.password_file  /etc/eos.keytab.xrootd