> On May 26, 2017, at 11:44 AM, Viktor Dukhovni <heim...@dukhovni.org> wrote:
> 
> And in particular, "service accounts" (service principals) generally have
> random keys generated by cryptographically strong PRNG.  They are typically
> (on Unix systems) not and should not be "password based".
> 
> Now it is true that in Active Directory various services (SPNs)
> require domain a password for their domain account (there are
> no "keytab" files on Windows).  It is up to the domain administrator
> to configure strong random passwords for such accounts.
> 
> -- 
>       Viktor.

In Heimdal that’s kadmin add —random-key . . .  Don’t use kadmin add 
—random-password unless the (small) number of characters is OK for your 
application.

In MIT it’s kadmin addprinc -randkey.

Now for my question: In Windows it looks like you should be able to do 
something similar with “ktpass /pass +rndpass . . .”, but I’ve never been able 
to get that command accepted. Under what conditions does that option work?


Personal email.  hbh...@oxy.edu



Reply via email to