> On May 26, 2017, at 11:44 AM, Viktor Dukhovni <heim...@dukhovni.org> wrote:
> And in particular, "service accounts" (service principals) generally have
> random keys generated by cryptographically strong PRNG. They are typically
> (on Unix systems) not and should not be "password based".
> Now it is true that in Active Directory various services (SPNs)
> require a domain password for their domain account (there are
> no "keytab" files on Windows). It is up to the domain administrator
> to configure strong random passwords for such accounts.
In Heimdal that’s kadmin add --random-key . . . Don’t use kadmin add
--random-password unless the (small) number of characters is OK for your
In MIT it’s kadmin addprinc -randkey.
Now for my question: In Windows it looks like you should be able to do
something similar with “ktpass /pass +rndpass . . .”, but I’ve never been able
to get that command accepted. Under what conditions does that option work?
Personal email. hbh...@oxy.edu