> On May 26, 2017, at 11:44 AM, Viktor Dukhovni <heim...@dukhovni.org> wrote:
>
> And in particular, "service accounts" (service principals) generally have
> random keys generated by cryptographically strong PRNG. They are typically
> (on Unix systems) not and should not be "password based".
>
> Now it is true that in Active Directory various services (SPNs)
> require domain a password for their domain account (there are
> no "keytab" files on Windows). It is up to the domain administrator
> to configure strong random passwords for such accounts.
>
> --
> Viktor.

In Heimdal that’s kadmin add --random-key . . . Don’t use kadmin add --random-password unless the (small) number of characters is OK for your application. In MIT it’s kadmin addprinc -randkey.

Now for my question: In Windows it looks like you should be able to do something similar with “ktpass /pass +rndpass . . .”, but I’ve never been able to get that command accepted. Under what conditions does that option work?

Personal email. hbh...@oxy.edu