Prior to 1.8, addprinc -randkey was implemented in three RPCs: create the principal with a dummy password and the disallow-all-tix flag, randomize its password, unset the disallow-all-tix flag. This had the unfortunate side effect of ignoring the KDC's default flags. There is now a better way (create the principal with a null password), but clients and servers both have to be at 1.8 for it to work.
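
The two sequences described above can be compared in a small C model. This is an added sketch, not MIT krb5 source: the flag and mask values, struct and function names are constructed for the model, and it assumes the server applies the KDC's default flags only when the create request carries no explicit attributes.

```c
#include <stdio.h>

/* Model constants (constructed for this sketch, not taken from krb5 headers). */
#define F_DISALLOW_ALL_TIX  0x40u
#define F_REQUIRES_PREAUTH  0x80u
#define M_ATTRIBUTES        0x10u   /* request carries explicit attributes */

struct princ { unsigned attrs; int has_random_key; };

/* Assumed server rule: KDC default flags apply only when the create
 * request does not supply its own attributes. */
static void srv_create(struct princ *p, unsigned mask, unsigned attrs,
                       const char *password, unsigned kdc_defaults)
{
    p->attrs = (mask & M_ATTRIBUTES) ? attrs : kdc_defaults;
    p->has_random_key = (password == NULL);   /* null password: random key */
}
static void srv_randkey(struct princ *p) { p->has_random_key = 1; }
static void srv_modify(struct princ *p, unsigned attrs) { p->attrs = attrs; }

/* Pre-1.8 client: three RPCs; the explicit flag in step 1 displaces defaults. */
unsigned legacy_randkey(unsigned kdc_defaults)
{
    struct princ p;
    srv_create(&p, M_ATTRIBUTES, F_DISALLOW_ALL_TIX, "dummy", kdc_defaults);
    srv_randkey(&p);
    srv_modify(&p, p.attrs & ~F_DISALLOW_ALL_TIX);
    return p.attrs;
}

/* 1.8 client and server: one RPC with a null password, defaults preserved. */
unsigned new_randkey(unsigned kdc_defaults)
{
    struct princ p;
    srv_create(&p, 0, 0, NULL, kdc_defaults);
    return p.attrs;
}

/* Audit check: which default flags are absent from a principal's final flags. */
unsigned missing_defaults(unsigned final_attrs, unsigned kdc_defaults)
{
    return kdc_defaults & ~final_attrs;
}

int main(void)
{
    unsigned d = F_REQUIRES_PREAUTH;   /* constructed KDC default */
    printf("legacy flags=0x%x\n", legacy_randkey(d));
    printf("1.8    flags=0x%x\n", new_randkey(d));
    return 0;
}
```

With a default of requires-preauth, the legacy path ends with no flags set while the null-password path keeps the default; missing_defaults is the comparison an administrator would run over principals created by older clients.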