On Wed, 17 Nov 2010, Greg Hudson via RT wrote: > From: Greg Hudson via RT > To: D.H.Davis@bath.ac.uk > Date: Wed, 17 Nov 2010 15:33:13 > Subject: [krbdev.mit.edu #6821] The +preauth default in kdc.conf isn't always > obeyed. > > Prior to 1.8, addprinc -randkey was implemented in three > RPCs: create the principal with a dummy password and the > disallow-all-tix flag, randomize its password, unset the > disallow-all-tix flag. This had the unfortunate side effect of > ignoring the KDC's default flags. > > There is now a better way (create the principal with a null > password), but clients and servers both have to be at 1.8 for it > to work. Thanks for the very prompt reply. I wondered if something like this was happening when I noticed -randkey with 1.6.3 and 1.7.1 kadmin produced principals with a Key vno of 2, whereas -randkey with a 1.8.x kadmin produced principals with a Key vno of 1. I note you're using RT so please flag this ticket as closed, if you haven't done so already. It would be unreasonable to expect the improved interface to be back-ported to earlier versions of kerberos. (This arose because I've recently switched to using the +preauth default for all principals associated with humanoids. Easily done by making it the default in kdc.conf. Typically I, and I suspect others, use -randkey when generating host and service based principals. So I was expecting to have to turn off preauth on such principals as I'm not quite ready to go there yet. I was puzzled when I didn't have to turn off +preauth with a production KDC running 1.6.3. It had already been done for me!) -- Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK D.H.Davis@bath.ac.uk Phone: +44 1225 386101