addprinc -randkey broken in 1.7?

Russ Allbery rra at
Wed Sep 16 16:13:13 EDT 2009

"Leonard J. Peirce" <leonard.peirce at> writes:

> When running (in kadmin)

>   addprinc -randkey host/host.domain

> I get a complaint about the password not containing enough character
> classes.  Did I miss something?  Not really a big deal since I can
> just specify a password.

> It used to work in 1.6.

addprinc -randkey hasn't worked for principals that have a password policy
set for some time for me.  The way -randkey works under the hood is that
it adds the principal disabled with a fixed password (which is indeed
pretty bad except that it's very long), then randomizes the key, and then
enables the principal.

This has other strange artifacts (or at least did -- I don't know if
they've been fixed).  For example, adding a principal with -randkey and
-disallow_all_tix results in an enabled principal, ignoring the
-disallow_all_tix option.

Russ Allbery (rra at             <>
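
Added example, not part of the original post: a check that a principal created with -randkey really ended up with ticket issuance disabled, done by parsing getprinc output. It assumes the "Attributes:" and "Policy:" lines that MIT kadmin prints; the sample output, principal name and policy name "hostpol" are constructed.

```shell
#!/bin/sh
# Constructed sample: getprinc output for a principal that ended up enabled.
sample_enabled() {
cat <<'EOF'
Principal: host/host.example.com@EXAMPLE.COM
Number of keys: 2
Attributes:
Policy: hostpol
EOF
}

# Constructed sample: the same principal with ticket issuance disabled.
sample_locked() {
cat <<'EOF'
Principal: host/host.example.com@EXAMPLE.COM
Number of keys: 2
Attributes: DISALLOW_ALL_TIX REQUIRES_PRE_AUTH
Policy: hostpol
EOF
}

# has_attr ATTR: exit 0 if ATTR is listed on the "Attributes:" line on stdin.
has_attr() {
    awk -v want="$1" '
        /^Attributes:/ { for (i = 2; i <= NF; i++) if ($i == want) found = 1 }
        END { exit !found }'
}

# policy_of: print the policy name from the "Policy:" line on stdin.
policy_of() {
    awk '/^Policy:/ { print $2 }'
}

# audit_locked: read getprinc output on stdin and report whether the principal
# can be issued tickets and which policy applies. Returns 1 if still enabled.
audit_locked() {
    out=$(cat)
    pol=$(printf '%s\n' "$out" | policy_of)
    if printf '%s\n' "$out" | has_attr DISALLOW_ALL_TIX; then
        echo "ok: DISALLOW_ALL_TIX set (policy: $pol)"
    else
        echo "WARN: principal is enabled (policy: $pol)"
        return 1
    fi
}

# Live use (not run here): kadmin -q "getprinc host/host.domain" | audit_locked
sample_locked | audit_locked
sample_enabled | audit_locked || true
```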
