[krbdev.mit.edu #6821] The +preauth default in kdc.conf isn't always obeyed.
Greg Hudson via RT
rt-comment at krbdev.mit.edu
Wed Nov 17 10:33:13 EST 2010
Prior to 1.8, addprinc -randkey was implemented in three RPCs: create the
principal with a dummy password and the disallow-all-tix flag, randomize
its password, unset the disallow-all-tix flag. This had the unfortunate
side effect of ignoring the KDC's default flags.
There is now a better way (create the principal with a null password),
but clients and servers both have to be at 1.8 for it to work.
More information about the krb5-bugs
mailing list