System Administration Guide: Security Services

ProcedureHow to Disable Verification of the Ticket Granting Ticket (TGT)

This procedure disables the security check that checks that the KDC of the host principal stored in the local /etc/krb5/krb5.keytab file is the same KDC that issued the Ticket Granting Ticket. This check prevents DNS spoofing attacks. However, for some client configurations, the host principal may not be available, so this check would need to be disabled to allow the client to function. These are the configurations that require that this check is disabled:

  1. Become superuser.

  2. Change the krb5.conf file.

    If the verify_ap_req_nofail option is set to false, the TGT verification process is not enabled. See the krb5.conf(4) man page for more information about this option.

    client # cat /etc/krb5/krb5.conf
            default_realm = EXAMPLE.COM
            verify_ap_req_nofail = false

    Note –

    The verify_ap_req_nofail option can be entered in either the [libdefaults] or the [realms] section of the krb5.conf file. If the option is in the [libdefaults]section, the setting is used for all realms. If the option is in the [realms]section, the setting only applies to the defined realm.