At login, a client uses the pam_krb5 module to verify that the KDC that issued the latest TGT is the same KDC that issued the client host principal that is stored in the /etc/krb5/krb5.keytab file. The pam_krb5 module verifies the KDC when the module is configured in the authentication stack. For some configurations, such as DHCP clients that do not store a client host principal, this check needs to be disabled. To turn off this check, you must set the –verify_ap_req_nofail option in the krb5.conf file to false. For more information, see Disabling Verification of the Ticket-Granting Ticket.