Go to main content

Managing Kerberos in Oracle® Solaris 11.4

Exit Print View

Updated: August 2020

Verifying Kerberos Clients Without a Host Principal

By default, Kerberos checks that the KDC of the host principal that is stored in the local /etc/krb5/krb5.keytab file is the same KDC that issued the ticket-granting ticket (TGT). This check, verify_ap_req_nofail, prevents DNS spoofing attacks.

    However, this check must be disabled for client configurations where the host principal is unavailable. The following configurations require this check to be disabled:

  • The client IP address is dynamically assigned, for example, a DHCP client.

  • The client is not configured to host any services, so no host principal was created.

  • The host key is not stored on the client.

To disable TGT verification, set the –verify_ap_req_nofail option to false in the krb5.conf file. The –verify_ap_req_nofail option can be entered in either the [libdefaults] or the [realms] section of the krb5.conf file. In the [libdefaults] section, the setting is used for all realms:

client # pfedit /etc/krb5/krb5.conf
default_realm = EXAMPLE.COM
verify_ap_req_nofail = false

If the option is in the [realms] section, the setting applies only to the defined realm. For more information about this option, see the krb5.conf(5) man page.