By default, Kerberos checks that the KDC of the host principal that is stored in the local /etc/krb5/krb5.keytab file is the same KDC that issued the ticket-granting ticket (TGT). This check, verify_ap_req_nofail, prevents DNS spoofing attacks.
However, this check must be disabled for client configurations where the host principal is unavailable. The following configurations require this check to be disabled:
The client IP address is dynamically assigned, for example, a DHCP client.
The client is not configured to host any services, so no host principal was created.
The host key is not stored on the client.
To disable TGT verification, set the –verify_ap_req_nofail option to false in the krb5.conf file. The –verify_ap_req_nofail option can be entered in either the [libdefaults] or the [realms] section of the krb5.conf file. In the [libdefaults] section, the setting is used for all realms:
client # pfedit /etc/krb5/krb5.conf [libdefaults] default_realm = EXAMPLE.COM verify_ap_req_nofail = false ...
If the option is in the [realms] section, the setting applies only to the defined realm. For more information about this option, see the krb5.conf(5) man page.