Comment 3 for bug 1777776

I don't know why krb5_validate is false by default. I thought it was historical or to (dubiously) to make setting up easier, but I did some tests and found, to my surprise, that even with it not set, I could not log in without an /etc/krb5.keytab file.

In particular, I tried all 6 combinations of krb5_validate {set or not set} and /etc/krb5.keytab being { empty, valid, valid but for a different kdc }. I found that I could never log in without some /etc/krb5.keytab. With a valid (but inconsistent with the actual responding kerberos server) key, it required the flag be not set in order to log in (this is the scenario for an attacker). With the correct /etc/krb5.keytab you could log in regardless of krb5_validate.

So it sounds as if sssd overrides verify_ap_req_nofail to true even if krb5_validate is false, which is surprising.

So the only breaking case I see of having krb5_validate default on would be if the system has an /etc/krb5.conf from a different kerberos system, which seems unlikely.