Confused about verify_ap_req_nofail
Hello, I am confused about verify_ap_req_nofail option. From the krb5.conf
man page:

verify_ap_req_nofail = boolean
                       Enable to make a failure to verify obtained creden-
                       tials non-fatal. This can be useful if there is no
                       keytab on a host.

So from this, I would assume that if I had a line in my /etc/krb5.conf
that looked like:

[libdefaults]
	verify_ap_req_nofail = true

Then functions such as krb5_verify_user_lrealm would not fail if there
was no keytab on the host. But when I tried it out, I found it to have
different behavior. When I had this line in the krb5.conf,
krb5_verify_user_lrealm always fails, even if the secure parameter of
krb5_verify_user_lrealm is set to FALSE. Am I misunderstanding how
verify_ap_req_nofail is supposed to work? Am I doing something else
wrong? If not, then it would seem as though the problem would come from
the fail_verify_is_ok function, since if verify_ap_req_nofail is set to
true in the /etc/krb5.conf, it will return FALSE. In fact, the only
time it will return true is if secure=FALSE and verify_ap_req_nofail is
either nonpresent or set to false in /etc/krb5.conf.

In any event, I would like to code an application to use
krb5_verify_user_lrealm to be called with secure=TRUE so that by
default the creds are verified against a keytab, but then let system
administrators override that if they have no keytab (so that the
application still works).

Thanks,

John