Comment 2 for bug 1777776

And, is sssd's krb5_validate option overriding krb5 library's verify_ap_req_nofail?

If this flag is true, then an attempt to verify initial credentials will fail if the client machine does not have a keytab. The default value is false.