diff --git a/lib/krb5/test_ap-req.c b/lib/krb5/test_ap-req.c
index dcdddb814..c3aaef360 100644
--- a/lib/krb5/test_ap-req.c
+++ b/lib/krb5/test_ap-req.c
@@ -39,7 +39,7 @@
 #include
 #include
-static int verify_pac = 0;
+static int verify_pac = 1;
 static int server_any = 0;
 static int version_flag = 0;
 static int help_flag = 0;
diff --git a/tests/kdc/check-kdc.in b/tests/kdc/check-kdc.in
index 83e717d54..d49701bcf 100644
--- a/tests/kdc/check-kdc.in
+++ b/tests/kdc/check-kdc.in
@@ -506,7 +506,7 @@ ${kinit} -n --password-file=${objdir}/foopassword foo@$R || \
 for a in $enctypes; do
 echo "Getting tickets ($a)"; > messages.log
 ${kgetcred} -e $a ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
- ${test_ap_req} ${server}@${R} ${keytab} ${cache} || \
+ ${test_ap_req} --no-verify-pac ${server}@${R} ${keytab} ${cache} || \
 { ec=1 ; eval "${testfailed}"; }
 ${kdestroy} --credential=${server}@${R}
 done
diff --git a/tests/plugin/check-pac.in b/tests/plugin/check-pac.in
index 13c2d8d3a..5e43b2593 100644
--- a/tests/plugin/check-pac.in
+++ b/tests/plugin/check-pac.in
@@ -134,6 +134,12 @@ ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
 echo "Verify PAC on server (no pac)"; > messages.log
 ${test_apreq} --verify-pac ${server}@${R} ${keytab} ${cache} 2> /dev/null && \
 { ec=1 ; eval "${testfailed}"; }
+
+# now that verify-pac is the default, also verify that --no-verify-pac works
+${test_apreq} ${server}@${R} ${keytab} ${cache} 2> /dev/null && \
+ { ec=1 ; eval "${testfailed}"; }
+${test_apreq} --no-verify-pac ${server}@${R} ${keytab} ${cache} 2> /dev/null || \
+ { ec=1 ; eval "${testfailed}"; }
 ${kdestroy}
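Review bot: The flipped default on `verify_pac` carries no comment, and nothing in this hunk shows the option's help text being brought in line with it. The option table lies outside the hunk, so please confirm that the `verify-pac` usage string no longer reads as an opt-in switch. A one-line comment on the declaration would also help, for example `/* PAC verification is on by default; --no-verify-pac turns it off */`. Any script that runs this program without the flag now gets verification, so callers other than the two test scripts touched here should be checked as well.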
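Review bot: Passing `--no-verify-pac` inside the enctype loop switches PAC verification off for every enctype this test exercises, and the line gives no reason for it. If the tickets issued in this part of the suite carry no PAC, or verification fails only for particular enctypes, a comment above the call should say so, for example `# PAC verification skipped: <reason>`. Without that, a later reader cannot tell a deliberate opt-out from one that is hiding a verification failure. If only some enctypes need the opt-out, restricting the flag to those would keep the new default covered for the rest.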
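Review bot: The new default-mode check expects failure (`&&`) with stderr discarded, so it passes on any non-zero exit rather than only on a missing PAC. The two added cases also have no `echo` heading and do not reset `messages.log`, so a failure is reported under the earlier "Verify PAC on server (no pac)" step. I would put `echo "Verify PAC on server (no pac, default)"; > messages.log` before the first case and a matching line before the second. I would also drop `2> /dev/null` from the `--no-verify-pac` invocation, which is expected to succeed and whose error output is what a maintainer needs when it does not.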