From 8b18192879ce39d3eeac0876f6eaf565a800e3d9 Mon Sep 17 00:00:00 2001
From: Johan Danielsson <joda@pdc.kth.se>
Date: Tue, 20 Aug 2002 14:53:03 +0000
Subject: [PATCH] correct documentation for verify_ap_req_nofail

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@11167 ec53bebd-3082-4978-b11e-865c3cabbd6b
---
 lib/krb5/krb5.conf.5 | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/lib/krb5/krb5.conf.5 b/lib/krb5/krb5.conf.5
index 6903d1683..622be5aa4 100644
--- a/lib/krb5/krb5.conf.5
+++ b/lib/krb5/krb5.conf.5
@@ -133,8 +133,11 @@ This option is also valid in the [realms] section.
 When obtaining initial credentials, make the credentials proxiable.
 This option is also valid in the [realms] section.
 .It Li verify_ap_req_nofail = Va boolean
-Enable to make a failure to verify obtained credentials
-non-fatal. This can be useful if there is no keytab on a host.
+If enabled, failure to verify credentials against a local key is a
+fatal error. The application has to be able to read the corresponding
+service key for this to work. Some applications, like
+.Xr su 8 ,
+enable this option unconditionally.
 .It Li warn_pwexpire = Va time
 How soon to warn for expiring password. Default is seven days.
 .It Li http_proxy = Va proxy-spec