Version 1.30 of pam_krb5:
When validating tickets against a local host key, required_tgs used to
default to host/<hostname>. It now defaults to "", meaning that both
'validate' and 'required_tgs' must be enabled. The code to build the
default is there, its just not supplied to appdefault_string().
This will be fixed in 1.31 and later. Thanks!