Version 1.30 of pam_krb5: When validating tickets against a local host key, required_tgs used to default to host/<hostname>. It now defaults to "", meaning that both 'validate' and 'required_tgs' must be enabled. The code to build the default is there, its just not supplied to appdefault_string().
This will be fixed in 1.31 and later. Thanks!