If set then if password authentication through Kerberos fails then the password will be validated via any additional local mechanism such as /etc/passwd or SecurID. Default is ``yes''.