>>>>> "Tom" == Tom Yu via RT writes:

    Tom> The existing implementation of GSS_C_DELEG_POLICY_FLAG does
    Tom> not examine cross-realm tickets leading to the service
    Tom> ticket. Implement Heimdal's solution of stripping
    Tom> ok-as-delegate flags inside get_creds if an intervening
    Tom> cross-realm TGT lacks it.

I think this is definitely a good long-term solution.
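
The check described in the quoted message, sketched as an added example that is not part of the original thread and is not MIT krb5 or Heimdal code. The `struct cred` type, the function names and the sample principals are assumptions made for illustration; the flag masks are the RFC 4120 ticket flag bits.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define FLAG_FORWARDABLE    0x40000000u /* RFC 4120 ticket flag bit 1 */
#define FLAG_OK_AS_DELEGATE 0x00040000u /* RFC 4120 ticket flag bit 13 */

/* Hypothetical stand-in for one credential on the path; not a krb5 type. */
struct cred { const char *server; uint32_t flags; };

/* Constructed sample paths: TGTs first, service ticket last. */
const struct cred path_ok[] = {
    { "krbtgt/A.EXAMPLE@A.EXAMPLE", FLAG_FORWARDABLE },
    { "krbtgt/B.EXAMPLE@A.EXAMPLE", FLAG_FORWARDABLE | FLAG_OK_AS_DELEGATE },
    { "host/svc.b.example@B.EXAMPLE", FLAG_FORWARDABLE | FLAG_OK_AS_DELEGATE },
};
const struct cred path_stripped[] = {
    { "krbtgt/A.EXAMPLE@A.EXAMPLE", FLAG_FORWARDABLE },
    { "krbtgt/B.EXAMPLE@A.EXAMPLE", FLAG_FORWARDABLE }, /* flag missing */
    { "host/svc.b.example@B.EXAMPLE", FLAG_FORWARDABLE | FLAG_OK_AS_DELEGATE },
};

/* True for krbtgt/X@Y with X != Y, i.e. a cross-realm TGT. */
static int is_cross_realm_tgt(const char *server)
{
    const char *realm, *at;
    size_t len;

    if (strncmp(server, "krbtgt/", 7) != 0)
        return 0;
    realm = server + 7;
    if ((at = strchr(realm, '@')) == NULL)
        return 0;
    len = (size_t)(at - realm);
    return strlen(at + 1) != len || strncmp(realm, at + 1, len) != 0;
}

/* path[n-1] is the service ticket; clear its ok-as-delegate bit if any
 * cross-realm TGT earlier in the path lacks the bit. */
uint32_t delegation_checked_flags(const struct cred *path, size_t n)
{
    uint32_t flags = n ? path[n - 1].flags : 0;
    for (size_t i = 0; i + 1 < n; i++)
        if (is_cross_realm_tgt(path[i].server) &&
            !(path[i].flags & FLAG_OK_AS_DELEGATE))
            flags &= ~FLAG_OK_AS_DELEGATE;
    return flags;
}
int main(void)
{
    printf("%08x %08x\n", (unsigned)delegation_checked_flags(path_ok, 3),
           (unsigned)delegation_checked_flags(path_stripped, 3));
    return 0;
}
```

The local TGT (krbtgt/A.EXAMPLE@A.EXAMPLE) is not a cross-realm TGT, so its flags do not affect the result; only the hop into the foreign realm does.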