In the presence of aliases, LDAP iteration was supplying the first principal it found within the expected realm, which is not necessarily the same as the canonical name. If the entry has a canonical name field, use that in preference to any of the principal names.

https://github.com/krb5/krb5/commit/2a7f20f7b92263cb3c67580c4bf40f7bf3deeb5b

Commit By: ghudson
Revision: 22710
Changed Files:
U trunk/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c
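The selection logic the commit describes, as an added Python illustration rather than the krb5 C code in ldap_principal.c: the pre-fix routine returns the first principal name in the realm (possibly an alias), the post-fix routine prefers the entry's canonical name and only falls back when none is present. The attribute names krbPrincipalName and krbCanonicalName are assumed from the krb5 LDAP schema and the entries are constructed sample data.

```python
# Selecting a principal name from a krb5 LDAP entry that carries aliases.
# krbPrincipalName holds every name the entry answers to, krbCanonicalName
# the single canonical form (attribute names assumed from the krb5 LDAP
# schema). The entry dicts below are constructed sample data.

def realm_of(principal):
    """Return the realm part of 'name@REALM' (empty string if absent)."""
    return principal.rsplit("@", 1)[1] if "@" in principal else ""

def first_in_realm(entry, realm):
    """Pre-fix behaviour: the first krbPrincipalName value in the expected
    realm, which may be an alias rather than the canonical name."""
    for name in entry.get("krbPrincipalName", []):
        if realm_of(name) == realm:
            return name
    return None

def canonical_in_realm(entry, realm):
    """Post-fix behaviour: prefer krbCanonicalName when the entry has one in
    the expected realm; otherwise fall back to the old selection."""
    for name in entry.get("krbCanonicalName", []):
        if realm_of(name) == realm:
            return name
    return first_in_realm(entry, realm)

# Constructed entry: an alias is listed before the canonical name, and a
# name from another realm is present to show the realm filter still applies.
SAMPLE_ENTRY = {
    "krbPrincipalName": [
        "alias@EXAMPLE.COM",
        "other@OTHER.REALM",
        "canon@EXAMPLE.COM",
    ],
    "krbCanonicalName": ["canon@EXAMPLE.COM"],
}

# Constructed entry with no canonical-name attribute: both routines agree.
LEGACY_ENTRY = {"krbPrincipalName": ["only@EXAMPLE.COM"]}

if __name__ == "__main__":
    print(first_in_realm(SAMPLE_ENTRY, "EXAMPLE.COM"))      # alias@EXAMPLE.COM
    print(canonical_in_realm(SAMPLE_ENTRY, "EXAMPLE.COM"))  # canon@EXAMPLE.COM
    print(canonical_in_realm(LEGACY_ENTRY, "EXAMPLE.COM"))  # only@EXAMPLE.COM
```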