> So I think my preferred solution for this scenario is to change
> get_cred.c not to cache answers it didn't ask for.

This makes sense to me, and it also (I think) solves another problem I’ve run into that I’ve dubbed “ccache poisoining.” If a client receives an inaccurate referral and caches it, the cached referral can prevent the client from following an available successful path for a different service ticket later on. Of course, the incorrect referral is the root  problem, but these things happen in complex multi-platform/realm arrangements, so it’s nice to contain the breakage.

-- 
   Richard