This is a known problem, although I don't seem to have created a ticket for it. It's a pretty serious impediment to using anonymous tickets, which is unfortunate. Basically, you can contact a target service if its realm is known and is the same as the realm where the client got anonymous tickets; if the service realm is unknown or is a foreign realm, get_creds tries to start with a TGT for WELLKNOWN:ANONYMOUS and fails. An outline of the solution is at http://k5wiki.kerberos.org/wiki/Projects/StartRealmCCconfig, but we haven't implemented it yet. A possible workaround for local-realm use is to configure a [domain_realm] on the client so that it doesn't try to use the referral realm for host-based service names.
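A sketch of the [domain_realm] workaround mentioned above, as an added example that is not part of the original reply. EXAMPLE.COM, example.com and server.example.com are placeholders for the local realm, its DNS domain and a local host.

```ini
# krb5.conf on the client (constructed example; all realm and host names
# below are placeholders, not values from the original message).

[domain_realm]
    # Explicit mappings give host-based service names for local hosts a
    # known realm, so the library does not fall back to the referral realm
    # and start from a TGT for WELLKNOWN:ANONYMOUS.
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM

# One way to check the result from the client:
#   kinit -n @EXAMPLE.COM          # obtain anonymous tickets from the local realm
#   kvno host/server.example.com   # service realm now resolves to EXAMPLE.COM
#   klist                          # the service ticket should appear in the cache
```

This only covers services in the realm that issued the anonymous tickets; the foreign-realm case described above is unaffected.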