When sign_authdata is called there is no indication of what kind of request it is being called for. I am currently checking the KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY flag in order to infer if the original request was an as request or a tgs request. It would be nicer to have this datum passed in as an argument instead.