If we don't find the service principal in a TGS request, and it looks like a host-based principal, we return a realm referral if we can look up the realm in the KDC's domain_realm configuration. We should not do this if the realm we find is the same as the service realm. Receiving a referral back to the same realm is only going to confuse the client. In the best case, the client will detect this case and fall back to a request without the canonicalize flag (see #4955 and #7016); in the worst case, the client might overwrite its cached local TGT (reportedly true on OS X 10.7).