If we don't find the service principal in a TGS request, and it looks 
like a host-based principal, we return a realm referral if we can look up 
the realm in the KDC's domain_realm configuration.

We should not do this if the realm we find is the same as the service 
realm.  Receiving a referral back to the same realm is only going to 
confuse the client.  In the best case, the client will detect this case 
and fall back to a request without the canonicalize flag (see #4955 and 
#7016); in the worst case, the client might overwrite its cached local 
TGT (reportedly true on OS X 10.7).