The following parts of the code need to be modified to always use the 
correct realm:

* kprop.c:get_tickets(), which currently uses sn2princ on the local 
hostname, and substitutes the default realm (not the -r realm value) 
if it gets back the referral realm.  That function also uses sn2princ 
on the server hostname, but ignores the realm as it is making an AS 
request.

* kpropd.c:do_iprop(), which currently uses krb5_get_default_realm() 
to look up the master service principal, ignoring the -r realm value.  
It also uses sn2princ on the local hostname, substituting the default 
realm (again, not the -r realm value) if it gets back the referral 
realm.

* kpropd.c:parse_args(), which currently uses sn2princ on the local 
hostname, and substitutes the -r realm value if given.  If it gets 
back the referral realm and no -r realm value is given, the server 
principal will have no realm.

We are adding krb5_expand_hostname() from Heimdal, but (a) the 
initial solution to this bug should probably not use a new API so 
that it can be backported, and (b) we really want an sn2princ-like 
API for most of these parts of the code, just not with the realm 
lookup.