On Fri May 24 01:37:41 2019, jaltman@secure-endpoints.com wrote:

gss-krb5 when passed a two component acceptor name passes the second component to getaddrinfo() to canonicalize it.  While it is often the case that the second component of a service name is a hostname, it is not always a hostname.

Apologies for letting this sit for a year and then coming back with an argument, but: does it make sense to use GSS_C_NT_HOSTBASED_SERVICE when the second part of the name isn't a hostname?  RFC 2743 section 4.1 is pretty clear that the second part is a hostname.  Would it be better to import using GSS_KRB5_NT_PRINCIPAL_NAME?