Some ancillary wrinkles:

* krb5_sname_to_principal() allows :port suffixes (used by MSSQLSvc principals), but the current fallback processing in get_creds.c does not.

* krb5_get_init_creds_keytab() iterates over the keytab to find the available enctypes so it can put those first in the request, and errors out if it doesn't find any.  This operation does not substitute the default realm for the referral realm like krb5_kt_get_entry() does.

* krb5_sname_to_principal() looks up the realm (in [domain_realm] or a hostrealm plugin module) of the first expanded hostname candidate.  The current fallback processing does not repeat this lookup.  If qualify_shortname is "", the lookup is unlikely to succeed for the local hostname or a short hostname.
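To make the first wrinkle concrete, here is an added example (not krb5 source code) of what carrying a `:port` suffix through fallback hostname candidates involves. The function names, the sample hostnames, and the trailer rule (exactly one colon followed by at least one character) are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Return a pointer to a ":port" or ":instance" trailer, or NULL if none.
 * Assumed rule: exactly one colon with at least one character after it, so
 * IPv6 literals (several colons) and a bare trailing ':' are not split. */
static const char *find_trailer(const char *hostname)
{
    const char *p = strchr(hostname, ':');

    if (p == NULL || p[1] == '\0' || strchr(p + 1, ':') != NULL)
        return NULL;
    return p;
}

/* Copy the hostname without its trailer; this is the part that gets
 * expanded or canonicalized.  Returns 0, or -1 if out is too small. */
static int host_part(const char *orig, char *out, size_t outlen)
{
    const char *t = find_trailer(orig);
    size_t len = (t != NULL) ? (size_t)(t - orig) : strlen(orig);

    if (len >= outlen)
        return -1;
    memcpy(out, orig, len);
    out[len] = '\0';
    return 0;
}

/* Build "service/candidate[:trailer]" for one fallback candidate, reusing
 * the trailer from the name the caller originally supplied. */
static int build_candidate(const char *service, const char *orig,
                           const char *candidate, char *out, size_t outlen)
{
    const char *t = find_trailer(orig);
    int n = snprintf(out, outlen, "%s/%s%s", service, candidate,
                     (t != NULL) ? t : "");

    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    char host[256], princ[512]; /* constructed sample names below */

    if (host_part("db1:1433", host, sizeof(host)) == 0 &&
        build_candidate("MSSQLSvc", "db1:1433", "db1.example.com",
                        princ, sizeof(princ)) == 0)
        printf("%s -> %s\n", host, princ);
    return 0;
}
```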