Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.411 (Entity 5.404) Subject: keytab code can't match principals with realms not yet determined X-RT-Original-Encoding: iso-8859-1 Content-Length: 597 The new referral support code puts determination of the realm of a service on the KDC. On the client side, in krb5_sname_to_principal, if we don't have explicit data in the config file (or supplied by the application), we leave the realm as an empty string rather than applying unreliable heuristics. However, if the resulting principal name is used to look up an entry in a keytab, rather than as the server name to pass off to a KDC, it will not match any of the entries in the file. Proposed fix: If an empty realm name is given to the keytab-reading code, the default realm is used instead.