Subject: KDC can return host referral to its own realm

If we don't find the service principal in a TGS request, and it looks like a host-based principal, we return a realm referral if we can look up the realm in the KDC's domain_realm configuration.

We should not do this if the realm we find is the same as the service realm. Receiving a referral back to the same realm is only going to confuse the client. In the best case, the client will detect this case and fall back to a request without the canonicalize flag (see #4955 and #7016); in the worst case, the client might overwrite its cached local TGT (reportedly true on OS X 10.7).
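
The referral decision described above, with the same-realm guard, as an added C example; it is not the KDC's own code. The mapping table, the function names `lookup_realm` and `referral_realm`, and the test for a host-based principal are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed [domain_realm]-style mapping; all names here are illustrative. */
struct mapping { const char *name, *realm; };
static const struct mapping domain_realm[] = {
    { ".example.com",     "EXAMPLE.COM" },
    { ".eng.example.com", "ENG.EXAMPLE.COM" },
    { "db1.example.com",  "DB.EXAMPLE.COM" },
};

/* Simplified lookup: the host name first, then each parent domain.
 * Assumes the host name is already lower case. */
static const char *lookup_realm(const char *host)
{
    const char *p;
    size_t i, n = sizeof(domain_realm) / sizeof(domain_realm[0]);
    for (p = host; p != NULL && *p != '\0';
         p = (*p == '.') ? p + 1 : strchr(p, '.'))
        for (i = 0; i < n; i++)
            if (strcmp(domain_realm[i].name, p) == 0)
                return domain_realm[i].realm;
    return NULL;
}

/* Realm to refer the client to, or NULL when no referral should be sent. */
static const char *referral_realm(const char *princ, const char *service_realm)
{
    const char *slash = strchr(princ, '/'), *realm;
    /* Assumed test for "looks host-based": two components, dotted second. */
    if (slash == NULL || strchr(slash + 1, '/') != NULL ||
        strchr(slash + 1, '.') == NULL)
        return NULL;
    realm = lookup_realm(slash + 1);
    /* The guard from the report: a referral to the realm the client already
     * asked is never useful, so treat it as "no referral". */
    if (realm == NULL || strcmp(realm, service_realm) == 0)
        return NULL;
    return realm;
}

int main(void)
{
    const char *r = referral_realm("host/www.example.com", "EXAMPLE.COM");
    printf("same realm  -> %s\n", r ? r : "(no referral)");
    r = referral_realm("host/a.eng.example.com", "EXAMPLE.COM");
    printf("other realm -> %s\n", r ? r : "(no referral)");
    return 0;
}
```

With the guard in place, a lookup that lands on the service realm is handled like a failed lookup, so the client gets the ordinary unknown-principal answer instead of a referral.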