This error occurs because of the composition of full_svcname in gic_iter(). Fixing it is more complicated than I had hoped.

Although a full service name is not needed for krb5_get_init_creds_password or krb5_get_init_creds_keytab, we do need the service name for two other purposes: (1) the INIT_CREDS case of gic_iter, where we check whether a cred exists in the ccache for the service, (2) to import as a GSS name for authgss_create/auth_gssapi_create(). For the second case we ideally want it in string form, although we could use gss_krb5_nt_principal (normally discouraged) to import a principal directly.

Checking whether the supplied name has a realm part is tricky because '@' characters can be escaped. We could parse it with KRB5_PRINCIPAL_PARSE_IGNORE_REALM and then remove the realm; this would work best if we pass the realm around internally as an allocated krb5_principal object rather than a string within a fixed-length buffer as we currently do.

(Side question I haven't fully explored: we have two cases for filling in the realm of the server name, one if params_in had a specified realm and another where we use the realm of the client principal. A specified realm which is different from the client realm could only conceivably work with INIT_CREDS. Perhaps this can be simplified down to one case.)
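
The escaped-'@' problem described in the message above, as an added example that is not part of the original message and is not krb5 code. It assumes a simplified model of the name syntax in which a backslash quotes the next character, and it chooses to treat a second unescaped '@' as malformed; the helper names and the EXAMPLE.COM names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: offset of the unescaped '@' that starts the realm,
 * -1 if the name has no realm part, -2 if the name is malformed. */
long realm_sep_offset(const char *name)
{
    long sep = -1;
    for (size_t i = 0; name[i] != '\0'; i++) {
        if (name[i] == '\\') {
            if (name[i + 1] == '\0')
                return -2;          /* dangling backslash */
            i++;                    /* skip the quoted character */
        } else if (name[i] == '@') {
            if (sep >= 0)
                return -2;          /* second unescaped '@' */
            sep = (long)i;
        }
    }
    return sep;
}

/* Naive check for contrast: counts an escaped "\@" as a realm separator. */
int naive_has_realm(const char *name)
{
    return strchr(name, '@') != NULL;
}

/* Hypothetical helper: copy name minus realm into out; 0 on success, -1 on error. */
int strip_realm(const char *name, char *out, size_t outlen)
{
    long sep = realm_sep_offset(name);
    if (sep == -2)
        return -1;
    size_t n = (sep >= 0) ? (size_t)sep : strlen(name);
    if (n >= outlen)
        return -1;                  /* refuse to truncate into a fixed buffer */
    memcpy(out, name, n);
    out[n] = '\0';
    return 0;
}

int main(void)
{
    const char *name = "svc\\@host@EXAMPLE.COM";   /* constructed sample */
    char buf[64];
    if (strip_realm(name, buf, sizeof(buf)) == 0)
        printf("%s -> %s\n", name, buf);
    return 0;
}
```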