Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.427 (Entity 5.427)
Subject: getting cross-realm TGTs makes inefficient use of the credentials
 cache
X-RT-Original-Encoding: iso-8859-1
Content-Length: 502

in src/lib/krb5/krb/get_creds.c:begin_get_tgt(), we first check if there is a cached copy of the 
desired foreign TGT.  If not, we fall back to getting the local TGT and walking the full capath 
starting from the local realm, ignoring any cached intermediate TGTs if the capath is nontrivial.

Since the windows LSA cache denies access to the session key for cross-realm TGTs as well as 
local TGTs, fixing this issue is unlikely to cause any behavior change, so it remains just a slight 
inefficiency.