Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.427 (Entity 5.427) RT-Send-CC: X-RT-Original-Encoding: iso-8859-1 Content-Length: 733 This is a known problem, although I don't seem to have created a ticket for it. It's a pretty serious impediment to using anonymous tickets, which is unfortunate. Basically, you can contact a target service if its realm is known and is the same as the realm where the client got anonymous tickets; if the service realm is unknown or is a foreign realm, get_creds tries to start with a TGT for WELLKNOWN:ANONYMOUS and fails. An outline of the solution is at http://k5wiki.kerberos.org/wiki/Projects/StartRealmCCconfig, but we haven't implemented it yet. A possible workaround for local-realm use is to configure a [domain_realm] on the client so that it doesn't try to use the referral realm for host-based service names.