Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.411 (Entity 5.404) X-RT-Original-Encoding: iso-8859-1 Content-Length: 365 krb5_get_cred_via_tkt() explicitly checks that the requested server principal name is identical to the returned server principal name. This prevents the cross-realm KDC referral logic in get_cred_from_kdc() from working. There should be a way to relax this check, perhaps substituting a check that the cleartext and encrypted server principal names are identical.