krb5_get_cred_via_tkt() explicitly checks that the requested server
principal name is identical to the returned server principal name. This
prevents the cross-realm KDC referral logic in get_cred_from_kdc() from
working. There should be a way to relax this check, perhaps
substituting a check that the cleartext and encrypted server principal
names are identical.
principal name is identical to the returned server principal name. This
prevents the cross-realm KDC referral logic in get_cred_from_kdc() from
working. There should be a way to relax this check, perhaps
substituting a check that the cleartext and encrypted server principal
names are identical.