multiple realm membership

Randy Turner rturner at amalfisystems.com
Thu Feb 16 11:30:52 EST 2006


Hello,

I was wondering if the following use-case for Kerberos is valid:

I have a host that wants to be a member of multiple realms  
simultaneously.

When a host boots, it will obtain TG tickets from all ticket-granting
servers that it is configured to know about, essentially logging in
to all realms for which the host has valid credentials.

This is all that has to be done if the host has no kerberized  
services that it wants to offer. At this point, if there is a client  
application on the host that wants to connect to a remote service in  
one of the realms, it selects the right TGT to use and obtains a  
ticket from the KDC/TGS that is associated with the target realm.

If a host wants to offer kerberized services to potential clients,
these clients could attempt to access the services from any of the
realms for which the host is a member. I'm assuming this means the
host would have to keep <n> keytabs that are sync'd with the KDC from
each realm. Also, if a remote client sends a service ticket
requesting access to a service, the host needs to know what realm
the request is coming from in order to select the right keytab to
decrypt the ticket. Are there unencrypted portions of the ticket
that can be used to find out what realm the request is coming from?

I guess I'm curious if there are precedents for having a host
maintain simultaneous connectivity to multiple realms and hold a
set of username/password credentials for each of these realms.

I'm curious if MIT-Kerberos even supports this type of scenario?

Thanks in advance for any insight into this use case.
Randy
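On the last question: in RFC 4120 a Ticket is [APPLICATION 1] SEQUENCE { tkt-vno, realm, sname, enc-part }, so the realm and the service principal name sit in the clear outside enc-part and a multi-realm host can use them to choose the keytab entry before it decrypts anything. The following is an added illustration, not code from the original post or from MIT Kerberos: a hand-rolled minimal DER encoder/decoder (not a full ASN.1 library) builds a constructed sample ticket, reads back the cleartext routing fields, and looks up a constructed sample keytab keyed by (realm, principal, kvno).

```python
def tlv(tag, body):                       # DER TLV; short form or 0x81/0x82 long-form length
    n = len(body)
    ln = bytes([n]) if n < 0x80 else (b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + ln + body
def kstr(s): return tlv(0x1B, s.encode())      # KerberosString (GeneralString)
def integer(i): return tlv(0x02, bytes([i]))   # small non-negative INTEGER only

def build_ticket(realm, service, host, kvno, cipher):
    """Constructed sample Ticket ::= [APPLICATION 1] SEQUENCE {tkt-vno, realm, sname, enc-part}."""
    sname = tlv(0x30, tlv(0xA0, integer(2)) +                          # name-type NT-SRV-INST
                      tlv(0xA1, tlv(0x30, kstr(service) + kstr(host))))  # name-string
    enc = tlv(0x30, tlv(0xA0, integer(18)) + tlv(0xA1, integer(kvno)) +  # etype, kvno
                    tlv(0xA2, tlv(0x04, cipher)))                          # cipher (opaque)
    body = tlv(0xA0, integer(5)) + tlv(0xA1, kstr(realm)) + tlv(0xA2, sname) + tlv(0xA3, enc)
    return tlv(0x61, tlv(0x30, body))

def read_tlv(buf, pos=0):
    """One TLV at pos -> (tag, value, next_pos); short and 0x81/0x82 long lengths."""
    tag, l, pos = buf[pos], buf[pos + 1], pos + 2
    if l & 0x80:
        n = l & 0x7F
        l, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + l], pos + l

def children(body):                        # direct (tag, value) children of a constructed value
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def ticket_routing_info(ticket):
    """Realm, service principal and kvno from the cleartext fields; enc-part is never touched."""
    tag, body, _ = read_tlv(ticket)
    if tag != 0x61:
        raise ValueError("not a Kerberos Ticket (APPLICATION 1)")
    f = dict(children(read_tlv(body)[1]))  # [0] tkt-vno [1] realm [2] sname [3] enc-part
    realm = read_tlv(f[0xA1])[1].decode()
    sname = dict(children(read_tlv(f[0xA2])[1]))
    names = [v.decode() for _, v in children(read_tlv(sname[0xA1])[1])]
    enc = dict(children(read_tlv(f[0xA3])[1]))
    kvno = int.from_bytes(read_tlv(enc[0xA1])[1], "big") if 0xA1 in enc else None
    return realm, "/".join(names), kvno

# Constructed sample keytab: one key per realm, keyed by (realm, principal, kvno)
KEYTAB = {("EXAMPLE.COM", "host/box.example.com", 3): b"key-example-com",
          ("CORP.LOCAL", "host/box.example.com", 7): b"key-corp-local"}
def select_key(ticket, keytab=KEYTAB):     # pick the service key before any decryption is attempted
    return keytab.get(ticket_routing_info(ticket))
SAMPLE = build_ticket("CORP.LOCAL", "host", "box.example.com", 7, b"\x00" * 16)  # dummy cipher
```

The cleartext fields only narrow the choice of key; the ticket is trusted only once enc-part actually decrypts and validates under that key, so a mismatched or missing keytab entry must still be treated as an authentication failure.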



