Review ofhttp://k5wiki.kerberos.org/wiki/Projects/PAC_and_principal_APIs ending January 10

[Sam Hartman]

Luke, even the KDC may not have the same default_realm as the realm it
serves.  First, in various ways KDCs can serve multiple realms.
Secondly, it's nice to share a krb5.conf between a KDC and a client;
I've run into cases where a machine was a KDC in one realm but I want
kinit to default to another.

In the PAC case, is the goal that the principal be short if the client
and server are in the same realm?  You could perhaps clone a context, set the default realm of that context and use unparse_short.