Proposed Behavior change: don't fail when krb5_sname_to_principal cannot canonicalize input

[Tom Yu]

Greg Hudson <ghudson at MIT.EDU> writes:

> I'm not really opposed to this, although one could argue that
> host/foo.searchdomain is a better guess than host/foo in the absence of
> DNS (when foo contains no dots).  But that assumes we can find out the
> search domain (which might be easier than we used to think, but we don't
> have a facility for it at the moment) and begs the question of what
> happens when there are multiple search domains.

Is there any way to securely deal with multiple search domains?