create krb5 context without config files

Nico Williams nico at cryptonector.com
Thu Jun 12 21:36:14 EDT 2014


It would be nice if the libraries could work with zero configuration.
It should be doable.

KDCs can be found via DNS.

[capaths] is mostly not needed on client sides, and if the KDC sets
the transit-policy-checked bit on tickets then it's also not needed on
servers (or if hierarchical transit paths are used).  (Obviously
servers can't be entirely zero-conf: they need keytabs, or TGTs for
user-to-user, but still, not needing a krb5.conf is nice.)

Default realm is only needed in some cases.  It should either be
derived from the host's domainname, from the default ccache's default
principal's realm or left unset.

If a user kinits without a realm name then kinit should either fail in
zero-conf mode or it should insist on DNSSEC for discovery of a
default realm or it should trust the host's fqdn or it should ask the
user to confirm the realm.

Zero-conf aname2lname is a bit of an oxymoron, so zero-conf -> no
aname2lname, IMO.

Zero-conf / minimal-conf Kerberos is clearly feasible, and there's
value in it.  IMO it should be done.  (The Solaris Kerberos team put
some effort into it, BTW.)

Nico
--
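Added example (not code from the post's author or from the krb5 project) sketching the zero-conf discovery the post describes: derive candidate realms from the host's FQDN, find KDCs via _kerberos._udp SRV records, order them RFC 2782-style, and refuse DNS answers that were not DNSSEC-authenticated when running in zero-conf mode. The DNS records, hostnames and the "authenticated" flag are constructed inline so it runs offline; a real client would issue the queries and read the AD bit from the resolver.

```python
import random
from typing import Dict, List, NamedTuple, Optional, Tuple

class SRV(NamedTuple):
    priority: int
    weight: int
    port: int
    target: str

# Constructed zone data: name -> (dnssec_authenticated, SRV records).
# _kerberos._udp.<realm> is the standard KDC discovery name; the unsigned
# zone is included to show the DNSSEC check rejecting it in zero-conf mode.
FAKE_DNS: Dict[str, Tuple[bool, List[SRV]]] = {
    "_kerberos._udp.example.com.": (True, [
        SRV(0, 50, 88, "kdc1.example.com."),
        SRV(0, 50, 88, "kdc2.example.com."),
        SRV(10, 0, 88, "kdc-backup.example.com."),
    ]),
    "_kerberos._udp.unsigned.test.": (False, [SRV(0, 0, 88, "kdc.unsigned.test.")]),
}

def candidate_realms(fqdn: str) -> List[str]:
    """ws1.lab.example.com -> ['LAB.EXAMPLE.COM', 'EXAMPLE.COM'] (never the bare TLD)."""
    labels = fqdn.rstrip(".").split(".")[1:]
    return [".".join(labels[i:]).upper() for i in range(len(labels) - 1)]

def order_kdcs(records: List[SRV], rng: Optional[random.Random] = None) -> List[str]:
    """RFC 2782 ordering: lowest priority first; weighted random within a priority."""
    rng = rng or random.Random()
    out: List[str] = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        while group:
            pick, acc = rng.randint(0, sum(r.weight for r in group)), 0
            for r in group:
                acc += r.weight
                if acc >= pick:
                    break
            out.append(f"{r.target.rstrip('.')}:{r.port}")
            group.remove(r)
    return out

def discover(fqdn: str, require_dnssec: bool = True, dns=FAKE_DNS) -> Optional[Tuple[str, List[str]]]:
    """Return (realm, ordered KDCs) for the nearest parent domain advertising KDCs.
    With require_dnssec (zero-conf mode) an unauthenticated answer is ignored."""
    for realm in candidate_realms(fqdn):
        found = dns.get(f"_kerberos._udp.{realm.lower()}.")
        if found is None or (require_dnssec and not found[0]):
            continue
        return realm, order_kdcs(found[1])
    return None
```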


More information about the krbdev mailing list