Hi,
after some discussion with Greg Hudson I realized that AD does not
canonicalize enterprise principals by default, as a MIT KDC does, but
explicitly needs the canonicalize flag to be set. With this fix the ugly
user\@SOME.REALM(a)OTHER.REALM principals in the credential cache should
go away.
bye,
Sumit