* krb5_sname_to_principal() allows :port suffixes (used by MSSQLSvc
principals), but the current fallback processing in get_creds.c does not.
* krb5_get_init_creds_keytab() iterates over the keytab to find the available
enctypes so it can put those first in the request, and errors out if it doesn't
find any. This operation does not substitute the default realm for the referral
realm like krb5_kt_get_entry() does.
* krb5_sname_to_principal() looks up the realm (in [domain_realm] or a
hostrealm plugin module) of the first expanded hostname candidate. The current
fallback processing does not repeat this lookup. If qualify_shortname is "",
the lookup is unlikely to succeed for the local hostname or a short hostname.