Hello Greg,

> I think my real point is that while finding the krb realm for a given
> domain (e.g. a hostname) is messy, auth2 isn't really all that
> different.  (And we are talking auth2 for now, really, rather than
> kerberos.)

is it not our goal, to find _the_ Kerberos realm for a Coda realm,
there could be several ones, in a perfectly useful setup.

> I agree that if you want different services on a host to be in
> different kerberos realms, that's much messier.  But that's an
> existing kerberos problem, and again not coda specific.

It is not messy to run services communicating with several different realms.
Not at all. Just forget that the host would "belong" to some realm.
Do not ever rely on /etc/krb5.conf, give each application a separate one.
Not messy per se, it is just Kerberos configuration model
and tradition that hinders thinking in the right direction.

> problem is avoided by declaring that they all match.

With other words, "declare that using more than one Kerberos database
is impossible". Even then you would have hard time in some cases
(like collision between a host name and a realm name or lacking
DNS records).

Why import those limitations and problems into Coda?
It would be just [ab]use of a knowingly broken tool.

See you!
--
Ivan