Automatic cross realm tickets based on (cross)forest/domain routing table e.g. for cifs/dc.otherdomain.com@MYDOMAIN.COM should only be done based on the msDS-TrustForestTrustInfo values. Without msDS-TrustForestTrustInfo or for external trusts the KDC should return PRINCIPAL_UNKNOWN. The client can still explicitly ask for the cross-realm TGT, e.g. krbtgt/OTHERDOMAIN.COM@MYDOMAIN.COM. Windows clients seem to use the trust information they got from netr_LogonGetDomainInfo if and how they should construct a possible initial target principal name. This also effects our client side code, I'll open a separate bug for that.