> The former is really easy. The user can authenticate with multiple Kerberos
> realms quite easily, just by specifying different ticket caches when using kinit
> (I open a new session and set KRB5CCNAME).
You call that *easy*??
However, IIRC from when I last used Kerberos, you can actually kinit to
multiple realms just fine without setting random environment variables.