Let the coda-principal, allowing users to acces servers in a specified 
  CODA.REALM, be coda/<CODA.REALM>.

For kerberos realm, I'd say in KRB.REALM obtained by using the normal
kerberos config mechanisms to find the KRB.REALM which corresponds to
the 'host' CODA.REALM.   I don't see that contacting coda servers is
really any different than any other service.   There may be a
requirement that all servers have to be in the same realm, or not.
But I think here we are talking about auth2, not kerberos, and there
tend to be fewer of those servers.

-- 
        Greg Troxel <gdt_at_ir.bbn.com>