The existing implementation of GSS_C_DELEG_POLICY_FLAG does not examine cross-realm tickets leading to the service ticket. Implement Heimdal's solution of stripping ok-as-delegate flags inside get_creds if an intervening cross-realm TGT lacks it.