I don't like this solution because it incorrectly tracks the behavior where the user changes credentials either in kerberos.app or by running kinit. Why did you reject the proposed solution of getting new default credentials on every call?