[krbdev.mit.edu #6473] strip ok-as-delegate if not in cross-realm TGT chain

Greg Hudson via RT rt-comment at krbdev.mit.edu
Thu Apr 23 02:24:54 EDT 2009


A snag: our KDC never returns ok-as-delegate on a cross-realm TGT. 
Luke's code in do_tgs_req.c does:

    is_referral = krb5_is_tgs_principal(server.princ) &&
        !krb5_principal_compare(kdc_context, tgs_server, server.princ);
    [...]
    if (isflagset(server.attributes, KRB5_KDB_OK_AS_DELEGATE) &&
        !is_referral) {
        /* Ensure that we are not returning a referral */
        setflag(enc_tkt_reply.flags, TKT_FLG_OK_AS_DELEGATE);
    }

I'll ask Luke why he thought that check was appropriate, I guess.


