[krbdev.mit.edu #7356] GSSAPI constrained delegation fails with default initiator cred

Greg Hudson via RT rt-comment at krbdev.mit.edu
Tue Sep 11 02:14:07 EDT 2012


An application performs GSSAPI constrained delegation by acquiring a 
GSS_C_BOTH credential, using it as the acceptor_cred_handle for 
gss_accept_sec_context, then using the resulting delegated_cred_handle 
with gss_init_sec_context.

This process works if the acceptor credential has resolved its ccache 
(which results if the credential was acquired with a specified name, for 
instance).  But if that hasn't happened yet, kg_compose_deleg_cred() 
rejects the acceptor credential as an impersonator_cred because 
kg_is_initiator_cred() returns false.

Something in the code path needs to resolve the initiator half of the 
verifier cred.  The simplest fix is to make kg_accept_krb5() use 
kg_cred_resolve() instead of krb5_gss_validate_cred().  That fix would 
cause ccache resolution to happen in cases where it isn't required (the 
caller might not have asked for a delegated credential, or the client 
might not have supplied a forwardable ticket), but that's probably okay.
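
The failure and the proposed fix, as an added example that is not part of the original report and is not MIT krb5 source. It is a simplified model: the struct, the `model_*` functions and the ccache name are hypothetical stand-ins for the functions the report names.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model of the report; every name here is a hypothetical stand-in. */
enum cred_usage { USE_INITIATE, USE_ACCEPT, USE_BOTH };

struct model_cred {
    enum cred_usage usage;
    const char *ccache;         /* initiator half; NULL until resolved */
    const char *default_ccache; /* what lazy resolution would find (constructed) */
};

/* Models kg_is_initiator_cred(): false while the ccache is unresolved. */
static bool model_is_initiator(const struct model_cred *c) {
    return (c->usage == USE_INITIATE || c->usage == USE_BOTH) && c->ccache != NULL;
}

/* Models krb5_gss_validate_cred(): checks the handle, resolves nothing. */
static bool model_validate(const struct model_cred *c) { return c != NULL; }

/* Models kg_cred_resolve(): also resolves the initiator half if still pending. */
static bool model_resolve(struct model_cred *c) {
    if (c == NULL) return false;
    if (c->usage != USE_ACCEPT && c->ccache == NULL)
        c->ccache = c->default_ccache;
    return true;
}

/* Models the accept path; use_resolve selects the fix proposed in the report.
 * Returns true when the verifier cred is accepted as an impersonator cred. */
bool model_accept(struct model_cred *verifier, bool use_resolve) {
    if (!(use_resolve ? model_resolve(verifier) : model_validate(verifier)))
        return false;
    return model_is_initiator(verifier); /* the kg_compose_deleg_cred() check */
}

/* GSS_C_BOTH cred acquired without a name: ccache not yet resolved. */
struct model_cred model_default_cred(void) {
    struct model_cred c = { USE_BOTH, NULL, "FILE:/tmp/krb5cc_constructed" };
    return c;
}

int main(void) {
    struct model_cred a = model_default_cred(), b = model_default_cred();
    printf("validate only: %d\n", model_accept(&a, false));
    printf("resolve first: %d\n", model_accept(&b, true));
    return 0;
}
```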


