[krbdev.mit.edu #8574] Client keytab does not refresh tickets in gss_init_sec_context()

Greg Hudson via RT rt-comment at krbdev.mit.edu
Thu Apr 13 11:28:59 EDT 2017


The GSS krb5 client keytab facility has logic to refresh a ticket 
cache after it is halfway to expired.  This logic only applies at 
gss_acquire_cred() time, not at gss_init_sec_context() time.  
Therefore, if an application acquires a credential and uses it for 
gss_init_sec_context() calls across a long period of time, the 
credential will eventually expire and we will not refresh it.

A workaround is for the application to pass GSS_C_NO_CREDENTIAL to 
gss_init_sec_context() (so that a default credential is implicitly 
acquired each time), or acquire a credential each time.

Whether this is a bug is arguable.  In the GSSAPI model, an 
application isn't supposed to expect a credential to last forever, and 
in fact there are facilities to query the credential lifetime.  But in 
our mechanism, there is also no guarantee that the lifetime remains 
constant (as another application could refresh the ccache), so there 
is no real reason why we shouldn't do better.

(This issue is related to but separate from #7976, where the refresh 
logic does not apply if the credential cache was manually populated.)
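An added example, not the report's or krb5's own code: an application-side wrapper in C that applies the halfway-to-expiry rule described above before each gss_init_sec_context() call, re-acquiring through an application-supplied callback (a hypothetical stand-in for gss_acquire_cred(); the demo routine and its 10-hour lifetime are constructed).

```c
#include <stdbool.h>
#include <time.h>

/* Added example (not krb5 code): re-acquire a credential once it is halfway
 * to expiry, so a handle reused across many gss_init_sec_context() calls
 * cannot silently expire.  The callback stands in for gss_acquire_cred() and
 * returns the new absolute expiry (0 meaning an indefinite lifetime). */
typedef time_t (*refresh_fn)(void *app_state);

struct tracked_cred {
    time_t acquired;     /* when the current credential was obtained */
    time_t expires;      /* absolute expiry, 0 = indefinite */
    refresh_fn refresh;  /* application-supplied re-acquisition */
    void *app_state;
    unsigned refreshes;  /* number of re-acquisitions so far */
};

/* Halfway rule from the report: refresh once at least half the lifetime has
 * elapsed, or at once if the credential has already expired. */
bool cred_needs_refresh(const struct tracked_cred *c, time_t now) {
    if (c->expires == 0)
        return false;
    if (now >= c->expires)
        return true;
    return now >= c->acquired + (c->expires - c->acquired) / 2;
}

/* Call before each gss_init_sec_context(); returns true if a refresh ran. */
bool cred_prepare_for_init(struct tracked_cred *c, time_t now) {
    if (!cred_needs_refresh(c, now))
        return false;
    c->expires = c->refresh(c->app_state);
    c->acquired = now;
    c->refreshes++;
    return true;
}

/* Constructed stand-in for gss_acquire_cred(): a fresh 10-hour credential. */
static time_t demo_refresh(void *s) { return *(time_t *)s + 10 * 3600; }

/* Simulate one context-establishment call per hour for 30 hours and report
 * how many times the credential had to be re-acquired (expected: 6). */
unsigned demo_long_running(void) {
    time_t now = 1000000;
    struct tracked_cred c = { now, now + 10 * 3600, demo_refresh, &now, 0 };
    for (int h = 0; h < 30; h++) {
        now += 3600;
        cred_prepare_for_init(&c, now);
    }
    return c.refreshes;
}
```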
