issue with preauth processing

Sam Hartman hartmans at MIT.EDU
Fri Oct 23 16:48:58 EDT 2009


The preauth framework strongly encourages implementations to take
optimistic pre-auth as a hint.
If you try some pre-auth and get a PREAUTH_REQUIRED or PREAUTH_FAILED error, then you should take that as the KDC requesting you start over.
Now, if that second round fails, you should probably give up.

Basically, the question is whether we take that gic option call as an
optimization or security constraint.  Most people who have used it in
the past have been looking for an optimization.
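
The two readings of the optimistic-preauth option raised in the message above, as an added example that is not part of the original message and is not MIT krb5 code. The mock KDC, the `PA_*` type ids, the policy names and `get_init_creds` are hypothetical, and the "constraint" behaviour (stop after the first error) is an assumed interpretation.

```c
#include <stdio.h>

/* Constructed preauth type ids for this demo (not real PA-DATA numbers). */
enum { PA_NONE = 0, PA_STRONG = 1, PA_WEAK = 2 };
enum kdc_err { KDC_OK, PREAUTH_REQUIRED, PREAUTH_FAILED };
enum policy { OPTIMISTIC_IS_HINT, OPTIMISTIC_IS_CONSTRAINT };
struct result { int got_ticket; int pa_used; int rounds; };
/* Hypothetical mock KDC: accepts one preauth type and advertises it in
 * every error, standing in for the method-data of a real KDC error. */
struct mock_kdc { int accepts; int key_ok; };

static enum kdc_err kdc_as_req(const struct mock_kdc *k, int pa, int *advertised)
{
    *advertised = k->accepts;
    if (pa != k->accepts)
        return pa == PA_NONE ? PREAUTH_REQUIRED : PREAUTH_FAILED;
    return k->key_ok ? KDC_OK : PREAUTH_FAILED;
}

struct result get_init_creds(const struct mock_kdc *k, int optimistic_pa,
                             enum policy p)
{
    struct result r = { 0, optimistic_pa, 1 };
    int advertised;
    /* Round 1: send the caller-selected preauth without asking the KDC. */
    if (kdc_as_req(k, optimistic_pa, &advertised) == KDC_OK) {
        r.got_ticket = 1;
        return r;
    }
    /* Constraint reading: the caller's choice is binding, so stop here. */
    if (p == OPTIMISTIC_IS_CONSTRAINT)
        return r;
    /* Hint reading: the error means "start over" with what the KDC wants. */
    r.rounds = 2;
    r.pa_used = advertised;
    if (kdc_as_req(k, advertised, &advertised) == KDC_OK)
        r.got_ticket = 1;
    return r; /* a failed second round is final: no third attempt */
}

int main(void)
{
    struct mock_kdc k = { PA_WEAK, 1 };
    struct result h = get_init_creds(&k, PA_STRONG, OPTIMISTIC_IS_HINT);
    struct result c = get_init_creds(&k, PA_STRONG, OPTIMISTIC_IS_CONSTRAINT);
    printf("hint: ticket=%d pa=%d rounds=%d\n", h.got_ticket, h.pa_used, h.rounds);
    printf("constraint: ticket=%d pa=%d rounds=%d\n", c.got_ticket, c.pa_used, c.rounds);
    return 0;
}
```

Against a KDC that only accepts `PA_WEAK`, the hint reading obtains a ticket with a type the caller did not ask for, while the constraint reading fails after one round.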


