security: improve Kerberos w/o Single Sign-On & SSPI
This only affects setups with libkrb5 compiled in. This only affects
accounts where the user has provided user or login name, password,
selected "Kerberos" and not selected "Single Sign-On".
- connecting to the OCS server will trigger the first Kerberos security
context initiation. This will succeed if the user
* has either set up Kerberos Single Sign-On on the system, or
* has already a valid TGT in the Kerberos credential cache from a
previous SIPE run
- if this attempt fails we try to obtain a TGT using the authentication
information provided by the user. Then we'll retry to acquire the
credentials and initialization of the security context.
- if all of this fails then the SIP connection won't succeed, leading to
an account disconnect
- for all further Kerberos security context initiation attempts we are
guaranteed to have a valid TGT, i.e those should succeed and therefore
we won't allow retry for them.
Improvements to sip_sec_krb5_obtain_tgt():
- fixed memory leaks
- don't blindly initialize the users default credential cache. Only do
this if the first attempt to store our TGT into it fails.