In ksu, without the -e flag, also check .k5users

In ksu, without the -e flag, also check .k5users

When ksu was explicitly told to spawn a shell, a line in .k5users which
listed "*" as the allowed command would cause the principal named on the
line to be considered as a candidate for authentication.

When ksu was not passed a command to run, which implicitly meant that
the invoking user wanted to run the target user's login shell, knowledge
that the principal was a valid candidate was ignored, which could cause
a less optimal choice of the default target principal.

This doesn't impact the authorization checks which we perform later.

ticket: 7983 (new)