Change krb5_get_credentials() endtime behavior

Change krb5_get_credentials() endtime behavior

Historically, krb5_get_credentials() uses in_creds->times.endtime both
as the TGS request endtime and as a cache lookup criterion.  These
uses are in conflict; setting a TGS request endtime can only serve to
limit the maximum lifetime of the issued ticket, while a cache lookup
endtime restricts the minimum lifetime of an acceptable cached ticket.
The likely outcome is to never use a cached ticket, leading to poor
performance as we add an entry to the cache for each request.

Change to the Heimdal behavior of using in_creds->times.endtime only
as the TGS request endtime.

ticket: 9132 (new)