r21500: Fix inappropriate creation of a krb5 ticket refreshing event when a user

r21500: Fix inappropriate creation of a krb5 ticket refreshing event when a user
changed a password via pam_chauthtok. Only do this if

a) a user logs on using an expired password (or a password that needs to
be changed immediately) or

b) the user itself changes his password.

Also make sure to delete the in-memory krb5 credential cache (when a
user did not request a FILE based cred cache).

Finally honor the krb5 settings in the first pam authentication in the
chauthtok block (PAM_PRELIM_CHECK). This circumvents confusion when
NTLM samlogon authentication is still possible with the old password after
the password has been already changed (on w2k3 sp1 dcs).

Guenther
(This used to be commit c3005c48cd86bc1dd17fab80da05c2d34071b872)