* Ensure we're compliant with the PAM docs wrt return values.  It's not the
  RFC, but it's something.
* Make use of krb5_verify_init_creds() contingent on an autoconf check,
  instead of hard-coding our preference of it over the internal validate_tgt()
  function (for older versions of krb5).