This repository has been archived by the owner on Jan 12, 2018. It is now read-only.

Plugin raises CCacheError error when TGT has expired #23

Open
tiran opened this issue Apr 13, 2017 · 1 comment

Comments

@tiran
Member

tiran commented Apr 13, 2017

It looks like GSSAPI does not auto-refresh a TGT with client keytab when the TGT is expired:

2017-04-13 13:38:12 - custodia                         - Custodia debug logger enabled
2017-04-13 13:38:12 - custodia                         - Custodia audit log: /tmp/audit.log
2017-04-13 13:38:12 - custodia                         - Config file <closed file 'custodia.conf', mode 'r' at 0x7f025fc29660> loaded
2017-04-13 13:38:13 - IPAInterface-[auth:ipa]          - Unable to get principal from GSSAPI. Are you missing a TGT or valid Kerberos keytab?
Traceback (most recent call last):
  File "/tmp/venv/bin/custodia", line 11, in <module>
    sys.exit(main())
  File "/tmp/venv/lib/python2.7/site-packages/custodia/server/__init__.py", line 211, in main
    _load_plugins(config, cfgparser)
  File "/tmp/venv/lib/python2.7/site-packages/custodia/server/__init__.py", line 191, in _load_plugins
    raise RuntimeError(menu, name, e)
RuntimeError: ('authenticators', 'ipa', CCacheError(u'Major (720896): The referenced credential has expired, Minor (100001): Success',))

$ klist
Ticket cache: FILE:/tmp/ccache
Default principal: custodia/client1.ipa.example@IPA.EXAMPLE

Valid starting       Expires              Service principal
2017-04-12 13:07:18  2017-04-13 13:07:18  krbtgt/IPA.EXAMPLE@IPA.EXAMPLE
2017-04-12 13:07:39  2017-04-13 13:07:18  HTTP/master.ipa.example@IPA.EXAMPLE
@tiran
Member Author

tiran commented Apr 13, 2017

The TGT is acquired with ipalib.krb_utils.get_principal() using KRB5_CLIENT_KTNAME. The function calls gssapi.Credentials(usage='initiate', name=None, store=None).
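
As an added example (not code from custodia, ipalib or python-gssapi), the block below decodes the major status printed in the traceback and, when the default ccache holds an expired TGT, retries acquisition with an explicit `client_keytab` cred-store entry instead of the bare `gssapi.Credentials(usage='initiate')` call the issue describes. The `client_keytab` store key and the refresh-on-expiry behaviour are assumed from MIT Kerberos; `decode_major_status`, `is_expired_credential` and `acquire_initiate_creds` are names of my own.

```python
import os

try:
    import gssapi
    from gssapi.exceptions import GSSError
except ImportError:  # the status decoder below still works without python-gssapi
    gssapi = None
    GSSError = Exception

# Routine-error values from RFC 2744 section 3.9.1. They occupy bits 16..23 of
# the major status, which is why 720896 (0xB0000) decodes to routine error 11.
ROUTINE_ERRORS = {
    0: "GSS_S_COMPLETE", 1: "GSS_S_BAD_MECH", 2: "GSS_S_BAD_NAME",
    3: "GSS_S_BAD_NAMETYPE", 4: "GSS_S_BAD_BINDINGS", 5: "GSS_S_BAD_STATUS",
    6: "GSS_S_BAD_SIG", 7: "GSS_S_NO_CRED", 8: "GSS_S_NO_CONTEXT",
    9: "GSS_S_DEFECTIVE_TOKEN", 10: "GSS_S_DEFECTIVE_CREDENTIAL",
    11: "GSS_S_CREDENTIALS_EXPIRED", 12: "GSS_S_CONTEXT_EXPIRED",
    13: "GSS_S_FAILURE", 14: "GSS_S_BAD_QOP", 15: "GSS_S_UNAUTHORIZED",
    16: "GSS_S_UNAVAILABLE", 17: "GSS_S_DUPLICATE_ELEMENT", 18: "GSS_S_NAME_NOT_MN",
}


def decode_major_status(major):
    """Split a GSS major status into (calling error, routine error name, supplementary bits)."""
    calling = (major >> 24) & 0xFF
    routine = (major >> 16) & 0xFF
    supplementary = major & 0xFFFF
    return calling, ROUTINE_ERRORS.get(routine, "UNKNOWN(%d)" % routine), supplementary


def is_expired_credential(err):
    """True when a GSSError (anything with .maj_code) reports GSS_S_CREDENTIALS_EXPIRED."""
    return decode_major_status(err.maj_code)[1] == "GSS_S_CREDENTIALS_EXPIRED"


def acquire_initiate_creds(client_keytab=None):
    """Acquire initiator creds as the issue does; on expiry, re-acquire from the keytab.

    Assumption: MIT Kerberos accepts a 'client_keytab' cred-store entry and uses
    it to obtain a fresh TGT rather than returning the expired ccache entry.
    """
    if gssapi is None:
        raise RuntimeError("python-gssapi is not installed")
    try:
        return gssapi.Credentials(usage="initiate")  # same call as the issue, default ccache
    except GSSError as err:
        if not is_expired_credential(err):
            raise  # anything other than an expired TGT is a real failure
    keytab = client_keytab or os.environ.get("KRB5_CLIENT_KTNAME")
    if not keytab:
        raise RuntimeError("TGT expired and no client keytab available to refresh it")
    return gssapi.Credentials(usage="initiate", store={"client_keytab": keytab})
```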
