gsskrb5: Check dst-TGT policy at store time

Our initiator supports configuration-driven delegation of destination
TGTs.

This commit adds acceptor-side handling of destination TGT policy to
reject storing of non-destination TGTs when destination TGTs are
desired.

Currently we use the same appdefault for this.

Background:

    A root TGT is one of the form krbtgt/REALM@SAME-REALM.

    A destination TGT is a root TGT for the same realm as the acceptor
    service's realm.

    Normally clients delegate a root TGT for the client's realm.

    In some deployments clients may want to delegate destination TGTs as
    a form of constrained delegation: so that the destination service
    cannot use the delegated credential to impersonate the client
    principal to services in its home realm (due to KDC lineage/transit
    checks).  In those deployments there may not even be a route back to
    the KDCs of the client's realm, and attempting to use a
    non-destination TGT might even lead to timeouts.
Nicolas Williams
2020-06-21 16:34:11 -05:00
parent 73e54c4731
commit a684e001ba
9 changed files with 104 additions and 7 deletions


@@ -66,7 +66,7 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_duplicate_cred (
dup = calloc(1, sizeof(*dup));
if (dup == NULL) {
*minor_status = ENOMEM;
*minor_status = krb5_enomem(context);
return (GSS_S_FAILURE);
}
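Review bot: confirm that `context` is in scope at this point in _gsskrb5_duplicate_cred, since the hunk header shows only the function signature and the new line `*minor_status = krb5_enomem(context);` depends on it; the switch away from a bare `ENOMEM` is otherwise consistent with the error path added in the next hunk, and it has the benefit of recording an error message on the context.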
@@ -74,6 +74,14 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_duplicate_cred (
cred = (gsskrb5_cred)input_cred_handle;
HEIMDAL_MUTEX_lock(&cred->cred_id_mutex);
dup->destination_realm = NULL;
if (cred->destination_realm &&
(dup->destination_realm = strdup(cred->destination_realm)) == NULL) {
*minor_status = krb5_enomem(context);
free(dup);
return (GSS_S_FAILURE);
}
dup->usage = cred->usage;
dup->endtime = cred->endtime;
dup->principal = NULL;
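Review bot: the new error path returns while `cred->cred_id_mutex` is still held. `HEIMDAL_MUTEX_lock(&cred->cred_id_mutex);` is taken two lines above the strdup, but the failure branch does `free(dup); return (GSS_S_FAILURE);` with no matching HEIMDAL_MUTEX_unlock, so an allocation failure would leave the source credential locked for every later caller. Suggest unlocking before the return, or moving the strdup of `cred->destination_realm` ahead of the lock so the only thing the locked region does is copy fields.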