kdc: APPLE disable enable-pkinit by default as documented

commit 4d48b172ab ("add pkinit
configration for btmm") introduced automatic configuration of
the 'pkinit_kdc_identity' and 'pkinit_kdc_friendly_name' on macOS
but also modified the default for the 'enable_pkinit' setting
such that pkinit is enabled on all __APPLE__ platforms overriding
the [kdc] enable-pkinit setting obtained from the configuration.

This change modifies the enable-pkinit behavior on __APPLE__ platforms
to match those on every other platform.  __APPLE__ platforms will
continue to auto-configure the [kdc] pkinit_identity and
[kdc] pkinit_anchors if they are not specified in the configuration.

kdc/default_config.c

@@ -413,9 +413,8 @@ KDC_LIB_FUNCTION krb5_error_code KDC_LIB_CALL
 krb5_kdc_pkinit_config(krb5_context context, krb5_kdc_configuration *config)
 {
 #ifdef PKINIT
+    if (config->enable_pkinit) {
 #ifdef __APPLE__
-    config->enable_pkinit = 1;
-
 	if (config->pkinit_kdc_identity == NULL) {
 	    if (config->pkinit_kdc_friendly_name == NULL)
 		config->pkinit_kdc_friendly_name =
@@ -424,10 +423,8 @@ krb5_kdc_pkinit_config(krb5_context context, krb5_kdc_configuration *config)
 	}
 	if (config->pkinit_kdc_anchors == NULL)
 	    config->pkinit_kdc_anchors = strdup("KEYCHAIN:");
-
 #endif /* __APPLE__ */
 
-    if (config->enable_pkinit) {
 	if (config->pkinit_kdc_identity == NULL)
 	    krb5_errx(context, 1, "pkinit enabled but no identity");