Deadlock when referral received for a realm in the CCACHE

[jake-scott]

When using a credential cache, the client pre-populates the session list with the entries in the cache. Of course these do not have associated auto-renew goroutines.

When trying to obtain a service ticket, it is possible to receive a referral for a realm that we stashed from the credentials cache. This results in sessions.update() hanging on i.cancel <- true because there is no associated goroutine reading the channel.

This happens if I log-in to a non-default realm (and so have a TGT in my ccache) and then ask for a ticket for a host that doesn't match a domain in domain-realms. The client uses the default realm and gets a referral back to the realm I logged into and then the code hangs.

[jake-scott]

I found the cause of this, actually two causes. First, I don't think it is right to make a TGS request to the default realm - the MIT library doesn't do that at least (see krb5_tkt_creds_init in lib/krb5/krb/get_creds.c). Fixing this to use the client's realm makes this problem go away. But in some weird configurations it would still be possible to deadlock .. so the fix for that is to not try to signal a goroutine to stop if there is no channel (and hense no goroutine).

Just submitted a PR.