Title: #438: krb5_child: Distinguish between expired & disabled AD user
Since there is the workaround with a shell wrapper, I agree that it is
currently not needed to add an option to switch between the two modes. But I wonder if we
might want to enable it for IPA? There is no need to enable it globally for IPA. In
create_send_buffer() there is already some special handling for
K5C_IPA_CLIENT and K5C_IPA_SERVER. Additionally kr->upn_from_different_realm can be
used to check if the principal is from a different realm. What do you think?
Maybe I do not have a strong opinion here.
Btw, a small rebase is needed as well.
Thank you, rebased.
See the full comment at https://github.com/SSSD/sssd/pull/438#issuecomment-363134069