11435b1 krb5: do not cache ccache or password during preauth

1 file | Authored by sbose 4 years ago, committed by pbrezina 4 years ago
    krb5: do not cache ccache or password during preauth
    
    The PAM preauth step is mainly used to determine which authentication
    methods (single factor, two factor, Smartcard) are available for the
    user. It does not make sense to try to store the password hash or the
    credential cache at this step because this information is not available
    or not accurate at this step.
    
    It might even cause issues if the credential cache name contains a random
    component. This is typically used for file based credential caches
    stored in the /tmp directory to avoid attacks that pre-create the file
    since the name is known. Since the credential cache name still contains
    the template for the random component 'XXXXXX', updating the credential
    cache name in the cache during preauth destroys the information about
    the currently used credential cache and upcoming authentications will
    create a new one.
    
    This causes issues with screen-savers or screen-lock where every
    unlocking creates a new credential cache file and does not update the
    existing one as expected. Another case is if a user logs in
    multiple times to the same host, e.g. with ssh. Here it is expected as
    well that the first session will create a new credential cache file
    while all additional sessions will reuse it and only update the TGT in
    the existing credential.
    
    Resolves: https://github.com/SSSD/sssd/issues/5160
    
    Reviewed-by: Alexey Tikhonov <atikhonov@redhat.com>
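The failure mode described in the commit message, as an added illustration that is not SSSD's code: a per-user cache entry that ends up holding the unexpanded `XXXXXX` template instead of the concrete file name makes every later authentication mint a fresh credential cache, while a concrete name is reused. The names `create_ccache`, `run_session` and `simulate`, the single-entry `user_cache` dict and the template `krb5cc_1000_XXXXXX` are assumptions made for this example; the file is created with `O_CREAT|O_EXCL` so that a pre-created file at a guessed name causes the open to fail rather than being silently reused.

```python
import os
import secrets
import shutil
import string
import tempfile

TEMPLATE_MARK = "XXXXXX"  # random component still present in the stored name
_ALPHABET = string.ascii_letters + string.digits


def has_random_component(ccname: str) -> bool:
    """True if the ccache name still carries the unexpanded XXXXXX template."""
    return TEMPLATE_MARK in ccname


def create_ccache(ccname_template: str) -> str:
    """Expand the XXXXXX template with a random suffix and create the file.

    O_CREAT|O_EXCL makes creation atomic: if someone pre-created a file at the
    guessed name, open() fails and a different suffix is tried instead of the
    attacker-controlled file being reused.
    """
    if not has_random_component(ccname_template):
        raise ValueError("template must contain %s" % TEMPLATE_MARK)
    for _ in range(100):
        suffix = "".join(secrets.choice(_ALPHABET) for _ in range(6))
        path = ccname_template.replace(TEMPLATE_MARK, suffix)
        try:
            fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        except FileExistsError:
            continue  # name collision (or pre-created file): pick another
        os.close(fd)
        return path
    raise RuntimeError("could not create a unique credential cache")


def run_session(user_cache: dict, ccname_template: str, fixed: bool) -> str:
    """One login: a preauth step followed by the real authentication.

    user_cache is a constructed stand-in for the per-user cache entry.
    Without the fix, preauth writes the template (the only thing it knows)
    into the cache, overwriting the concrete name of the ccache in use.
    """
    if not fixed:
        user_cache["ccname"] = ccname_template  # buggy: stores 'XXXXXX' template
    stored = user_cache.get("ccname")
    if stored and not has_random_component(stored) and os.path.exists(stored):
        return stored  # reuse the existing ccache, only the TGT would be updated
    path = create_ccache(ccname_template)
    user_cache["ccname"] = path  # real auth stores the concrete name
    return path


def simulate(fixed: bool, sessions: int = 3) -> list:
    """Run several logins (e.g. repeated screen unlocks) and return the
    ccache paths each one ended up using. Files live in a throwaway dir."""
    workdir = tempfile.mkdtemp(prefix="ccache_demo_")
    template = os.path.join(workdir, "krb5cc_1000_" + TEMPLATE_MARK)
    user_cache = {}
    try:
        return [run_session(user_cache, template, fixed) for _ in range(sessions)]
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    print("buggy :", len(set(simulate(False))), "distinct ccache files for 3 logins")
    print("fixed :", len(set(simulate(True))), "distinct ccache file for 3 logins")
```

With the template written back during preauth, `simulate(False)` yields three different files for three logins; with preauth leaving the cache alone, `simulate(True)` reuses the single file created by the first login.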