krb5: use plain principal if password is expired
Similar as in https://pagure.io/SSSD/sssd/issue/3426 enterprise
principals should be avoided while requesting a kadmin/changepw@REALM
principal for a password change.
Resolves https://pagure.io/SSSD/sssd/issue/3419
Reviewed-by: Fabiano FidĂȘncio <fidencio@redhat.com>