krb5_child: fix permissions during SC auth
For PKINIT we might need access to the pcscd socket which by default is
only allowed for authenticated users. Since PKINIT is part of the
authentication and the user is not authenticated yet, we have to use
different privileges and can only drop it only after the TGT is
received. The fast_uid and fast_gid are the IDs the backend is running
with. This can be either root or the 'sssd' user. Root is allowed by
default and the 'sssd' user is allowed with the help of the
sssd-pcsc.rules policy-kit rule. So those IDs are a suitable choice. We
can only call switch_creds() because after the TGT is returned we have
to switch to the IDs of the user to store the TGT.
The final change to the IDs of the user is not only important for KCM
type credential caches but for file based ccache types like FILE or DIR
as well.
Related to https://pagure.io/SSSD/sssd/issue/3903
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>