frontend: simplify the GSSAPI/FAS login logic
This fixes error 500 for the first login over GSSAPI, with disabled FAS
and LDAP. In such a case we newly set user.openid_groups to an empty set.
Drop the krb5_login table, it was originally meant to provide multiple
Kerberos instances in one Copr (it was meant to map multiple Kerberos
names into one Copr username).
Make the UserAuth.user_object() more self-standing, so it gets or
creates a new user, and sets (when needed) the metadata.
Merges: #2368