gssproxy: Don't refresh expired delegated credentials
    
    `mod_auth_gssapi` exports delegated credentials into `/run/ipa/ccaches`
    and pass down that path as `KRB5CCNAME` env variable to WSGI worker.
    
    GSSProxy in turn, protects these credentials from direct usage of
    `ipa-api`. But the configuration of `service/ipa-api` (in particular,
    'cred_store = client_keytab:/var/lib/ipa/gssproxy/http.keytab') and
    default GSS name ('=None') dictates to refresh expired credentials
    with the client's keytab overwriting the origin credentials with
    initial credentials of keytab's principal.
    
    Signed-off-by: Stanislav Levin <slev@altlinux.org>
    Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>