kdc: Don’t update the PAC if we perform Services for User
author Joseph Sutton <josephsutton@catalyst.net.nz>
Mon, 19 Jun 2023 03:16:46 +0000 (15:16 +1200)
committer Joseph Sutton <josephsutton@catalyst.net.nz>
Mon, 9 Oct 2023 23:10:02 +0000 (12:10 +1300)
commit 3234ada968e053489271ed37ea38b2c1b0650603
tree 451624152e0c666db38c05b84475dfc9b13789f7
parent 4ec4390fd22d38fa9ac252bc56361870f1780cd7
kdc: Don’t update the PAC if we perform Services for User

_kdc_validate_protocol_transition() generates an entirely new PAC, and
_kdc_validate_constrained_delegation() performs its own PAC update. The
call to _kdc_pac_update() immediately beforehand thus becomes
superfluous.

Furthermore, the way Windows enforces authentication policies when
Services for User are employed means that we should only call the
plugin’s PAC update function when it is actually necessary, or we may
end up failing with ERR_POLICY errors.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
kdc/krb5tgs.c