HEIMDAL:lib/gssapi/krb5: add GSS_KRB5_CRED_SKIP_TRANSIT_CHECK_X
author Stefan Metzmacher <metze@samba.org>
Fri, 18 Aug 2017 13:33:17 +0000 (15:33 +0200)
committer Stefan Metzmacher <metze@samba.org>
Fri, 9 Feb 2024 17:31:21 +0000 (18:31 +0100)
commit df756b08d22c14a5d9ee9ba103df378244efcd14
tree c35641db6b8d5fe0ab3e2ed1e22f44862d1c82f3
parent a33b808475a1742bf9b2e516aeafa086895b1840
HEIMDAL:lib/gssapi/krb5: add GSS_KRB5_CRED_SKIP_TRANSIT_CHECK_X

This allows KRB5_VERIFY_AP_REQ_SKIP_TRANSITED_CHECK (on the acceptor)
to be controlled via the gssapi layer.

Members of Active Directory domains should just rely on their
KDCs (domain controllers) to do SID-Filtering (and name checking)
on trust boundaries. I have verified this with a modified Samba KDC
and a Windows 2012R2 DC. The Windows DC rejects invalid cross-realm tickets
with KRB5KDC_ERR_POLICY, before generating a new (service or referral)
ticket. So any service ticket is already policy checked by the KDC
even if this does not result in setting the transited_policy_checked flag in the ticket.

This means an accepting service can tell gss_accept_sec_context()
to skip any transited checking, as the trust topology is only
fully known to the KDC anyway.

The detailed background for this can be found in the bug report
and the mailing list:
https://lists.samba.org/archive/samba-technical/2019-September/thread.html#134285
https://lists.samba.org/archive/samba-technical/2019-November/thread.html#134553
http://mailman.mit.edu/pipermail/krbdev/ should also have references.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12907

Signed-off-by: Stefan Metzmacher <metze@samba.org>
third_party/heimdal/lib/gssapi/gssapi/gssapi_oid.h
third_party/heimdal/lib/gssapi/krb5/accept_sec_context.c
third_party/heimdal/lib/gssapi/krb5/gsskrb5_locl.h
third_party/heimdal/lib/gssapi/krb5/set_cred_option.c
third_party/heimdal/lib/gssapi/mech/gss_oid.c
third_party/heimdal/lib/gssapi/version-script.map