Add GSSAPI/Kerberos authentication via Negotiate

Add GSSAPI/Kerberos authentication via Negotiate

When the service name is set via the servicename config option and
pykerberos is installed allow authentication via the negotiate header.

Since this is not using basic auth and its on top of all other
authenciation schemes its not implemented as an acl module. This will
also allow us to make the whole negotiate auth be connection based in
the future.

The current code results in the user being "user@REALM" so in case of
using "acl.personal=True" the directories need to be name like this as
well so we want to add a user to principal mapping at one point.

This has been succesfully tested with iceowl.