* Maybe use krb5_aname_to_localname to do principal/login mapping?
* Ensure we're compliant with the PAM docs wrt return values.  It's not the
  RFC, but it's something.
* Add support for account expiration.
