
bea400f1 2014-06-07 17:47:33 Timothy Pearson
Fix security hole when Kerberos credential caching is enabled
The prior PAM stack configuration, while unfortunately present in many online examples, allows an arbitrary password to be stored as a cached credential for non-Kerberos users simply by entering it twice
M src/libtdeldap.cpp
diff --git a/src/libtdeldap.cpp b/src/libtdeldap.cpp
index 5309ecb..d051ad2 100644
--- a/src/libtdeldap.cpp
+++ b/src/libtdeldap.cpp
@@ -4087,7 +4087,7 @@
 		stream << "auth sufficient pam_unix.so nullok try_first_pass" << "\n";
 		stream << "auth [default=ignore success=1 service_err=reset] pam_krb5.so ccache=/tmp/krb5cc_%u use_first_pass" << "\n";
 		if (pamConfig.enable_cached_credentials) {
-			stream << "auth [default=bad success=ok] pam_ccreds.so action=validate use_first_pass" << "\n";
+			stream << "auth [default=die success=done] pam_ccreds.so action=validate use_first_pass" << "\n";
 			stream << "auth sufficient pam_ccreds.so action=store use_first_pass" << "\n";
 		}
 		stream << "auth required pam_deny.so" << "\n";
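Review bot: Even with `default=die` on the validate line, the stack still consults the credential cache after the KDC has definitively rejected a password, because the preceding pam_krb5 line maps every non-success result to `ignore`; a user whose Kerberos password was changed or whose account was disabled can keep logging in with the stale cached password until they next authenticate successfully against the KDC. The usual pam_ccreds pattern only falls through to `action=validate` when the KDC cannot be reached, so, assuming pam_krb5 reports that case as authinfo_unavail, the line would read `auth [success=1 authinfo_unavail=ignore service_err=reset default=die] pam_krb5.so ccache=/tmp/krb5cc_%u use_first_pass`, and a definitive rejection then ends the stack instead of reaching the cache. Independently of this change, it is worth confirming that a failing `action=store` (for example an unwritable cache database) cannot deny a user the KDC just accepted, since the `sufficient` control on that line passes a non-success result straight on to `pam_deny.so`. The enclosing function starts before the hunk.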