krb5_get_init_creds() should not allow ticket requests where the renew_until time is less 
than the ticket expiration time.  This can easily happen if the user has a default
renew_lifetime in libdefaults.  

For example, if the user's renew_lifetime is set to 7 days in libdefaults and then the user runs 
"kinit -l 10d", then krb5_get_init_creds() will end up with a renew_until time less than the 
ticket expiration time without explicitly doing anything stupid.  

I believe a correct way to fix this is to add a check so that if this case happens, 
krb5_get_init_creds() sets the renew_until time to the larger lifetime.  Ie:

        if (request.rtime < request.till) {
            request.rtime = request.till;
        }