In the previous comment, I meant to say S4U2Proxy, not S4U2Self.  This wrinkle cannot be ironed out, because krb5_get_credentials() can only see the evidence ticket, not the  client name within, so it cannot check the cache.