Set credential options properly to verify expired passwords

When verifying that an expired password can still be used to get
kadmin/changepw credentials, correctly set the credential options for
getting password change credentials, not for getting initial
credentials. This should fix password change issues when, for
example, krb5.conf requests that all tickets be proxiable but
kadmin/changepw doesn't allow proxiable credentials. Thanks to
Florian Best for the bug report.
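
An administrator-side check for the condition described above, as an added example that is not part of this commit or the project's code: it scans krb5.conf text for ticket-flag defaults that are set to true and would be carried into a kadmin/changepw request if initial-credential options were reused. It goes beyond the proxiable case by also checking forwardable, and the sample configuration, the `exampleapp` subsection and the function name are constructed for illustration.

```python
import re

# Boolean spellings that MIT krb5's profile parser treats as true.
TRUE_VALUES = {"y", "yes", "true", "t", "1", "on"}
# "proxiable" is the flag named in the commit message; "forwardable" is an
# added assumption about another default a password-change request should drop.
FLAG_KEYS = ("proxiable", "forwardable")
SECTIONS = ("libdefaults", "appdefaults")

# Constructed sample configuration (not taken from any real site).
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = EXAMPLE.ORG
    proxiable = true      
    forwardable = no
[appdefaults]
    exampleapp = {
        forwardable = yes
    }
[realms]
    EXAMPLE.ORG = {
        kdc = kdc.example.org
    }
"""


def inherited_ticket_flags(conf_text):
    """Return sorted (section path, key) pairs for flags that are enabled."""
    hits = set()
    section, stack = None, []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:                           # new top-level section
            section, stack = header.group(1), []
            continue
        if line == "}":                      # end of a nested subsection
            if stack:
                stack.pop()
            continue
        key, sep, value = (p.strip() for p in line.partition("="))
        if not sep:
            continue
        if value == "{":                     # start of a nested subsection
            stack.append(key)
            continue
        if section in SECTIONS and key in FLAG_KEYS and value.lower() in TRUE_VALUES:
            hits.add(("/".join([section] + stack), key))
    return sorted(hits)
```

Any pair it returns is a default that code requesting kadmin/changepw credentials has to override explicitly; whether the KDC actually refuses the flag depends on that principal's attributes.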