Description of problem:
When setting up krb5_map_user, I'd like to optionally set an additional constraint - the kerberos principal which maps to the UNIX username must be present in .k5login.

I'd expect this setting to be optional and off by default.

Version-Release number of selected component (if applicable): sssd 1.13.0

How reproducible: New feature request

Steps to Reproduce:
1. create user account example on myhostname
2. echo 'someuser@EXAMPLE.COM' > ~example/.k5login
3. configure sssd setting krb5_map_user = example:otheruser
4. enable ssh login with kerberos authentication
5. kinit someuser@EXAMPLE.COM
6. ssh example@myhostname
7. login via GDM into an X session as example on myhostname with password of otheruser
8. kinit otheruser@EXAMPLE.COM
9. ssh example@myhostname
10. user is prompted for password

Access is denied for otheruser's kerberos ticket, but not for password.

Actual results:
Authentication occurring over ssh via $HOME/.k5login has no method to ensure consistency with krb5_map_user.
Sys Admin ends up with odd questions from users which are somewhat difficult to debug.

Expected results:
Ultimately, I'm trying to ensure that the mapping put into place by root can be specifically disabled by the end user.

Additional info:

man sssd-krb5 (sssd v.1.13.0):
krb5_map_user (string)

    The list of mappings is given as a comma-separated list of pairs “username:primary” where “username” is a UNIX user name and “primary” is a user part of a kerberos principal. This mapping is used when user is authenticating using “auth_provider = krb5”.

    example:

    krb5_realm = REALM
    krb5_map_user = joe:juser,dick:richard

    “joe” and “dick” are UNIX user names and “juser” and “richard” are primaries of kerberos principals. For user “joe” resp. “dick” SSSD will try to kinit as “juser@REALM” resp. “richard@REALM”.