- Type: Bug
- Resolution: Fixed
- Priority: Major - P3
- Affects Version/s: None
- Component/s: None
- None
- Fully Compatible
- ALL
- Security 2020-09-21, Security 2020-10-05, Security 2020-10-19, Security 2020-11-02

mongokerberos makes some incorrect assumptions about how gss_acquire_creds is used. It will only use the client keytab. We sort of "trick" it by asking it to acquire a service credential even though that function is intended for use only by clients. We account for this in our JSTest by overriding the KRB5_CLIENT_KTNAME environment variable with the service's keytab, which works.
We should consider three things when fixing this bug:
1. Is manually overriding (setenv) the KRB5_CLIENT_KTNAME variable a good solution within the tool? The tool does not otherwise need to use this variable.
2. What should we do about older releases of Kerberos that do not support client keytabs?
3. What should we do, if anything, about potential warning/error messages from GSSAPI about client keytabs that may confuse users?