I believe there might be a marginally useful meaning to
KRB5_TC_OPENCLOSE: get a ccache handle, unset this flag, unlink(2) the
file, and now you can keep using that ccache even if the underlying
file cannot be opened.
I don't think that is _actually_ useful, but maybe someone actually
depends on that? I doubt it, but I'd be curious to know if anyone
Mind you, that semantic can be preserved easily enough while still the
thread-safety issues w.r.t. KRB5_TC_OPENCLOSE: just use dup(2) or
similar in krb5_fcc_start_seq() if there's an open fd in the ccache
handle (else open(2) the file), store that fd in the cursor, and use
that while iterating creds in krb5_fcc_next_cred().