Work around kernel keyring inaccessibility
On EL7, Kerberos uses the kernel keyring, which is not available without tweaking the docker seccomp options (see https://docs.docker.com/engine/security/seccomp/).
As a workaround, set the environment variable
KRB5CCNAME="FILE:/tmp/tgt"
as suggested by
https://blog.tomecek.net/post/kerberos-in-a-container/.