
Re: Negotiate: crash

From: Anatoli Tubman <anatolit_at_checkpoint.com>
Date: Wed, 27 Feb 2008 16:55:36 +0200

OK I think I have figured this out.

There are two problems (at least) regarding Kerberos authentication,
when more than one request is made within the same connection.

1. The first problem is the crash that results from incomplete
   clean-up of the negotiation state.
2. After this is fixed, the second problem pops out: libcurl
   reuses the authentication header from the first request. This
   is because the allocptr.userpwd is not cleaned up between the
   first request and the second.
3. The second problem went unnoticed because of the bug (?) in
   mod_auth_kerb, which is susceptible to replay attacks. I didn't
   have another web server with Kerberos support to test against.
4. But now I have IIS, and it turns out that IIS detects the replay and
   returns 401 for the second request.

It follows that my second attempt to patch libcurl was completely wrong.
The authentication token should never be reused, and the negotiation
state should be cleaned up after each request. In addition,
allocptr.userpwd should be cleaned after each request too. As far as I
can tell it doesn't hurt other authentication methods, because their
handlers clean up this field anyway.

So there's a minimal patch of the two files that works for me. Please
feel free to criticise.

Best regards

-- 
anatoli tubman

  • text/plain attachment: patch
Received on 2008-02-27
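The failure mode the mail describes, as an added illustration that is not code from the mail or from libcurl: a toy per-connection state (a negotiate context plus a cached `userpwd` header, standing in for `allocptr.userpwd`) and a toy server that keeps a replay cache of the tokens it has already accepted, the way the mail says IIS behaves. Without per-request cleanup the second request on the same connection resends the first token and gets 401; with cleanup a fresh token is generated and accepted. The struct and function names, the `tok-N` token format and the sequence counter are all constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_SEEN 16

/* Constructed model of the client's negotiation state (hypothetical names). */
struct negotiate_state {
    int context_open;      /* security context still alive from last request */
    unsigned token_seq;    /* stands in for the GSSAPI output token */
};

struct conn {
    struct negotiate_state neg;
    char *userpwd;         /* cached "Authorization:" header, like allocptr.userpwd */
};

/* Constructed model of a server with a replay cache of accepted tokens. */
struct server {
    unsigned seen[MAX_SEEN];
    size_t nseen;
};

static unsigned next_token = 1000;  /* constructed token counter, never repeats */

/* Client side: a fresh token is only produced when no header is cached,
 * which is exactly why a stale cached header causes reuse. */
static const char *build_request_header(struct conn *c)
{
    if (c->userpwd == NULL) {
        c->neg.context_open = 1;
        c->neg.token_seq = next_token++;
        c->userpwd = malloc(64);
        snprintf(c->userpwd, 64, "Authorization: Negotiate tok-%u", c->neg.token_seq);
    }
    return c->userpwd;
}

/* The cleanup the mail argues for: drop both the negotiation state and the
 * cached header after every request. */
static void cleanup_after_request(struct conn *c)
{
    free(c->userpwd);
    c->userpwd = NULL;
    c->neg.context_open = 0;
    c->neg.token_seq = 0;
}

/* Server side: 200 for a token never seen before, 401 for a replayed or
 * unparsable one. Returns the HTTP status code. */
static int server_check(struct server *s, const char *header)
{
    unsigned tok;
    size_t i;
    if (sscanf(header, "Authorization: Negotiate tok-%u", &tok) != 1)
        return 401;
    for (i = 0; i < s->nseen; i++)
        if (s->seen[i] == tok)
            return 401;          /* replay detected */
    if (s->nseen < MAX_SEEN)
        s->seen[s->nseen++] = tok;
    return 200;
}

/* Two requests over one connection; returns the status of the second one. */
int run_two_requests(int do_cleanup)
{
    struct conn c = { { 0, 0 }, NULL };
    struct server s = { { 0 }, 0 };
    int status = 0;
    int i;
    for (i = 0; i < 2; i++) {
        const char *h = build_request_header(&c);
        status = server_check(&s, h);
        if (do_cleanup)
            cleanup_after_request(&c);
    }
    cleanup_after_request(&c);   /* release whatever is left, no leak */
    return status;
}

int main(void)
{
    printf("second request without cleanup: %d\n", run_two_requests(0));
    printf("second request with cleanup:    %d\n", run_two_requests(1));
    return 0;
}
```

The server's replay cache is what turns the client's missing cleanup into a visible 401; against a server that does not check for replays, the same reuse goes unnoticed, which is the point made in item 3 of the mail.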