[krbdev.mit.edu #8222] krb5_init_creds_get_error() cannot retrieve most intermediate errors

Greg Hudson via RT rt-comment at krbdev.mit.edu
Sun Jul 26 10:44:08 EDT 2015


krb5_init_creds_get_error() is patterned after a similar Heimdal 
interface (although Heimdal uses a different type to represent KRB-
ERROR messages) and is documented to "get the last error from KDC 
from an initial credentials context."  Although the precise semantics 
are not clear, the implication (as well as the Heimdal behavior) is 
that it should work to retrieve intermediate errors during a 
krb5_init_creds_step() sequence, as well as to retrieve the final 
error after the exchange is complete.

The current implementation does not allow most intermediate errors to 
be retrieved.  This is because ctx->err_reply has two purposes: it is 
used by krb5_init_creds_get_error(), and is also used by 
init_creds_step_request() to decide whether to try regular pre-
authentication or "try again with an error" pre-authentication.  
Because of that, ctx->err_reply is discarded whenever an error should 
result in regular pre-authentication; this includes PREAUTH_REQUIRED 
and MORE_PREAUTH_DATA_ERROR_REQUIRED errors, realm referrals, and 
negotiation restarts.
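To make the dual use of ctx->err_reply concrete, here is a small C model of the behavior the report describes. It is an added illustration, not code from krb5, and it does not link against libkrb5; the type and helper names, the second "last_error" field standing in for a separate copy that only serves the getter, and the two-error exchange fed through it are assumptions made for this example. Only the KDC error-code numbers follow RFC 4120 and RFC 6113. Negotiation restarts are not modeled.

```c
/*
 * Added example, not krb5 code: a model of how a single ctx->err_reply field
 * that both answers krb5_init_creds_get_error() and drives the
 * regular-vs-"try again with an error" preauth decision loses intermediate
 * errors.  Names and the last_error field are assumptions for illustration.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* KDC error codes (numbers per RFC 4120 / RFC 6113). */
#define KDC_ERR_PREAUTH_FAILED             24
#define KDC_ERR_PREAUTH_REQUIRED           25
#define KDC_ERR_WRONG_REALM                68  /* realm referral */
#define KDC_ERR_MORE_PREAUTH_DATA_REQUIRED 91

/* Stand-in for a decoded KRB-ERROR message. */
typedef struct {
    int code;
    char e_text[64];
} krb_error_t;

/* Stand-in for the private initial-credentials context. */
typedef struct {
    krb_error_t *err_reply;   /* one field with two jobs, as in the report */
    krb_error_t *last_error;  /* assumed alternative: serves only the getter */
    int try_again_with_error; /* 1: next request reuses err_reply's padata */
} init_creds_ctx_t;

static krb_error_t *copy_error(const krb_error_t *e)
{
    krb_error_t *c = malloc(sizeof(*c));
    if (c != NULL)
        *c = *e;
    return c;
}

/* Errors that, per the report, lead to regular pre-authentication and so
 * cause the current code to discard ctx->err_reply. */
int restarts_regular_preauth(int code)
{
    return code == KDC_ERR_PREAUTH_REQUIRED ||
           code == KDC_ERR_MORE_PREAUTH_DATA_REQUIRED ||
           code == KDC_ERR_WRONG_REALM;
}

/* Model of a step that receives a KRB-ERROR from the KDC. */
static int ctx_handle_error(init_creds_ctx_t *ctx, const krb_error_t *err)
{
    free(ctx->err_reply);
    free(ctx->last_error);
    ctx->err_reply = copy_error(err);
    ctx->last_error = copy_error(err);
    if (ctx->err_reply == NULL || ctx->last_error == NULL)
        return -1;                       /* ENOMEM stand-in */

    if (restarts_regular_preauth(err->code)) {
        /* Current behaviour: clearing the decision field also throws away
         * the only copy the getter could have returned. */
        free(ctx->err_reply);
        ctx->err_reply = NULL;
        ctx->try_again_with_error = 0;
    } else {
        ctx->try_again_with_error = 1;
    }
    return 0;
}

static void ctx_free(init_creds_ctx_t *ctx)
{
    free(ctx->err_reply);
    free(ctx->last_error);
    memset(ctx, 0, sizeof(*ctx));
}

/* Feed a constructed two-error exchange through the model and return a bitmask
 * of which intermediate errors the chosen accessor could observe:
 * bit 0 = PREAUTH_REQUIRED, bit 1 = PREAUTH_FAILED.  use_last_error selects
 * the assumed separate copy instead of err_reply.  Returns -1 on failure. */
int run_exchange(int use_last_error)
{
    const krb_error_t seq[2] = {
        { KDC_ERR_PREAUTH_REQUIRED, "Additional pre-authentication required" },
        { KDC_ERR_PREAUTH_FAILED,   "Preauthentication failed" },
    };
    init_creds_ctx_t ctx;
    int seen = 0;

    memset(&ctx, 0, sizeof(ctx));
    for (int i = 0; i < 2; i++) {
        const krb_error_t *e;
        if (ctx_handle_error(&ctx, &seq[i]) != 0) {
            ctx_free(&ctx);
            return -1;
        }
        e = use_last_error ? ctx.last_error : ctx.err_reply;
        if (e != NULL && e->code == seq[i].code)
            seen |= 1 << i;
    }
    ctx_free(&ctx);
    return seen;
}

int main(void)
{
    printf("errors visible via err_reply:  0x%x\n", run_exchange(0));
    printf("errors visible via last_error: 0x%x\n", run_exchange(1));
    return 0;
}
```

With err_reply as the only source, the PREAUTH_REQUIRED error is gone by the time the caller gets control back from the step, so only the final PREAUTH_FAILED is observable (mask 0x2); a copy that the preauth decision never clears exposes both (mask 0x3).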
