[krbdev.mit.edu #7136] S4U2Self using kvno broken in 1.10.1, but not in 1.9.3
Greg Hudson via RT
rt-comment at krbdev.mit.edu
Thu May 24 12:52:27 EDT 2012
This is a side effect of converting encrypted timestamp from a hardcoded
preauth type handler to a built-in module.

When a hardcoded preauth handler fails (in 1.10 and prior) and it's of
type PA_REAL, it causes a complete failure of the AS exchange and its
error code is passed down to the caller of krb5_get_init_creds. This
allows s4u_creds.c to detect the return value from its gak function.

When a preauth module method fails, its code is ignored and the loop
continues to try other padata items. krb5_do_preauth returns 0 with
got_real == FALSE, which causes init_creds_step_request to return
KRB5_PREAUTH_FAILED, which is not recognized by s4u_creds.c.

The fake gak function's error can still be seen by s4u_creds.c in the
case where the KDC returns an AS reply instead of a preauth-required
error. In that case, get_init_creds invokes the gak function to decrypt
the AS reply and passes its error code down to the caller.

The suggested patch is basically correct. However, two related harmless
bugs should be fixed:

* The fake gak function should return a com_err code (probably
  KRB5_PREAUTH_FAILED), not a Kerberos protocol error number.
* There is no point in testing for a KDC_ERR_PREAUTH_REQUIRED return
  value, as that is another Kerberos protocol error number and will never
  be generated by get_init_creds.