Krb5/PAM: Fix account lockout error handling
The krb5 provider was mapping KRB5KDC_ERR_CLIENT_REVOKED as
ERR_ACCOUNT_EXPIRED. This is incorrect as KRB5KDC_ERR_CLIENT_REVOKED is
returned by the KDC when an account lockout is in effect. When an account is
expired the kdc returns KRB5KDC_ERR_NAME_EXP.
Fix the mapping by adding a new ERR_ACCOUNT_LOCKOUT sssd_error code.
Resolves:
https://fedorahosted.org/sssd/ticket/2924
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>