krb5_child: Distinguish between expired & disabled AD user
Active Directory returns the krb5 error code KRB5KDC_ERR_CLIENT_REVOKED
"-1765328366/Clients credentials have been revoked" for both expired and
disabled users. This is a difference between AD and IPA
https://pagure.io/SSSD/sssd/issue/2924.
Therefore we need to distinguish between these two states.

AD provides krb5 error data together with the krb5 error code.
It contains a KERB-EXT-ERROR which is documented in
"[MS-KILE]: Kerberos Protocol Extensions"[1] and carries an
NTSTATUS in KERB-EXT-ERROR.

The function sss_krb5_get_init_creds_password is a simpler version
of krb5_get_init_creds_password and there is a small difference
in that the krb5 native API actually retries by locating a KDC master server
if the initial attempt fails and the KDC that was contacted is not a master
KDC. The special version for AD (and even IPA) is not an issue. The retry will be
a no-op because every server is considered a master (or no masters exist at
all in DNS SRV records).

[1] https://msdn.microsoft.com/en-us/library/cc233855.aspx

Resolves:
https://pagure.io/SSSD/sssd/issue/3198
Reviewed-by: Sumit Bose <sbose@redhat.com>
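The KERB-EXT-ERROR decoding the commit describes, as an added example in Python that is not SSSD's own krb5_child code: it parses the DER-encoded KERB-ERROR-DATA carried in a KRB-ERROR e-data field, reads the NTSTATUS out of the KERB-EXT-ERROR, and maps it to "expired" or "disabled" so the two states behind KRB5KDC_ERR_CLIENT_REVOKED can be told apart. The NTSTATUS values, the data-type value 3 (KERB-ERR-TYPE-EXTENDED) and the little-endian layout of KERB-EXT-ERROR are taken from MS-KILE and MS-ERREF and are assumptions of this example, not facts stated in the commit; the sample blobs are constructed by the helper.

```python
import struct

# Assumed from MS-ERREF / MS-KILE, not from the commit message.
STATUS_ACCOUNT_DISABLED = 0xC0000072
STATUS_ACCOUNT_EXPIRED = 0xC0000193
KERB_ERR_TYPE_EXTENDED = 3  # data-type selecting a KERB-EXT-ERROR data-value


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for one DER TLV with a definite length."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: next (length & 0x7F) bytes, big-endian
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length


def parse_kerb_ext_error(edata):
    """Decode KERB-ERROR-DATA from KRB-ERROR e-data; return the NTSTATUS or None."""
    try:
        tag, seq, _ = _read_tlv(edata, 0)
        if tag != 0x30:  # KERB-ERROR-DATA ::= SEQUENCE
            return None
        data_type, data_value, pos = None, None, 0
        while pos < len(seq):
            tag, val, pos = _read_tlv(seq, pos)
            inner_tag, inner, _ = _read_tlv(val, 0)
            if tag == 0xA1 and inner_tag == 0x02:   # data-type [1] INTEGER
                data_type = int.from_bytes(inner, "big", signed=True)
            elif tag == 0xA2 and inner_tag == 0x04: # data-value [2] OCTET STRING
                data_value = inner
    except ValueError:
        return None
    if data_type != KERB_ERR_TYPE_EXTENDED or data_value is None or len(data_value) < 12:
        return None
    # KERB-EXT-ERROR is a Windows struct {status, reserved, flags}; little-endian assumed.
    status, _reserved, _flags = struct.unpack("<III", data_value[:12])
    return status


def classify_revoked(edata):
    """Refine KRB5KDC_ERR_CLIENT_REVOKED using the extended error, if present."""
    status = parse_kerb_ext_error(edata)
    if status == STATUS_ACCOUNT_DISABLED:
        return "disabled"
    if status == STATUS_ACCOUNT_EXPIRED:
        return "expired"
    return "revoked"  # no usable KERB-EXT-ERROR: fall back to the generic state


def build_kerb_error_data(status, flags=0):
    """Construct a sample KERB-ERROR-DATA blob (test input, not captured from a KDC)."""
    ext = struct.pack("<III", status, 0, flags)
    octet = bytes([0x04, len(ext)]) + ext
    tagged2 = bytes([0xA2, len(octet)]) + octet
    tagged1 = bytes([0xA1, 3, 0x02, 1, KERB_ERR_TYPE_EXTENDED])
    body = tagged1 + tagged2
    return bytes([0x30, len(body)]) + body
```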