Rework internal error handling to use Kerberos errors
Now that we've dropped the old API, we can drop the error handling mode, which predates rich Kerberos errors. Replace it with use of krb5_set_error_message everywhere, and change a lot of functions to return a krb5_error_code instead of a boolean or some special status code. As part of this change, all password changes are queued for Active Directory if they fail regardless of the reason for the failure.
Showing with 478 additions and 450 deletions