Correctly handle fallback in KDC OTP callback

In otp_state.c:callback(), avoid invoking the failure callback when we
fall back to the next token.  Since request_send() consumes the
request, don't try to free it.

[ghudson@mit.edu: added test case; edited commit message]

(cherry picked from commit 09c9b7d6f64767429e90ad11a529e6ffa9538043)

https://github.com/krb5/krb5/commit/4d8cd7daa15abf6a9ed4c46334968aef7d099b83
Author: Robbie Harwood <rharwood@redhat.com>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: 4d8cd7daa15abf6a9ed4c46334968aef7d099b83
Branch: krb5-1.16
 src/plugins/preauth/otp/otp_state.c |    1 +
 src/tests/t_otp.py                  |   28 +++++++++++++++++++++++++---
 2 files changed, 26 insertions(+), 3 deletions(-)