Avoid draft 9 fallback after PKINIT failure

If a KDC offers both RFC 4556 and draft 9 PKINIT, and we experience a
client-side failure trying RFC 4556 PKINIT (e.g. due to the user
entering the wrong PKCS #11 PIN), do not try to use draft 9 PKINIT.

https://github.com/krb5/krb5/commit/0963fa5f0d01d81d3c4088088b94c455f033e921
Author: Greg Hudson
Commit: 0963fa5f0d01d81d3c4088088b94c455f033e921
Branch: master

 src/plugins/preauth/pkinit/pkinit.h       | 1 +
 src/plugins/preauth/pkinit/pkinit_clnt.c  | 7 +++++++
 src/plugins/preauth/pkinit/pkinit_trace.h | 2 ++
 src/tests/t_pkinit.py                     | 8 ++++++++
 4 files changed, 18 insertions(+), 0 deletions(-)