krb5_change_set_password returns an error from the KDC in result_code and two error strings 
in krb5_data structures: result_code_string and result_string.

If result_code is non-zero, result_string is set to a string.  However result_code_string is 
unconditionally set to "Password change failed", even when result_code is 0.  This makes it 
difficult for the caller to figure out if it needs to call krb5_free_data_contents.

Also, krb5_change_set_password allows the caller to pass NULL for result_code_string but not result_string.  Seems like either both should be allowed to be NULL or neither.