Make kadm5_lock() and unlock work, and add kadmin commands for them.

The libkadm5 functions hdb_open() and close around all HDB ops.  This
meant the previous implementation of kadm5_lock() and unlock would
always result in a core dump.  Now we hdb_open() for write in
kadm5_lock() and hdb_close() in kadm5_unlock(), with all kadm5_s_*()
functions now not opening nor closing the HDB when the server context
keep_open flag is set.

Also, there's now kadmin(8) lock and unlock commands.  These are there
primarily as a way to test the kadm5_lock()/unlock() operations, but
MIT's kadmin.local also has lock/unlock commands, and these can be
useful for scripting (though they require much care).

lib/kadm5/kadm5_err.et

@@ -63,3 +63,5 @@ error_code DECRYPT_USAGE_NOSUPP,	"Given usage of kadm5_decrypt() not supported"
 error_code POLICY_OP_NOSUPP,	"Policy operations not supported"
 error_code KEEPOLD_NOSUPP,	"Keep old keys option not supported"
 error_code AUTH_GET_KEYS,	"Operation requires `get-keys' privilege"
+error_code ALREADY_LOCKED,	"Database already locked"
+error_code NOT_LOCKED,		"Database not locked"