kerberos: Don't start daemon unnecessarily

This CL makes sure that the Kerberos system daemon is not started
unnecessarily if there are no Kerberos accounts.

BUG=chromium:963824
TEST=Log into Chromebook with enabled KerberosEnabled policy, but no
     existing accounts (neither through KerberosAccounts policy nor
     added manually). Open ssh console (e.g. CTRL + ALT + -->), verify
     that 'ps -A | grep kerberos' does not show a Kerberos process.

Change-Id: I6b8b4cfd1f50a6b9abc97b8b72fa322fdb83cfc5
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1720770Reviewed-by: A Olsen <olsen@chromium.org>
Commit-Queue: Lutz Justen <ljusten@chromium.org>
Cr-Commit-Position: refs/heads/master@{#681272}

chrome/browser/chromeos/kerberos/kerberos_credentials_manager.cc

@@ -791,17 +791,21 @@ void KerberosCredentialsManager::UpdateAccountsFromPref() {
   if (!IsKerberosEnabled()) {
     VLOG(1) << "Kerberos disabled";
     NotifyRequiresLoginPassword(false);
-    // All managed accounts have already been removed here. No need to call
-    // RemoveAllManagedAccountsExcept().
+    // All managed accounts have already been removed here.
+    // No need to call RemoveAllManagedAccountsExcept().
     return;
   }
 
-  // Principal names of all accounts added.
   const base::Value* accounts = local_state_->GetList(prefs::kKerberosAccounts);
-  if (!accounts) {
-    VLOG(1) << "No KerberosAccounts policy";
+  if (!accounts || accounts->GetList().empty()) {
+    VLOG(1) << "No or empty KerberosAccounts policy";
     NotifyRequiresLoginPassword(false);
-    RemoveAllManagedAccountsExcept({});
+
+    // https://crbug.com/963824: The active principal is empty if there are no
+    // accounts, so no need to remove accounts. It would just up the daemon
+    // unnecessarily.
+    if (!GetActivePrincipalName().empty())
+      RemoveAllManagedAccountsExcept({});
     return;
   }