Make sure the device recovers from policy loss in the consumer case.

chrome/browser/chromeos/login/existing_user_controller.cc

Index: chrome/browser/chromeos/login/existing_user_controller.cc
diff --git a/chrome/browser/chromeos/login/existing_user_controller.cc b/chrome/browser/chromeos/login/existing_user_controller.cc
index 97477b4bb0e789256d08288bbe406fbc2a1d379e..8776811c11c24c1dfefb81cd2b15c30e2d25dead 100644
--- a/chrome/browser/chromeos/login/existing_user_controller.cc
+++ b/chrome/browser/chromeos/login/existing_user_controller.cc
@@ -92,6 +92,9 @@ const char kCaptivePortalLaunchURL[] = "http://www.google.com/";
 // Delay for transferring the auth cache to the system profile.
 const long int kAuthCacheTransferDelayMs = 2000;
 
+// Delay for rebooting the machine if safe-modelogin has failed.
+const long int kSafeModeRebootDelayMs = 30000;
+
 // Makes a call to the policy subsystem to reload the policy when we detect
 // authentication change.
 void RefreshPoliciesOnUIThread() {
@@ -474,7 +477,15 @@ void ExistingUserController::OnLoginFailure(const LoginFailure& failure) {
   guest_mode_url_ = GURL::EmptyGURL();
   std::string error = failure.GetErrorString();
 
-  if (!online_succeeded_for_.empty()) {
+  if (failure.reason() == LoginFailure::OWNER_REQUIRED) {
+    ShowError(IDS_LOGIN_ERROR_OWNER_REQUIRED, error);
+    content::BrowserThread::PostDelayedTask(
+        content::BrowserThread::UI, FROM_HERE,
+        base::Bind(&SessionManagerClient::StopSession,
+                   base::Unretained(DBusThreadManager::Get()->
+                                    GetSessionManagerClient())),
+        kSafeModeRebootDelayMs);
+  } else if (!online_succeeded_for_.empty()) {
     ShowGaiaPasswordChanged(online_succeeded_for_);
   } else {
     // Check networking after trying to login in case user is