Comment 0 for bug 988520

MIT Kerberos 1.10 (including pre-releases and betas) exposed a bug in the tracking of preauth mechanisms such that, if an authentication fails after preauth was requested, all subsequent preauth-required authentications in the same Kerberos context will also fail.

This breaks password change when credentials have expired, and also breaks try_first_pass functionality in Kerberos PAM modules.

Upstream has fixed this problem in their mainline with commit 25822.