MIT Kerberos 1.10 (including pre-releases and betas) exposed a bug in the tracking of preauth mechanisms such that, if an authentication fails after preauth was requested, all subsequent preauth-required authentications in the same Kerberos context will also fail.
This breaks password change when credentials have expired, and also breaks try_first_pass functionality in Kerberos PAM modules.
Upstream has fixed this problem in their mainline with commit 25822.
MIT Kerberos 1.10 (including pre-releases and betas) exposed a bug in the tracking of preauth mechanisms such that, if an authentication fails after preauth was requested, all subsequent preauth-required authentications in the same Kerberos context will also fail.
This breaks password change when credentials have expired, and also breaks try_first_pass functionality in Kerberos PAM modules.
Upstream has fixed this problem in their mainline with commit 25822.