kdc_preauth.c on the 1.3 branch has the following, which should prevent the problem.

    /* pa system was not found, but principal doesn't require preauth */
    if (!pa_found &&
        !isflagset(client->attributes, KRB5_KDB_REQUIRES_PRE_AUTH) &&
        !isflagset(client->attributes, KRB5_KDB_REQUIRES_HW_AUTH))
        return 0;

The code has been there since 1999. Is this a case of the request containing preauth that fails to verify, rather than being a case of preauth being submitted that the KDC does not understand?

---Tom
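The two cases the message distinguishes, as an added example that is not part of the original message and is not the krb5 source. It is a simplified model: the struct, the function name `check_padata_model`, the flag values and the loop around the quoted check are assumptions made for illustration; only the final `if` mirrors the quoted snippet.

```c
#include <stddef.h>

/* Local stand-ins for the model; not copied from the krb5 headers. */
#define REQUIRES_PRE_AUTH 0x1
#define REQUIRES_HW_AUTH  0x2

enum pa_result { PA_ACCEPT = 0, PA_REJECT = 1 };

/* One preauth element as the model sees it (hypothetical struct). */
struct padata {
    int known;      /* 1 if the KDC has a handler for this preauth type */
    int verifies;   /* 1 if that handler accepts the data */
};

/* Hypothetical model of the decision; the loop is assumed, not quoted. */
enum pa_result check_padata_model(const struct padata *pa, size_t n,
                                  unsigned client_attributes)
{
    int pa_found = 0, pa_ok = 0;
    size_t i;

    for (i = 0; i < n; i++) {
        if (!pa[i].known)
            continue;       /* not understood: skipped, pa_found unchanged */
        pa_found++;         /* understood: the result now matters */
        if (pa[i].verifies)
            pa_ok = 1;
    }
    if (pa_ok)
        return PA_ACCEPT;

    /* pa system was not found, but principal doesn't require preauth */
    if (!pa_found &&
        !(client_attributes & REQUIRES_PRE_AUTH) &&
        !(client_attributes & REQUIRES_HW_AUTH))
        return PA_ACCEPT;

    return PA_REJECT;       /* understood but failed, or preauth required */
}
```

In this model, preauth of an unknown type is ignored for a principal with neither flag set, while preauth of a known type that fails to verify is rejected regardless of the flags.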