Both krb5_get_initi_creds_keytab and krb5_get_init_creds_password wil retry using the master KDC if trying against any KDC fails. It seems this logic should move into krb5_get_initi_creds.