I've attached the patches I made as the file unixtimepreauth.patch.
The only comment I'd make against using it as is would be I
did not want to venture into the territory of assigning new
error codes to indicate different failure reasons and so went
in search of others that seemed reasonable analogues to what
checks were being made.

I don't know how concerned you are about this, with, for example,
malloc() failing in the existing verify_enc_timestamp() returning
success rather than failure.  ie. starve the KDC of memory and
preauth will always succeed.  Only thing is, I'm sure lots of other
things would have failed before you got that far (I hope!) because
it sounds bad when put like that.

Cheers,
Darren