This is a side effect of converting encrypted timestamp from a hardcoded preauth type handler to a built-in module. When a hardcoded preauth handler fails (in 1.10 and prior) and it's of type PA_REAL, it causes a complete failure of the AS exchange and its error code is passed down to the caller of krb5_get_init_creds. This allows s4u_creds.c to detect the return value from its gak function. When a preauth module method fails, its code is ignored and the loop continues to try other padata items. krb5_do_preauth returns 0 with got_real == FALSE, which causes init_creds_step_request to return KRB5_PREAUTH_FAILED, which is not recognized by s4u_creds.c. The fake gak function's error can still be seen by s4u_creds.c in the case where the KDC returns an AS reply instead of a preauth-required error. In that case, get_init_creds invokes the gak function to decrypt the AS reply and passes its error code down to the caller. The suggested patch is basically correct. However, two related harmless bugs should be fixed: * The fake gak function should return a com_err code (probably KRB5_PREAUTH_FAILED), not a Kerberos protocol error number. * There is no point in testing for a KDC_ERR_PREAUTH_REQUIRED return value, as that is another Kerberos protocol error number and will never be generated by get_init_creds.