If you don't carefully manage your KRB5CCNAME, there is the potential 
that gss_acquire_cred_with_password() might succeed without making an 
AS request, and the creds you have might verify correctly even though 
the password was never used.

I guess that's not "completely broken" as it's possible to work around, 
but it's dangerous, and it requires mechanism-specific application 
knowledge or configuration to avoid.