In preauth2.c, krb5_preauth_context_st mixes context-global preauth data with per-request data. The "tried" field of krb5_preauth_context_st and the "req" field of clpreauth_handle are per-request, while the "vt" and "data" fields of clpreauth_handle are context-global. Alll of this information is managed out of krb5_context, not krb5_init_creds_context. So if a caller interleaves krb5_init_creds_init/krb5_init_creds_step for different krb5_init_creds_context objects with the same krb5_context object, both operations will use the same per-request preauth data, likely causing one or both operations to fail. The per-request information should be separated out and managed out of krb5_init_creds_context.