Thanks for the detailed report.  This turns out to be very simple: 
krb5_get_init_creds_password() accepts a prompter parameter, while the 
deprecated krb5_get_in_tkt_with_password() always uses 
krb5_prompter_posix().  The referenced commit passes NULL for the 
prompter, so preauth modules can't prompt for additional information.  
Passing krb5_prompter_posix makes it work.  I will submit a PR.