I can’t find the original email chain/bug report, but based on some side discussions at KIT 2013, I am sending an update.

Something in the wire protocol has changed which might affect certain legacy Solaris clients. Principals which have preauth required might encounter an issue on clients talking to Kerberos 1.11 KDC servers where the PAM stack will crash, whereas with Kerberos 1.10 KDC there isn’t a problem.

The problem only seems to manifest on Solaris 10 systems which are lacking a Sun patch:

124235-02 or higher (SPARC Solaris 10)

124236-02 or higher (x86 Solaris 10)

I never actually was able to trace the cause of the issue, but this was first noticed and fixed in 2006-2007 and the portion of the Sun patch which is relevant is the GSS mech_krb5.so module.

Hopefully, this update will help others who might encounter the same issue in the future, especially since 1.10 is likely nearing its end-of-support date.