[krbdev.mit.edu #6108] A client can fail to get initial creds if it changes the password while doing so.

Greg Hudson via RT rt-comment at krbdev.mit.edu
Wed Apr 1 15:33:27 EDT 2009


Hi, sorry to take so long to look into this, and thanks for your report.
I haven't tried reproducing your problem, so apologies if I'm just
confusing myself, but I don't see how your scenario can pan out.  Here
is what I would expect to happen:

1. Client contacts slave KDC, gets KRB5KDC_ERR_KEY_EXP.

2. Client retries with master KDC, setting use_master to 1 (line 159). 
It gets back KRB5KDC_ERR_KEY_EXP again.  Because that value is not one
of KRB5_KDC_UNREACH, KRB5_REALM_CANT_RESOLVE, or KRB5_REALM_UNKNOWN
(line 178), use_master remains 1.

3. Client gets kadmin/changepw tickets from the master, because
use_master is still 1.

4. Client changes password.

5. Client gets a TGT from the master (use_master is still 1).

Your suggested solution would only take effect in a more unlikely
scenario, where in step 2 the client is unable to contact the master KDC
and thus resets use_master to 0, but is able to change the password.

The other part of your bug report appears to be that preauth can fail
when talking to a slave with an out-of-date key.  I can see how that
might be true but want to talk about it with other people first.


