I think this is actually a server bug. The kpasswd server should be returning a soft error on a password quality failure and a hard error otherwise. It was doing the right thing up until 1.7 when RFC 3244 was implemented, at which point the result codes were accidentally switched.