[krbdev.mit.edu #7136] S4U2Self using kvno broken in 1.10.1, but not in 1-9.3
Michael Morony via RT
rt-comment at krbdev.mit.edu
Thu May 17 02:25:21 EDT 2012
I'm using kvno to get some tickets using protocol transition (S4U2Self) with a Win2k3 KDC.
Essentially I am running the following 3 shell commands:
kdestroy
kinit -k -t my_keytab delegate_user
kvno -k my_keytab -U fakeuser -P delegate_user cifs/2008FileServer
The idea being to get a service ticket for cifs for user "fakeuser".
Version 1.9.3 works fine. (Compiled from MIT source on Ubuntu.)
Output is:
delegate_user at TEST.MYDOMAIN.COM: kvno = 2, keytab entry valid
cifs/2008FileServer at TEST.MYDOMAIN.COM: kvno = 2, keytab entry valid
Version 1.10.1 does not. (Again, compiled from MIT source.)
Output is:
kvno: Generic preauthentication failure while getting credentials for
delegate_user at TEST.MYDOMAIN.COM
kvno: Generic preauthentication failure while getting credentials for
cifs/2008FileServer at TEST.MYDOMAIN.COM
Reason being: some error code returns have changed in the krb5 lib and the s4u code no longer does what it is supposed to, as it can't properly handle KRB5_PREAUTH_FAILED.
The difference in packet flow is: for 1.9.3 you see AS-REQ, then AS-REP with preauth required, but it then goes and does a TGS-REQ S4U style as required. For 1.10.1 you just see two AS-REQ/AS-REP asking for preauth, then it just fails.
The fix below works for me; is there a better way, or should it be fixed elsewhere?
diff --git a/src/lib/krb5/krb/s4u_creds.c b/src/lib/krb5/krb/s4u_creds.c
index e4cc8a1..dd2c7d0 100644
--- a/src/lib/krb5/krb/s4u_creds.c
+++ b/src/lib/krb5/krb/s4u_creds.c
@@ -120,7 +120,8 @@ s4u_identify_user(krb5_context context,
&use_master, NULL);
if (code == 0 ||
code == KDC_ERR_PREAUTH_REQUIRED ||
- code == KDC_ERR_PREAUTH_FAILED) {
+ code == KDC_ERR_PREAUTH_FAILED ||
+ code == KRB5_PREAUTH_FAILED) {
*canon_user = userid.user;
userid.user = NULL;
code = 0;
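Review bot: adding KRB5_PREAUTH_FAILED to the condition that sets *canon_user and forces code = 0 widens this branch from the two KDC error codes (KDC_ERR_PREAUTH_REQUIRED, KDC_ERR_PREAUTH_FAILED) to a library-level error, so any failure of the AS exchange that the library reports as KRB5_PREAUTH_FAILED is now treated as "user identified" and returned as success from this point. If, as the report says, the 1.10 library now returns KRB5_PREAUTH_FAILED where 1.9 returned KDC_ERR_PREAUTH_FAILED, it would be worth confirming that this is the only case that reaches here and considering whether the mapping should be handled where the error is produced rather than accepted in s4u_identify_user; either way a short comment above the condition explaining why all three codes mean "the KDC recognised the user" would help future readers.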