Comment 10 for bug 915386

I'm going to make a guess, because you didn't include the packets between KRB5KDC_ERR_KEY_EXP and KRB5KDC_ERR_PREAUTH_REQUIRED. I suspect that what happened is that AD returned the correct error that the key was expired, and the MIT libraries then went and tried to acquire a password-change token with the original password you presented. If that password was not valid, it throws an error.