Comment 6 for bug 915386

'generic preauthentication failure' == KRB5KDC_ERR_PREAUTH_FAILED (Which is therefore different from KRB5KDC_ERR_KEY_EXP. So yeah, the Active Directory server is not sending the correct response from the KDC. We can't do anything about that (since KRB5KDC_ERR_PREAUTH_FAILED is the same error code used for an incorrect password).

File a bug with Microsoft. This isn't an issue in SSSD.