Kerberos authentication fails with forced password change

I have configured PAM authentication to use Kerberos and can authenticate correctly with my principals using their Kerberos credentials.

I ran into trouble when I tried to create a principal with an expired password:

kadmin: addprinc +needchange test_principal

When I tried logging in (either from a VT or the graphical greeter), after correctly entering the password, I got the expected message that the password has expired and the system prompted me to create a new one. After I had done that, authentication failed with this error in the kdc.log:

krb5kdc[...](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.0.200: NO PREAUTH: authtime 0, test_principal@MY.REALM for host/server.my.realm@MY.REALM, Generic error (see e-text)

and the following (not so surprising) error in /var/log/auth.log:

pam_krb5(gdm3:auth): (user test_principal) credential verfication failed: KDC returned error string: NO PREAUTH

Some notes

• Listing the principal's attributes (via getprinc in kadmin.local) shows 0 failed log in attempts
• If I create the account without the +needchange flag, I am able to authenticate correctly.
• If I add the +needchange flag (via modprinc in kadmin.local) after the user has successfully authenticated once, I get the expected behavior; namely, the user is prompted to change their password and then their authentication succeeds.
• This principal has no equivalent entry in /etc/passwd but is backed up by an LDAP entry.

• As suggested elsewhere, I tried creating my principal like this:

  kadmin: addprinc -requires_preauth +needchange test_principal
  

  This made no difference.

My use case

I'm migrating from an old NIS system and I want to offer continuity to my users. I would like to have them enter their old passwords but then be forced to change them to conform to stricter password policy rules I intend to enforce through Kerberos.

I am running MIT Kerberos V on Debian Wheezy.