I've just noticed that kinit is not working for several but not all accounts in our FreeIPA domain (4.4.0-14.el7.centos.7). I get the following error:
[root@caesium tiemen]# KRB5_TRACE=/dev/stdout kinit dba
[7827] 1498729905.996951: Resolving unique ccache of type KEYRING
[7827] 1498729905.997811: Sending request (167 bytes) to
I.RDMEDIA.COM[7827] 1498729906.9304: Received answer (204 bytes) from stream
10.100.110.36:88[7827] 1498729906.9621: Response was from master KDC
[7827] 1498729906.9683: Received error from KDC: -1765328359/Additional pre-authentication required
[7827] 1498729906.9780: Processing preauth types: 136, 133
[7827] 1498729906.9795: Received cookie: MIT
kinit: Generic preauthentication failure while getting initial credentials
[root@caesium tiemen]# KRB5_TRACE=/dev/stdout kinit admin
[7869] 1498730079.918191: Resolving unique ccache of type KEYRING
[7869] 1498730079.918896: Sending request (169 bytes) to
I.RDMEDIA.COM[7869] 1498730079.930832: Received answer (258 bytes) from stream
10.100.110.36:88[7869] 1498730079.930977: Response was from master KDC
[7869] 1498730079.931039: Received error from KDC: -1765328359/Additional pre-authentication required
[7869] 1498730079.931106: Processing preauth types: 136, 19, 2, 133
[7869] 1498730079.931129: Selected etype info: etype aes256-cts, salt "REDACTED", params ""
[7869] 1498730079.931139: Received cookie: MIT