In a cross-realm situation the client KDC exchange may use on orphaned strengthen_key (from the previous exchange) if the current KDC doesn't not support FAST and the previous KDC supported it.
This bug was referenced in samba master: 67bdc922f9836779f1b37805575c5c4eea9ba3e6 12b623088cf48cf9e4a046441810ef20e1f079b8 2db7589d69abebad16b66d933114367f815d5fc3 f1a71e24864367a55a30813dd642e7ef392b5ac9 9b48e7f7eda5e368c1192d562c268885c1f68d8b
This bug was referenced in samba v4-16-test: 2aa95f782037be279b093df5b3f9cbe4f1c44ab3 9aa78f15fd6f4796657246d09dab883a717de6f6 4643536739464a1f1c49ca780ae34a1c8f6df360 e6196c456c1d9635376fcc5565b9f67e2e7cf65a 9d819c9359f35758219ee78ef0ade3828a9d8135
Fixed via #15002
This bug was referenced in samba v4-16-stable (Release samba-4.16.0): 2aa95f782037be279b093df5b3f9cbe4f1c44ab3 9aa78f15fd6f4796657246d09dab883a717de6f6 4643536739464a1f1c49ca780ae34a1c8f6df360 e6196c456c1d9635376fcc5565b9f67e2e7cf65a 9d819c9359f35758219ee78ef0ade3828a9d8135