In certain circumstances, such as when an authentication policy restricts getting a ticket, the KDC will send KERB-ERROR-DATA instead of METHOD-DATA. Windows clients can decode KERB-ERROR-DATA and get an NTSTATUS code, but we fail to do so.
The error messages produced by the Heimdal client look like:
“Miscellaneous failure (see text): Failed to decode METHOD-DATA (host/client@ADDOM.SAMBA.EXAMPLE.COM)”.
The Heimdal PR is here: https://github.com/heimdal/heimdal/pull/1096.
On the MIT side, krb5int_fast_process_error() looks like it can handle the e-data field not being valid METHOD-DATA.
This bug was referenced in samba master: