Storing the old machine account password when the machine account password changes

Richard Sharpe realrichardsharpe at gmail.com
Sun May 12 23:42:56 MDT 2013


Hi,

I have seen two vendors now who are storing the old machine account
password when the machine account password changes.

This seems to be to handle the following situation:

Lots of clients have tickets cached that were generated when the old
machine account password was valid but when they present them,
authentication fails. They try both passwords and allow authentication
to succeed if either password is successful.

What is the correct thing to do there? Should Samba return something
like krb5kdc_err_service_revoked when this happens (which would
require that it cache the previous machine account password) or is
there a standard way to deal with this error that the people doing
this do not understand?

-- 
Regards,
Richard Sharpe
(What can dispel sorrow? Only Du Kang. --Cao Cao)
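
The fallback described in the message above (accept a ticket if either the current or the previous machine account key validates it), as an added example that is not part of the original post and is not Samba or vendor code. HMAC-SHA256 and PBKDF2 stand in for Kerberos ticket encryption and string-to-key; the names `MachineAccountKeys`, `seal`, `accept` and the retention window that bounds how long the old key is honoured are assumptions.

```python
import hashlib
import hmac

def derive_key(password: bytes, salt: bytes) -> bytes:
    # Stand-in for Kerberos string-to-key (assumption, not the real algorithm).
    return hashlib.pbkdf2_hmac("sha256", password, salt, 4096)

class MachineAccountKeys:
    """Holds the current key plus the one it replaced (hypothetical store)."""
    def __init__(self, password: bytes, salt: bytes, retention: int):
        self.salt = salt
        self.retention = retention   # seconds the old key stays usable (assumed policy)
        self.kvno = 1                # key version number, bumped on every change
        self.current = derive_key(password, salt)
        self.previous = None         # (key, time of rotation)

    def rotate(self, new_password: bytes, now: int) -> None:
        self.previous = (self.current, now)
        self.current = derive_key(new_password, self.salt)
        self.kvno += 1

    def candidates(self, now: int):
        keys = [("current", self.current)]
        # Honour the old key only inside the retention window, so a leaked
        # old password does not stay valid indefinitely.
        if self.previous and now - self.previous[1] <= self.retention:
            keys.append(("previous", self.previous[0]))
        return keys

def seal(key: bytes, payload: bytes) -> bytes:
    # Simulates the KDC issuing a ticket protected by the service key.
    return hmac.new(key, payload, hashlib.sha256).digest() + payload

def accept(store: MachineAccountKeys, ticket: bytes, now: int):
    """Return which key validated the ticket, or None if neither did."""
    tag, payload = ticket[:32], ticket[32:]
    for name, key in store.candidates(now):
        expected = hmac.new(key, payload, hashlib.sha256).digest()
        if hmac.compare_digest(tag, expected):
            return name
    return None

if __name__ == "__main__":
    store = MachineAccountKeys(b"old-pw", b"constructed-salt", retention=600)
    cached = seal(store.current, b"client=alice")   # constructed sample ticket
    store.rotate(b"new-pw", now=1000)
    print(accept(store, cached, now=1060))   # inside the window
    print(accept(store, cached, now=1601))   # window elapsed
```
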

