diff -Nuar openldap-2.4.42+dfsg.orig/contrib/slapd-modules/pwd_scheme_kinit/pwd_scheme_kinit.c openldap-2.4.42+dfsg/contrib/slapd-modules/pwd_scheme_kinit/pwd_scheme_kinit.c
--- openldap-2.4.42+dfsg.orig/contrib/slapd-modules/pwd_scheme_kinit/pwd_scheme_kinit.c 2017-07-10 20:51:48.885223591 +0200
+++ openldap-2.4.42+dfsg/contrib/slapd-modules/pwd_scheme_kinit/pwd_scheme_kinit.c 2017-07-10 20:51:58.353145249 +0200
@@ -158,7 +158,7 @@
 krb5_free_error_message(k5_ctx, msg);
 }
-int verify_krb5_principal(char *principal_name, char *password, Operation *op) {
+int verify_krb5_principal(char *principal_name, char *password, Operation *op, const char **text) {
 int ret;
@@ -209,12 +209,16 @@
 case KRB5KDC_ERR_PREAUTH_FAILED:
 case KRB5_GET_IN_TKT_LOOP:
 /* Authentication failed */
- printf("Authentication failed\n");
+ if( text ) *text = "Authentication failed";
 ret = -1;
 goto cleanup;
 case KRB5KDC_ERR_KEY_EXP:
 /* Authentication ok, password expired */
- printf("Password expired\n");
+ if( text ) *text = "Password expired";
+ ret = -1;
+ goto cleanup;
+ case KRB5KRB_AP_ERR_SKEW:
+ if( text ) *text = "Clock skew too great";
 ret = -1;
 goto cleanup;
 default:
@@ -312,7 +316,7 @@
 memcpy( password, cred->bv_val, cred->bv_len );
 password[cred->bv_len] = '\0';
- rc = verify_krb5_principal(principal, password, op);
+ rc = verify_krb5_principal(principal, password, op, text);
 if ( rc ) {
 ret = LUTIL_PASSWD_ERR;
 goto done;
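Review bot: The new `text` parameter of `verify_krb5_principal` has no comment saying that it may be NULL, or that the failure branches in the next hunk point `*text` at a string literal the caller must not free or modify. I would add above the signature `/* text: optional out-parameter; on failure *text is set to a static message, never allocated */`. The function body continues outside this hunk, so whether `*text` is left untouched on success is inferred rather than shown.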
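Review bot: The `KRB5KDC_ERR_KEY_EXP` branch now returns "Password expired" through `text`, and the comment above it describes that case as "Authentication ok". If `text` is relayed to the bind client (the caller's handling is not visible here), an unauthenticated client can tell a correct password from a wrong one on expired accounts. The new `KRB5KRB_AP_ERR_SKEW` message similarly exposes server-side state. I would set `if( text ) *text = "Authentication failed";` in both branches and record the specific reason in the server log only, which also restores the operator-side trace that the removed `printf` calls provided. The `default:` branch continues outside the hunk, so I cannot tell whether it sets `*text` at all.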