When pre-auth mechanisms are reported in an AS-REQ/AS-REP exchange between a Kerberos initiator and a KDC, there is no way to tell what they are except knowing them by heart. It would be nice to have KRB5_TRACE provide the name of the preauth module that handles a specific mechanism.

An example:

$ KRB5_TRACE=/dev/stderr kinit abbra
[30477] 1517302644.484474: Resolving unique ccache of type KEYRING
[30477] 1517302644.484475: Getting initial credentials for abbra
[30477] 1517302644.484477: Sending request (183 bytes) to FEDORAPROJECT.ORG
[30477] 1517302644.484478: Resolving hostname id.fedoraproject.org
[30477] 1517302645.51056: TLS certificate name matched "id.fedoraproject.org"
[30477] 1517302645.51057: Sending HTTPS request to https 140.211.169.206:443
[30477] 1517302645.51058: Received answer (317 bytes) from https 140.211.169.206:443
[30477] 1517302645.51059: Terminating TCP connection to https 140.211.169.206:443
[30477] 1517302646.200324: Response was not from master KDC
[30477] 1517302646.200325: Received error from KDC: -1765328359/Additional pre-authentication required
[30477] 1517302646.200328: Processing preauth types: 16, 15, 14, 136, 19, 147, 2, 133

In the line above we have a list of preauth types returned by the KDC but no explanation of which preauth modules could handle them.

[30477] 1517302646.200329: Selected etype info: etype aes256-cts, salt " !;%S"YOH=nT;>h>", params ""
[30477] 1517302646.200330: Received cookie: MIT
Password for abbra:
[30477] 1517302651.883541: AS key obtained for encrypted timestamp: aes256-cts/02B4
[30477] 1517302651.883543: Encrypted timestamp (for 1517302651.177437): plain 301AA011180F32303138303133303038353733315AA105020302B51D, encrypted A62EAB9C8913CCE3C6B7E955B830510CC42F565DF925A63C97E6178EC245F17D4C871148DECA652E9A64120ED608E8283E06C9B284B4EEEE
[30477] 1517302651.883544: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[30477] 1517302651.883545: Produced preauth for next request: 133, 2

Here we chose two modules for the next request but only one module explains its preauth type. It would be good to have all of them covered.

[30477] 1517302651.883546: Sending request (278 bytes) to FEDORAPROJECT.ORG
[30477] 1517302651.883547: Resolving hostname id.fedoraproject.org
[30477] 1517302652.258952: TLS certificate name matched "id.fedoraproject.org"
[30477] 1517302652.258953: Sending HTTPS request to https 209.132.190.2:443
[30477] 1517302652.258954: Received answer (743 bytes) from https 209.132.190.2:443
[30477] 1517302652.258955: Terminating TCP connection to https 209.132.190.2:443
[30477] 1517302653.408571: Response was not from master KDC
[30477] 1517302653.408572: Processing preauth types: 19

Here we get another preauth type response but no explanation of the module handling the type.

[30477] 1517302653.408573: Selected etype info: etype aes256-cts, salt " !;%S"YOH=nT;>h>", params ""
[30477] 1517302653.408574: Produced preauth for next request: (empty)
[30477] 1517302653.408575: AS key determined by preauth: aes256-cts/02B4
[30477] 1517302653.408576: Decrypted AS reply; session key is: aes256-cts/01D7
[30477] 1517302653.408577: FAST negotiation: available

Having the preauth module name annotated next to the preauth type could help with debugging and also with support cases.
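On a build whose trace prints only the numbers, the lists can be annotated after the fact. The script below is an added example, not part of the original report or of krb5: the name table follows the IANA Kerberos pre-authentication data type registry, and the function names and the "NAME (number)" output format are assumptions made for this illustration.

```python
import re

# PA-DATA type numbers per the IANA Kerberos pre-authentication data
# registry: the types seen in this trace plus a few common neighbours.
PA_NAMES = {
    2: "PA-ENC-TIMESTAMP", 3: "PA-PW-SALT", 11: "PA-ETYPE-INFO",
    14: "PA-PK-AS-REQ_OLD", 15: "PA-PK-AS-REP_OLD", 16: "PA-PK-AS-REQ",
    17: "PA-PK-AS-REP", 19: "PA-ETYPE-INFO2", 133: "PA-FX-COOKIE",
    136: "PA-FX-FAST", 137: "PA-FX-ERROR", 138: "PA-ENCRYPTED-CHALLENGE",
    147: "PA-PKINIT-KX",
}

# The two trace messages in the report that end in a list of type numbers.
LIST_RE = re.compile(
    r"^(?P<head>.*: (?:Processing preauth types"
    r"|Produced preauth for next request): )"
    r"(?P<types>\d+(?:, \d+)*)\s*$"
)

def pa_label(num):
    """Return 'NAME (num)'; types missing from the table stay visible."""
    return "%s (%d)" % (PA_NAMES.get(num, "UNKNOWN"), num)

def annotate_line(line):
    """Annotate one trace line; non-list lines are returned unchanged."""
    m = LIST_RE.match(line)
    if not m:
        return line  # covers "(empty)" lists and every other message
    nums = [int(n) for n in m.group("types").split(", ")]
    return m.group("head") + ", ".join(pa_label(n) for n in nums)

def annotate_trace(text):
    return "\n".join(annotate_line(l) for l in text.splitlines())

# First four lines are copied from the trace in this report; the last
# line is constructed to show how an unlisted type number is rendered.
SAMPLE = """\
[30477] 1517302646.200328: Processing preauth types: 16, 15, 14, 136, 19, 147, 2, 133
[30477] 1517302651.883545: Produced preauth for next request: 133, 2
[30477] 1517302653.408572: Processing preauth types: 19
[30477] 1517302653.408574: Produced preauth for next request: (empty)
[30477] 1517302653.408599: Processing preauth types: 2, 9999"""

if __name__ == "__main__":
    print(annotate_trace(SAMPLE))
```

To annotate a saved trace, pass the file's contents to `annotate_trace()`.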
krb5-1.16-12.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-87572156a2
krb5-1.16-12.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-87572156a2
krb5-1.16-17.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-247afd0f8c
krb5-1.16-17.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-247afd0f8c
krb5-1.16-18.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-a0cb211d9c
krb5-1.16-18.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-a0cb211d9c
krb5-1.16-18.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.