The attached patch solves the problem for me.
--- libpam-krb5-2.6.orig/support.c
+++ libpam-krb5-2.6/support.c
@@ -189,14 +189,19 @@
 
     /* Set ticket options. */
     krb5_get_init_creds_opt_init(&opts);
+    if (in_tkt_service == NULL) {
 #ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_DEFAULT_FLAGS
-    krb5_get_init_creds_opt_set_default_flags(ctx->context, "pam",
-                                              args->realm_data, &opts);
+        krb5_get_init_creds_opt_set_default_flags(ctx->context, "pam",
+                                                  args->realm_data, &opts);
 #endif
-    if (args->forwardable)
-        krb5_get_init_creds_opt_set_forwardable(&opts, 1);
-    if (args->renew_lifetime != 0)
-        krb5_get_init_creds_opt_set_renew_life(&opts, args->renew_lifetime);
+        if (args->forwardable)
+            krb5_get_init_creds_opt_set_forwardable(&opts, 1);
+        if (args->renew_lifetime != 0)
+            krb5_get_init_creds_opt_set_renew_life(&opts, 
args->renew_lifetime);
+    } else {
+       krb5_get_init_creds_opt_set_forwardable(&opts, 0);
+       krb5_get_init_creds_opt_set_proxiable(&opts, 0);
+    }
 
     /* Fill in the principal to authenticate as. */
     retval = krb5_parse_name(ctx->context, ctx->name, &ctx->princ);
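Review bot: The new `else` branch clears the forwardable and proxiable flags but leaves the renewable lifetime untouched, so when `in_tkt_service` is set the request may still pick up a renewable lifetime from the Kerberos library's own defaults (inferred; the library configuration is not visible here). For a ticket scoped to a single service, also add `krb5_get_init_creds_opt_set_renew_life(&opts, 0);` in that branch so the request carries no more capability than needed. A short comment above the `if` would help, for example `/* Service-specific tickets (e.g. password change) must not inherit the user's ticket options. */`. The `else` body is indented seven spaces where the rest of the block uses eight, and the `set_renew_life` call in the first branch has been wrapped across two lines by the mailer, so the patch will not apply as posted. The enclosing function starts and ends outside this hunk, so the way `in_tkt_service` is supplied could not be checked.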
