Subject: forwardable kerberos tickets from login
To: None <netbsd-users@NetBSD.org>
From: Daniel Farrugia <dfarr@seven9.com>
List: netbsd-users
Date: 01/23/2005 18:40:52
Hi,

I've set up a test Kerberos realm on my home network and tried to get
forwardable tickets upon login. In /etc/krb5.conf I have:

    [appdefaults]
        forwardable = yes
    [libdefaults]
        forwardable = yes

kinit (with and without -f) gives me forwardable tickets; however, when I
log in from the console the Kerberos ticket is not forwardable. Upon
closer inspection of src/usr.bin/login/login.c I noticed the variable

    int login_krb5_forwardable_tgt = 0;

This variable determines if login should request a forwardable ticket
from the KDC and its value seems to be hard-coded. By changing the value
to 1 and recompiling login I managed to get forwardable tickets. Is this
a missing feature or is there a reason for forwardable tickets to be
disabled?

Thanks
--
Daniel Farrugia - email: dfarr@seven9.com - web: www.seven9.com