I took a closer look at the gic_opt fields.

The following fields affect preauth and must be carried over:

* Preauth list
* Salt
* Preauth options
* FAST ccache
* Input ccache
* FAST flags
* Responder: affects preauth, must be carried over.

The canonicalize flag should also be carried over, making eight fields we must carry over.

The following fields could be harmful if carried over:

* Forwardable: could cause failure due to #7871
* Proxiable: same
* Output ccache: we do not want to store the kadmin/changepw ticket
* Anonymous: we can't change a password with an anonymous ticket
* Etype list: could cause failure if kadmin/changepw has only one key.

It's probably also best not to carry over the address list, making six fields we would not want to carry over.

As long as we have to make changes, the ticket lifetime and renewable lifetime fields should also be set (to 300 and 0 as they are now).

The remaining two fields (change password prompt flag and expiration callback) are irrelevant as they are interpreted by gic_pwd.c.