Hi, If a principal has the DISALLOW_FORWARDABLE attribute in the KDC, but /etc/krb5.conf has forwardable = true, then it is impossible to obtain a ticket using ksu ("KDC policy rejects request while getting initial credentials"). Would you be interested in a patch to implement a -F option (in the same way as kinit) to explicitly request a non-forwardable ticket? Cheers Toby Blake School of Informatics University of Edinburgh -- The University of Edinburgh is a charitable body, registered in Scotland, with registration number SC005336.