We make forwardable tickets the default in the [libdefaults] section of our krb5.conf file, but we disable forwardable tickets for privileged principals (*/root, */admin). Authenticating to kadmin with a password as a privileged account therefore fails on systems with our default krb5.conf file. In kadm5_gic_iter(), when authenticating with a password, the client library sets up a krb5_get_init_creds_opt structure but doesn't set any parameters in it. Since the acquired credentials are going into a memory cache specific to that client invocation, forwardable tickets are pointless. I think the kadmin client library should therefore force the forwardable option (and probably the proxiable option and renewable time) to false.