Fix earlier fix for not passing forwardable and friends in TGS-REQs

lib/krb5/get_cred.c

@@ -172,6 +172,9 @@ init_tgs_req (krb5_context context,
 	goto fail;
     t->req_body.addresses = addresses;
     t->req_body.kdc_options = flags.b;
+    t->req_body.kdc_options.forwardable = krbtgt->flags.b.forwardable;
+    t->req_body.kdc_options.renewable = krbtgt->flags.b.renewable;
+    t->req_body.kdc_options.proxiable = krbtgt->flags.b.proxiable;
     ret = copy_Realm(&in_creds->server->realm, &t->req_body.realm);
     if (ret)
 	goto fail;
@@ -188,6 +191,15 @@ init_tgs_req (krb5_context context,
     if (ret)
 	goto fail;
 
+    if (krbtgt->times.starttime) {
+        ALLOC(t->req_body.from, 1);
+        if(t->req_body.from == NULL){
+            ret = krb5_enomem(context);
+            goto fail;
+        }
+        *t->req_body.from = in_creds->times.starttime;
+    }
+
     /* req_body.till should be NULL if there is no endtime specified,
        but old MIT code (like DCE secd) doesn't like that */
     ALLOC(t->req_body.till, 1);
@@ -197,6 +209,15 @@ init_tgs_req (krb5_context context,
     }
     *t->req_body.till = in_creds->times.endtime;
 
+    if (t->req_body.kdc_options.renewable && krbtgt->times.renew_till) {
+        ALLOC(t->req_body.rtime, 1);
+        if(t->req_body.rtime == NULL){
+            ret = krb5_enomem(context);
+            goto fail;
+        }
+        *t->req_body.rtime = in_creds->times.renew_till;
+    }
+
     t->req_body.nonce = nonce;
     if(second_ticket){
 	ALLOC(t->req_body.additional_tickets, 1);
@@ -1076,13 +1097,6 @@ _krb5_get_cred_kdc_any(krb5_context context,
 	context->kdc_usec_offset = 0;
     }
 
-    if (in_creds->flags.b.renewable)
-	flags.b.renewable = 1;
-    if (in_creds->flags.b.forwardable)
-	flags.b.forwardable = 1;
-    if (in_creds->flags.b.proxiable)
-	flags.b.proxiable = 1;
-
     ret = get_cred_kdc_referral(context,
 				flags,
 				ccache,