--- old/src/share/classes/sun/security/krb5/KrbKdcRep.java 2018-09-19 13:52:42.392194356 +0530
+++ new/src/share/classes/sun/security/krb5/KrbKdcRep.java 2018-09-19 13:52:42.024194356 +0530
@@ -75,10 +75,11 @@
 }
 }
- // XXX Can renew a ticket but not ask for a renewable renewed ticket
- // See impl of Credentials.renew().
- if (req.reqBody.kdcOptions.get(KDCOptions.RENEWABLE) !=
- rep.encKDCRepPart.flags.get(KDCOptions.RENEWABLE)) {
+ // Reply to a renewable request should be renewable, but if request does
+ // not contain renewable, KDC is free to issue a renewable ticket (for
+ // example, if ticket_lifetime is too big).
+ if (req.reqBody.kdcOptions.get(KDCOptions.RENEWABLE) &&
+ !rep.encKDCRepPart.flags.get(KDCOptions.RENEWABLE)) {
 throw new KrbApErrException(Krb5.KRB_AP_ERR_MODIFIED);
 }
 if ((req.reqBody.from == null) || req.reqBody.from.isZero())
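Review bot: The new comment above the RENEWABLE check gives the interoperability reason for relaxing it but not why the relaxation is safe, which matters because this branch exists to reject a reply that does not match the request (it throws `KRB_AP_ERR_MODIFIED`). The flag is read from `rep.encKDCRepPart`, which by its name appears to be the decrypted part of the reply, so an unrequested RENEWABLE bit would have to originate from the KDC rather than from tampering in transit; I would say so, e.g. `// Accepting an unrequested RENEWABLE flag is safe: it is read from the encrypted reply part.` RFC 4120 describes the "lifetime too big" case under the RENEWABLE-OK request option, so it is worth confirming whether the condition should consult that option or deliberately ignores it for interoperability, and recording the decision in the comment. Separately, the reply's ticket flags are indexed with a `KDCOptions` constant, which is correct only while the two bit positions coincide. The enclosing method starts and ends outside the hunk, so this is based on the visible lines only.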