--- a/jdk/src/java.security.jgss/share/classes/sun/security/krb5/KrbKdcRep.java	Tue Jul 21 14:18:07 2015 -0700
+++ b/jdk/src/java.security.jgss/share/classes/sun/security/krb5/KrbKdcRep.java	Tue Jul 21 18:02:36 2015 +0800
@@ -75,10 +75,11 @@
             }
         }
 
-        // XXX Can renew a ticket but not ask for a renewable renewed ticket
-        // See impl of Credentials.renew().
-        if (req.reqBody.kdcOptions.get(KDCOptions.RENEWABLE) !=
-            rep.encKDCRepPart.flags.get(KDCOptions.RENEWABLE)) {
+        // Reply to a renewable request should be renewable, but if request does
+        // not contain renewable, KDC is free to issue a renewable ticket (for
+        // example, if ticket_lifetime is too big).
+        if (req.reqBody.kdcOptions.get(KDCOptions.RENEWABLE) &&
+                !rep.encKDCRepPart.flags.get(KDCOptions.RENEWABLE)) {
             throw new KrbApErrException(Krb5.KRB_AP_ERR_MODIFIED);
         }