Forwardable tickets - need help
egrama
egrama at gmail.com
Fri Sep 17 13:40:19 EDT 2010
Hi guys,
I am new to Kerberos so please bear with me and help me with this:
I am using MIT's kerberos that came with RHEL.
I want all the tickets for a particular principal to be
non-forwardable. I modified the principal accordingly using "modprinc
-allow_forwardable <principal>"
On host A, I get a ticket with kinit and then issue a klist -f and I
have "Flags: RIA". So this ticket is not forwardable, right?
I take the ticket cache from /tmp/krb5cc_<uid> and move it to host B
in /tmp/krb5cc_<uid>. After this step, from host B I can authenticate
to other hosts without password, using only the cached ticket.
Shouldn't a non-forwardable ticket be good only on the host to which
it was issued (host A in our example)?
The MIT website states that:
"If a ticket is forwardable, then the KDC can issue a new ticket with
a different network address based on the forwardable ticket. This
allows for authentication forwarding without requiring a password to
be typed in again."
Is there an error in my implementation, or am I not understanding the
way Kerberos authentication should work?
Thanks,
Emil
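The file copied from /tmp/krb5cc_<uid> above is an MIT credential cache, and the "Flags: RIA" line that klist -f prints is read straight out of it. The following added example (not the poster's code, and not part of the original thread) parses the MIT ccache file format, version 4, and reports two things per credential: the klist-style flag letters, and the addresses embedded in the ticket. That second field is the one that binds a ticket to a host: a ticket whose address list is empty is accepted by services no matter which host presents it, and the forwardable flag only governs whether the KDC will issue a new TGT with different addresses on request. Because it must run offline, the cache bytes are constructed inline (dummy key and ticket contents, principal emil@EXAMPLE.COM, realm EXAMPLE.COM are all assumptions); parse_ccache_file() reads a real cache instead.

```python
"""Parse an MIT krb5 credential cache (file format version 4) and report,
for each credential, the ticket flags as klist -f prints them and the
addresses stored in the ticket.  Added example for this thread, not the
poster's code.  The sample cache bytes are constructed inline so the
script runs offline; parse_ccache_file('/tmp/krb5cc_<uid>') reads a real one."""
import struct

# Ticket flag bits as stored in the cache (MIT TKT_FLG_* values), in the
# order klist -f prints their letters.
FLAG_LETTERS = [
    (0x40000000, "F"),  # FORWARDABLE
    (0x20000000, "f"),  # FORWARDED
    (0x10000000, "P"),  # PROXIABLE
    (0x08000000, "p"),  # PROXY
    (0x04000000, "D"),  # MAY_POSTDATE
    (0x02000000, "d"),  # POSTDATED
    (0x00800000, "R"),  # RENEWABLE
    (0x00400000, "I"),  # INITIAL
    (0x01000000, "i"),  # INVALID
    (0x00200000, "A"),  # PRE_AUTHENT
    (0x00100000, "H"),  # HW_AUTHENT
    (0x00080000, "T"),  # TRANSIT_POLICY_CHECKED
    (0x00040000, "O"),  # OK_AS_DELEGATE
    (0x00008000, "a"),  # ANONYMOUS
]
ADDRTYPE_INET = 2  # IPv4, 4 bytes of address data


class _Reader:
    """Big-endian cursor over the cache bytes; every field is length-prefixed."""
    def __init__(self, data):
        self.data, self.pos = data, 0
    def take(self, n):
        chunk = self.data[self.pos:self.pos + n]
        if len(chunk) != n:
            raise ValueError("truncated ccache")
        self.pos += n
        return chunk
    def u8(self):  return self.take(1)[0]
    def u16(self): return struct.unpack(">H", self.take(2))[0]
    def u32(self): return struct.unpack(">I", self.take(4))[0]
    def blob(self): return self.take(self.u32())
    def at_end(self): return self.pos >= len(self.data)


def _principal(r):
    r.u32()                                   # name type (not needed for display)
    ncomp = r.u32()
    realm = r.blob().decode()
    return "/".join(r.blob().decode() for _ in range(ncomp)) + "@" + realm


def _format_addr(addrtype, addr):
    if addrtype == ADDRTYPE_INET and len(addr) == 4:
        return ".".join(str(b) for b in addr)
    return "type%d:%s" % (addrtype, addr.hex())


def _credential(r):
    client, server = _principal(r), _principal(r)
    r.u16(); r.blob()                         # keyblock: enctype, session key
    authtime, starttime, endtime, renew_till = struct.unpack(">IIII", r.take(16))
    r.u8()                                    # is_skey
    flags = r.u32()
    addresses = [_format_addr(r.u16(), r.blob()) for _ in range(r.u32())]
    for _ in range(r.u32()):                  # authdata entries: type, contents
        r.u16(); r.blob()
    r.blob(); r.blob()                        # ticket, second_ticket (opaque here)
    return {"client": client, "server": server, "endtime": endtime,
            "flags": "".join(l for bit, l in FLAG_LETTERS if flags & bit),
            "forwardable": bool(flags & 0x40000000), "addresses": addresses}


def parse_ccache(data):
    r = _Reader(data)
    if r.take(2) != b"\x05\x04":
        raise ValueError("only ccache format version 4 is handled")
    r.take(r.u16())                           # header tags (DeltaTime etc.)
    result = {"default_principal": _principal(r), "credentials": []}
    while not r.at_end():                     # cache config entries show up here too
        result["credentials"].append(_credential(r))
    return result


def parse_ccache_file(path):
    with open(path, "rb") as f:
        return parse_ccache(f.read())


# --- constructed sample cache (not captured from a real system) -------------
def _data(b): return struct.pack(">I", len(b)) + b
def _princ(name_type, realm, *comps):
    out = struct.pack(">II", name_type, len(comps)) + _data(realm.encode())
    return out + b"".join(_data(c.encode()) for c in comps)

def build_sample_ccache(flags=0x00E00000, addresses=()):
    """One TGT for emil@EXAMPLE.COM; default flags RENEWABLE|INITIAL|PRE_AUTHENT."""
    header = struct.pack(">HH", 1, 8) + bytes(8)          # tag 1 = DeltaTime
    out = b"\x05\x04" + struct.pack(">H", len(header)) + header
    out += _princ(1, "EXAMPLE.COM", "emil")                # default principal
    out += _princ(1, "EXAMPLE.COM", "emil")                # client
    out += _princ(2, "EXAMPLE.COM", "krbtgt", "EXAMPLE.COM")  # server (TGS)
    out += struct.pack(">H", 18) + _data(bytes(32))        # enctype 18, dummy key
    out += struct.pack(">IIII", 1284745219, 1284745219, 1284781219, 1285350019)
    out += b"\x00" + struct.pack(">II", flags, len(addresses))
    for addrtype, addr in addresses:
        out += struct.pack(">H", addrtype) + _data(addr)
    out += struct.pack(">I", 0)                            # no authdata
    out += _data(b"dummy-ticket") + _data(b"")             # ticket, second_ticket
    return out


if __name__ == "__main__":
    for cred in parse_ccache(build_sample_ccache())["credentials"]:
        print(cred["server"], "flags:", cred["flags"],
              "addresses:", cred["addresses"] or "none (usable from any host)")
```

Run against the constructed cache this prints flags RIA with no addresses, which matches what the poster saw: nothing in that cache ties it to host A, so copying the file to host B works. Passing an address list to build_sample_ccache() shows what a host-bound ticket would look like; with MIT kinit, address-bearing tickets are only issued when the client asks for them, which is not the RHEL default.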