If the credential cache is read-only or otherwise unwritable, krb5_get_credentials() should not fail. The use of a credential cache is simply an optimization, not a requirement.

In the 1.6 series this is handled correctly for the simple case but fails for the cross-realm case. The fix is to remove the assignment "retval = rv2" in the krb5_get_credentials() loop:

    if (tgts) {
        register int i = 0;
        krb5_error_code rv2;
        while (tgts[i]) {
            if ((rv2 = krb5_cc_store_cred(context, ccache, tgts[i]))) {
                retval = rv2;   /* the assignment to remove */
                break;
            }
            i++;
        }
        krb5_free_tgt_creds(context, tgts);
    }

On the trunk this bug was introduced in all cases. Whenever krb5_cc_store_cred() is called and fails, the error code is checked and returned. The fix is to never check and return the error code. See src/lib/krb5/krb/get_creds.c step_referrals(), step_get_tgt(), and complete().
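The 1.6 loop and the proposed fix side by side, as an added example that is not code from the krb5 tree. The types, `store_cred()` (standing in for krb5_cc_store_cred()), the function names and the error value are hypothetical stand-ins so the block compiles without libkrb5.

```c
#include <stddef.h>

/* Stand-ins for the krb5 types and calls (hypothetical, not libkrb5). */
#define ERR_CACHE_READONLY 13            /* constructed error value */

struct cache { int writable; int stored; };
struct cred  { const char *server; };

/* Plays the role of krb5_cc_store_cred(): fails on a read-only cache. */
static int store_cred(struct cache *cc, const struct cred *c)
{
    (void)c;
    if (!cc->writable)
        return ERR_CACHE_READONLY;
    cc->stored++;
    return 0;
}

/* 1.6 cross-realm behaviour: a failed store replaces the caller's result,
 * so a successful ticket acquisition is reported as a failure. */
int finish_buggy(struct cache *cc, struct cred **tgts, int retval)
{
    if (tgts) {
        int i = 0, rv2;
        while (tgts[i]) {
            if ((rv2 = store_cred(cc, tgts[i]))) {
                retval = rv2;
                break;
            }
            i++;
        }
    }
    return retval;
}

/* With the assignment removed: caching is best effort, and retval from
 * the ticket acquisition is returned unchanged. */
int finish_fixed(struct cache *cc, struct cred **tgts, int retval)
{
    if (tgts) {
        for (int i = 0; tgts[i]; i++) {
            if (store_cred(cc, tgts[i]))
                break;   /* cache is unwritable: stop storing, keep retval */
        }
    }
    return retval;
}
```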