Can you identify the specific mod_auth_krb5 source code in use in this scenario? The GSSAPI library is capable of generating more specific error messages based on the minor code, if the calling application does the right thing. The version of mod_auth_krb5 I looked at ought to generate a message based on the minor code... but it also shouldn't have needed to read from or write to a ccache when calling that function. So I'm probably looking at the wrong code.