The mechglue for gss_accept_sec_context suppresses error tokens, which means that an initiator who is waiting for a response after receiving GSS_S_CONTINUE_NEEDED is never notified that there's a problem. It appears the code has been this way ever since the mechglue was introduced. This fixes it for me: Index: g_accept_sec_context.c =================================================================== --- g_accept_sec_context.c (revision 42878) +++ g_accept_sec_context.c (working copy) @@ -385,9 +385,6 @@ free(union_ctx_id); } - if (output_token->length) - (void) gss_release_buffer(&temp_minor_status, output_token); - if (src_name) *src_name = GSS_C_NO_NAME;
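
Review bot: Removing the `gss_release_buffer(&temp_minor_status, output_token)` call from this cleanup block (the lines just before `*src_name = GSS_C_NO_NAME`) changes buffer ownership on every failure that reaches it, and the hunk leaves no comment saying so. After this change a failed call can return with a non-empty `output_token`, so the caller has to send it to the initiator and release it; callers written against the old behaviour, where the token was always released here on failure, would leak it. Please add a comment at this point stating that the token is deliberately preserved so the mechanism's error token reaches the peer, and confirm that every path into this block either leaves `output_token` empty or holds a token the mechanism actually produced, so that a partially filled buffer is never handed back. It is also worth checking whether `temp_minor_status` is still used elsewhere in the function now that this call is gone.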