When using gss_export_sec_context on a security context that was created using impersonated credentials, gss_export_sec_context segfaults. The problem is that it assumes that if ctx->initiator exists then ctx->initiator->ad_context exists which doesn't appear to be the case when impersonated credentials were used. The following changes fixed it for us. --- krb5/src/lib/gssapi/krb5/ser_sctx.c (revision 41102) +++ krb5/src/lib/gssapi/krb5/ser_sctx.c (working copy) @@ -357,7 +357,7 @@ initiator_name = ctx->initiate ? ctx->here : ctx->there; - if (initiator_name) { + if (initiator_name && initiator_name->ad_context) { kret = krb5_size_opaque(kcontext, KV5M_AUTHDATA_CONTEXT, initiator_name->ad_context, @@ -534,7 +534,7 @@ initiator_name = ctx->initiate ? ctx->here : ctx->there; - if (initiator_name) { + if (initiator_name && initiator_name->ad_context) { kret = krb5_externalize_opaque(kcontext, KV5M_AUTHDATA_CONTEXT, initiator_name->ad_context, @@ -767,6 +767,8 @@ (krb5_pointer *)&initiator_name->ad_context, &bp, &remain); + if (kret == EINVAL) + kret = 0; } } /* Get trailer */