Hello, I've just encountered a minor bug in krb5-1.2.6 (and 1.2.5) in src/lib/krb5/krb/gic_keytab.c. Lines 109-113 read: /* if the master is unreachable, return the error from the slave we were able to contact */ if ((ret2 == KRB5_KDC_UNREACH) || (ret == KRB5_REALM_CANT_RESOLVE)) goto cleanup; Line 112 should almost certainly read if ((ret2 == KRB5_KDC_UNREACH) || (ret2 == KRB5_REALM_CANT_RESOLVE)) instead. The effect of this bug is that, when we can't find the master KDC for a realm, other errors get masked as KRB5_REALM_CANT_RESOLVE instead of the real error. I found this when attempting to get a krbtgt from a realm that is served by an Active Directory server. There's no "admin_server" entry in my krb5.conf for that realm, and there are no DNS service entries (that I can resolve) for it, either; just kdc and kpasswd entries for it. Adding a (bogus) admin_server entry to the kdc.conf causes the real error to be returned. Thanks. -- Ben Cox