Given a Kerberos KDC configured to issue anonymous service tickets, a client with an anonymous TGT (obtained with kinit -n) fails in gss_init_sec_context when trying to authenticate to a host in the default local realm when gss_import_name is called with "host@" as the name. If gss_import_name is called with "host/" instead, this works correctly. KRB5_TRACE says: [82592] 1450814219.510525: ccselect can't find appropriate cache for server principal host/dfw3b-rm1-1b.sjc.dropbox.com@ [82592] 1450814219.510698: Getting credentials WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS -> host/dfw3b-rm1-1b.sjc.dropbox.com@ using ccache FILE:/tmp/krb5cc_1214 [82592] 1450814219.510824: Retrieving WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS -> host/dfw3b-rm1-1b.sjc.dropbox.com@ from FILE:/tmp/krb5cc_1214 with result: -1765328243/Matching credential not found [82592] 1450814219.510914: Retrying WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS -> host/dfw3b-rm1-1b.sjc.dropbox.com@WELLKNOWN:ANONYMOUS with result: -1765328243/Matching credential not found [82592] 1450814219.510926: Server has referral realm; starting with host/dfw3b-rm1-1b.sjc.dropbox.com@WELLKNOWN:ANONYMOUS [82592] 1450814219.511006: Retrieving WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS -> krbtgt/WELLKNOWN:ANONYMOUS@WELLKNOWN:ANONYMOUS from FILE:/tmp/krb5cc_1214 with result: -1765328243/Matching credential not found so it looks like what's happening is that the service ticket lookup code is getting very confused by the @WELLKNOWN:ANONYMOUS realm instead of falling back on using the local realm to get service tickets. I'm not sure why this suddenly starts working with the host/ form of name instead, although my guess is that the local default realm is automatically appended to that Kerberos principal name and that somehow unconfuses the service ticket fetch algorithm. This behavior was seen using remctl 3.10 as the client and server, in case there are any pecularities of how it calls GSS-API that are relevant. (Both available from .) The user-visible error was: $ kinit -n $ remctl dfw3b-rm1-1b.sjc.dropbox.com bootstrap help remctl: GSS-API error initializing context: Unspecified GSS failure. Minor code may provide more information, Matching credential not found -- Russ Allbery (eagle@eyrie.org)