Hi, I've started to use krb5's (krb-1.6.3) gss API and it happened quite often in the first time, that this function failed for various reasons (which is not a problem so far). The function returned GSS_S_FAILURE and according to the documentation a more specific error code should be in minor_status. But in my case minor_status was always 0. I've digged a little bit in the implementation in krb5/src/lib/gssapi/krb5/accept_sec_context.c and it looks like in line 928 the minor_status is correctly set to code, which is the return value of most krb5 functions: *minor_status = code; So far this would work perfectly. Unfortunately, at the end of this function it will be overwritten: if (!verifier_cred_handle && cred_handle) { krb5_gss_release_cred(minor_status, &cred_handle); } At least in my case, the condition was always true (because I've called accept_sec_contect with verifier_cred_handle=GSS_C_NO_CREDENTIAL) and so the real error was always hidden. Because this is not very convenient (and usually the return code of krb5_gss_release_cred is much less helpful than the real error code of a previous failed function), I'd suggest to change the code like this: --- src/lib/gssapi/krb5/accept_sec_context.c +++ src/lib/gssapi/krb5/accept_sec_context.c @@ -991,7 +991,8 @@ *output_token = token; } if (!verifier_cred_handle && cred_handle) { - krb5_gss_release_cred(minor_status, &cred_handle); + int release_minor_status; + krb5_gss_release_cred(&release_minor_status, &cred_handle); } krb5_free_context(context); return (major_status); It would be great if you could review this patch and consider to apply the it. Thank you very much in advance! Best regards, Christian