diff --git a/lib/gssapi/mech/gss_krb5.c b/lib/gssapi/mech/gss_krb5.c
index 036e4f313..af1ff8515 100644
--- a/lib/gssapi/mech/gss_krb5.c
+++ b/lib/gssapi/mech/gss_krb5.c
@@ -471,10 +471,12 @@ gsskrb5_extract_authtime_from_sec_context(OM_uint32 *minor_status,
 time_t *authtime)
 {
 gss_buffer_set_t data_set = GSS_C_NO_BUFFER_SET;
- unsigned char buf[4];
 OM_uint32 maj_stat;
+ krb5_error_code ret;
+ OM_uint32 time32;

 if (context_handle == GSS_C_NO_CONTEXT) {
+ _gsskrb5_set_status("no context handle");
 *minor_status = EINVAL;
 return GSS_S_FAILURE;
 }
@@ -487,22 +489,37 @@ gsskrb5_extract_authtime_from_sec_context(OM_uint32 *minor_status,
 if (maj_stat)
 return maj_stat;

- if (data_set == GSS_C_NO_BUFFER_SET || data_set->count != 1) {
+ if (data_set == GSS_C_NO_BUFFER_SET) {
+ _gsskrb5_set_status("no buffers returned");
 gss_release_buffer_set(minor_status, &data_set);
 *minor_status = EINVAL;
 return GSS_S_FAILURE;
 }

- if (data_set->elements[0].length != sizeof(buf)) {
+ if (data_set->count != 1) {
+ _gsskrb5_set_status("%d != 1 buffers returned", data_set->count);
 gss_release_buffer_set(minor_status, &data_set);
 *minor_status = EINVAL;
 return GSS_S_FAILURE;
 }

- memcpy(buf, data_set->elements[0].value, sizeof(buf));
+ if (data_set->elements[0].length != 4) {
+ gss_release_buffer_set(minor_status, &data_set);
+ _gsskrb5_set_status("Error extracting authtime from security context: "
+ "only got %d != 4 bytes",
+ data_set->elements[0].length);
+ *minor_status = EINVAL;
+ return GSS_S_FAILURE;
+ }
+
+ ret = _gsskrb5_decode_om_uint32(data_set->elements[0].value, &time32);
 gss_release_buffer_set(minor_status, &data_set);
-
- *authtime = (buf[0] <<24) | (buf[1] << 16) | (buf[2] << 8) | (buf[3] << 0);
+ if (ret) {
+ *minor_status = ret;
+ return GSS_S_FAILURE;
+ }
+
+ *authtime = time32;

 *minor_status = 0;
 return GSS_S_COMPLETE;
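Review bot: In the second hunk's `length != 4` branch the buffer set is released before the status message reads it: `gss_release_buffer_set(minor_status, &data_set);` runs first, and the `_gsskrb5_set_status(...)` call after it still passes `data_set->elements[0].length`. The error path therefore dereferences a released buffer set (a null one, if the release resets the handle to GSS_C_NO_BUFFER_SET) on exactly the input that is malformed. The two branches above it set the status first; do the same here by moving the release to just after the `_gsskrb5_set_status` call. Separately, `data_set->count` and `elements[0].length` are normally `size_t` in the GSS-API headers while both formats use `%d`; cast and match the specifier, e.g. `"%lu != 1 buffers returned", (unsigned long)data_set->count`. The function starts before the first hunk and ends after this one, so how the status string is consumed is not visible here.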