Confusing error description when server trust anchor changes

try gss-client -mech '{ 1.3.6... }'
I believe that the error is correct and that you're passing in syntax to
gss_str_to_oid that it doesn't like.

Ah, right. Now the error is:

-------------------------------------------------------------------
# gss-client -mech '{1.3.6.1.5.5.15.1.1.17}' localhost gss@localhost "hi"
GSS-API error initializing context: Unspecified GSS failure. Minor code may provide more information
GSS-API error initializing context: Generic RADIUS failure
-------------------------------------------------------------------

It would be nice if we could make the error... less generic ;)

Why are you getting a RADIUS failure at all?
Shouldn't you be getting an EAP level failure?

I think this is the relevant chunk of FreeRADIUS output:

(11) Found Auth-Type = EAP
(11) # Executing group from file /etc/freeradius/sites-enabled/abfab-tr-idp
(11) authenticate {
(11) eap: Expiring EAP session with state 0x07d0c74c07d1d27d
(11) eap: Finished EAP session with state 0x07d0c74c07d1d27d
(11) eap: Previous EAP request found for state 0x07d0c74c07d1d27d, released from the list
(11) eap: Peer sent packet with method EAP NAK (3)
(11) eap: Peer NAK'd indicating it is not willing to continue
(11) eap: Sending EAP Failure (code 4) ID 1 length 4
(11) eap: Failed in EAP select
(11) [eap] = invalid
(11) } # authenticate = invalid
(11) Failed to authenticate the user
(11) Using Post-Auth-Type Reject

... but, I'll attach a fuller copy of the log messages for you, in case my guess of the relevant part is wrong.

FreeRADIUS log of an attempt that failed because of a mismatched server cert fingerprint.