The current implementation of krb5_get_error_string(krb5_context) will reset the context->error_string to NULL and return error_string. So if some code calls this function second time the error string will be NULL. I wonder if it can be simply strdup()-ed and returned to the caller, to make the function indempotent.
The reason is that sometimes an error may be inspected in multiple code components. Each unit of code may want to independently produce debugging message and call this function to get krb5 context error string. Since the caller is expected to call krb5_free_error_string(), it seems to me a strdup() should be OK.