diff --git a/kafka/sasl/gssapi.py b/kafka/sasl/gssapi.py
index 6a4896585..c8e4f7cac 100644
--- a/kafka/sasl/gssapi.py
+++ b/kafka/sasl/gssapi.py
@@ -1,5 +1,7 @@
 from __future__ import absolute_import
 
+import struct
+
 # needed for SASL_GSSAPI authentication:
 try:
     import gssapi
@@ -68,8 +70,8 @@ def receive(self, auth_bytes):
             client_flags = self.SASL_QOP_AUTH
             server_flags = msg[0]
             message_parts = [
-                bytes(client_flags & server_flags),
-                msg[:1],
+                struct.Struct('>b').pack(client_flags & server_flags),
+                msg[1:],
                 self.auth_id.encode('utf-8'),
             ]
             # add authorization identity to the response, and GSS-wrap
diff --git a/test/sasl/test_gssapi.py b/test/sasl/test_gssapi.py
index 893414e37..aa1d86b9e 100644
--- a/test/sasl/test_gssapi.py
+++ b/test/sasl/test_gssapi.py
@@ -32,7 +32,7 @@ def mocked_message_wrapper(msg, *args):
     while not gssapi.is_done():
         send_token = gssapi.auth_bytes()
         receive_token = send_token # not realistic, but enough for testing
-        if send_token == b'\x00cbar@foo': # final wrapped message
+        if send_token == b'\x01ompletebar@foo': # final wrapped message
             receive_token = b'' # final message gets an empty response
         gssapi.receive(receive_token)
         if client_ctx.step.call_count == 3: