The GSSAPI mechanism allows you to authenticate using Kerberos V5. The mechanism was originally designed to allow for any GSS-API mechanism to be used, but problems with the protocol made it unpractical and it is today restricted for use with Kerberos V5. See the GS2 mechanism (see GS2-KRB5) for a general solution.
In the client, the mechanism is enabled only if the user has acquired
credentials (i.e., a ticket granting ticket), and it requires the
In the server, the mechanism requires the
GSASL_HOSTNAME properties, and it will invoke the
GSASL_VALIDATE_GSSAPI callback property in order to validate
the user. The callback may inspect the
GSASL_GSSAPI_DISPLAY_NAME properties to decide whether to
authorize the user. Note that authentication is performed by the
XXX: explain more about quality of service, maximum buffer size, etc.