The GSSAPI mechanism allows you to authenticate using Kerberos V5. The mechanism was originally designed to allow for any GSS-API mechanism to be used, but problems with the protocol made it unpractical and it is today restricted for use with Kerberos V5. See the GS2 mechanism (see GS2-KRB5) for a general solution.
In the client, the mechanism is enabled only if the user has acquired
credentials (i.e., a ticket granting ticket), and it requires the
GSASL_AUTHID, GSASL_SERVICE, and GSASL_HOSTNAME
properties.
In the server, the mechanism requires the GSASL_SERVICE and
GSASL_HOSTNAME properties, and it will invoke the
GSASL_VALIDATE_GSSAPI callback property in order to validate
the user. The callback may inspect the GSASL_AUTHZID and
GSASL_GSSAPI_DISPLAY_NAME properties to decide whether to
authorize the user. Note that authentication is performed by the
GSS-API library.
XXX: explain more about quality of service, maximum buffer size, etc.