On Solaris 9 I'm having an issue where --negotiate isn't working because
the wrong mechanism is being used. The error I see is:

gss_init_sec_context() failed: : mech_dh: No secret key

The problem can be fixed by re-ordering /etc/gss/mech to have kerberos
first (it is currently one of the Diffie-Hellman algos).

My question is: Is this the accepted way of doing it?

An alternative would be to pass in the kerberos OID to
gss_init_sec_context() as the mechanism. I did this by passing the krb5
OID string to gss_str_to_oid() and using the resulting token in the
gss_init_sec_context() call.

My GSS-API mech file is dated 2004 so I'm assuming it was copied off the
install CD and never touched since. I don't want to assume that bad
things won't happen if I re-order the file :-)

thanks

rob