There's not currently a good solution for gss_userok. What a lot of people do is either have their own ACL system, or convert the name to a krb5 principal and call krb5_userok.
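A sketch of the "own ACL system" option, as an added example that is not part of the original post: the service takes the authenticated initiator's name as a string (assumed here to come from `gss_display_name()`) and checks it against a per-user ACL. The ACL format, the function name `acl_userok` and the sample entries are assumptions made up for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample ACL (hypothetical format): "local_user principal"
 * per line; everything after '#' is a comment. */
static const char SAMPLE_ACL[] =
    "# constructed sample\n"
    "alice alice@EXAMPLE.COM\n"
    "alice admin@EXAMPLE.COM   # ops access\n"
    "bob bob@EXAMPLE.COM extra\n";          /* malformed: three fields */

/* Returns 1 if `principal` may act as local user `luser`, else 0.
 * `principal` is assumed to be the display name of the authenticated
 * GSS-API initiator. Fails closed: empty input, over-long lines and
 * malformed lines never grant access. Matching is exact and
 * case-sensitive, so "alice@example.com" or "alice@EXAMPLE.COM.evil"
 * does not match "alice@EXAMPLE.COM". */
int acl_userok(const char *acl, const char *principal, const char *luser)
{
    char line[512], user[512], princ[512], extra[2];

    if (!acl || !principal || !luser || !*principal || !*luser)
        return 0;
    while (*acl) {
        size_t n = strcspn(acl, "\n");
        if (n < sizeof line) {               /* skip lines that do not fit */
            memcpy(line, acl, n);
            line[n] = '\0';
            line[strcspn(line, "#")] = '\0'; /* strip trailing comment */
            /* Require exactly two fields; a third token voids the line. */
            if (sscanf(line, "%511s %511s %1s", user, princ, extra) == 2 &&
                strcmp(user, luser) == 0 && strcmp(princ, principal) == 0)
                return 1;
        }
        acl += n;
        if (*acl == '\n')
            acl++;
    }
    return 0;
}

int main(void)
{
    printf("alice@EXAMPLE.COM as alice: %d\n",
           acl_userok(SAMPLE_ACL, "alice@EXAMPLE.COM", "alice"));
    printf("alice@EXAMPLE.COM as root:  %d\n",
           acl_userok(SAMPLE_ACL, "alice@EXAMPLE.COM", "root"));
    return 0;
}
```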