If you acquire a claimant credential with one mech type (say, krb5) and then gss_init_sec_context with another mech type (say, SPNEGO), RFC 2743 implies that you should get back GSS_S_BAD_MECH. What actually happens is that we proceed with default credentials for the named mechanism.