PROXY tickets and GSSAPI

[Wyllys Ingersoll]

I have a scenario where I would like to have a GSSAPI-based server
receive creds from a client and then act as a "proxy" by assuming the
clients identity (the initial client sent delegated creds with the 
PROXIABLE flags set)
to access a third service.

However, this does not seem possible given the current GSSAPI without
breaking the GSS abstraction layer in the intermediate server and 
directly manipulating
the Kerberos creds.   Has anyone done something similar or know if it would
be possible without alot of ugly hacks that break the barrier between 
GSSAPI and KRB5 ?

-Wyllys Ingersoll