krb5_sname_to_principal or LDAP/SASL/GSSAPI and reverse DNS

[Matt Crawford]

> SSH w/ gssapi forwarding does not work... On the server side, it
> complains about misc failure, wrong principal in request, got no
> client creds, then closes the connection.

It's tough to write a GSS service in a way that will accept whatever
valid service name the client may call it by.  The straightforward
approach chooses the service's name before getting any token from the
client.