An spnego credential is itself a union credential, so search through it
when we're looking for credentials of a mechanism which may already have
been wrapped by spnego.  RT #5807.

Index: src/lib/gssapi/mechglue/g_glue.c
===================================================================
--- src/lib/gssapi/mechglue/g_glue.c	(revision 20093)
+++ src/lib/gssapi/mechglue/g_glue.c	(working copy)
@@ -33,6 +33,8 @@
 #define	MSO_BIT (8*(sizeof (int) - 1))  /* Most significant octet bit */
 
 extern gss_mechanism *gssint_mechs_array;
+#define SPNEGO_OID_LENGTH 6
+#define SPNEGO_OID "\053\006\001\005\005\002"
 
 /*
  * This file contains the support routines for the glue layer.
@@ -548,6 +550,8 @@
     gss_OID		mech_type;
 {
     int		i;
+    gss_union_cred_t	spnego_cred;
+    gss_cred_id_t	mech_cred;
     
     if (union_cred == GSS_C_NO_CREDENTIAL)
 	return GSS_C_NO_CREDENTIAL;
@@ -555,6 +559,17 @@
     for (i=0; i < union_cred->count; i++) {
 	if (g_OID_equal(mech_type, &union_cred->mechs_array[i]))
 	    return union_cred->cred_array[i];
+
+	/* if this is an spnego credential, search its contents */
+	if ((union_cred->mechs_array[i].length == SPNEGO_OID_LENGTH) &&
+	    (memcmp(union_cred->mechs_array[i].elements,
+		    SPNEGO_OID,
+		    SPNEGO_OID_LENGTH) == 0)) {
+	    spnego_cred = union_cred->cred_array[i];
+	    mech_cred = gssint_get_mechanism_cred(spnego_cred, mech_type);
+	    if (mech_cred != GSS_C_NO_CREDENTIAL)
+		return mech_cred;
+	}
     }
     return GSS_C_NO_CREDENTIAL;
 }