sync_client fails with GSSAPI error 'unknown mech-code 0 for mech unknown'

Dan White dwhite at olp.net
Tue Jun 4 12:49:55 EDT 2013


On 06/04/13 16:29 +0100, Karl Pielorz wrote:
>
>Hi,
>
>I've got my two 2.4.17 servers 'tantalisingly' close to replicating - 
>I created a 'replication' user on both (using 'saslpasswd2').
>
>This user is allowed 'admin' access (in imapd.conf). Additionally on 
>the master I've set:
>
>"
>sync_host: my-replica-server.com
>sync_authname: replication-user
>sync_password: thepassword
>sync_compress: 1
>"
>
>Running 'sync_client' on the Master though nets:
>
>"
>% /usr/local/cyrus/bin/sync_client -v -u user.kpielorz
>Can not connect to server 'my-replica-server.com', retrying in 15 seconds
>"
>
>Syslog shows:
>
>"
>Jun  4 16:13:15 sync_client[37354]: GSSAPI client step 1
>Jun  4 16:13:15 sync_client[37354]: GSSAPI Error:  An unsupported 
>mechanism was requested (unknown mech-code 0 for mech unknown)
>Jun  4 16:13:15 sync_client[37354]: couldn't authenticate to backend 
>server: generic failure
>"

The 'unknown mech-code 0 for mech unknown' is likely being generated from
your Kerberos shared libraries. Check your KDC server logs, and Google for
that error message.

>The replica doesn't appear to log anything - we only use 'simple' 
>saslpasswd2 authentication on the servers (no LDAP / database 
>backend) - any suggestions on where to start looking to fix this?

Oh, so you don't really want to use GSSAPI?

On your sync server (replica), you can restrict which SASL mechanisms are
offered.

Assuming that you have named your sync server 'syncserver' in your
/etc/cyrus.conf, configure /etc/imapd.conf with:

syncserver_sasl_mech_list: digest-md5

>Additionally in cyrus.conf we only bind imap to 127.0.0.1 - 
>imaps/pop3s are used for off-host connections (in case that's an 
>issue?)

-- 
Dan White
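
Added example, not part of the original message and not Cyrus code: a Python check that reads the replica's imapd.conf for the effective per-service sasl_mech_list and compares it with the mechanisms sync_client actually started, taken from '<MECH> client step N' syslog lines like those quoted above. The config and log samples are constructed, the function names are hypothetical, and the service name 'syncserver' is assumed as in the reply.

```python
import re

# Constructed replica imapd.conf; option values are illustrative only.
REPLICA_CONF = """\
# constructed sample
admins: replication-user
syncserver_sasl_mech_list: digest-md5
"""

# Constructed master syslog lines, shaped like the ones quoted in the thread.
MASTER_LOG = """\
Jun  4 16:13:15 sync_client[37354]: GSSAPI client step 1
Jun  4 16:13:15 sync_client[37354]: couldn't authenticate to backend server: generic failure
"""

def parse_conf(text):
    """Parse 'option: value' lines (no continuation or @include handling)."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            key, value = line.split(":", 1)
            opts[key.strip().lower()] = value.strip()
    return opts

def offered_mechs(opts, service):
    """Service-prefixed sasl_mech_list overrides the global one; None = unrestricted."""
    value = opts.get(service + "_sasl_mech_list", opts.get("sasl_mech_list"))
    return None if value is None else {m.upper() for m in value.split()}

def attempted_mechs(log_text, program="sync_client"):
    """Mechanisms the client actually started, from '<MECH> client step N' lines."""
    pat = re.compile(r"\b%s\[\d+\]: (\S+) client step \d+" % re.escape(program))
    return {m.group(1).upper() for m in pat.finditer(log_text)}

def audit(conf_text, log_text, service="syncserver"):
    """Return findings: unrestricted service, or attempts outside the allowed list."""
    allowed = offered_mechs(parse_conf(conf_text), service)
    tried = attempted_mechs(log_text)
    if allowed is None:
        return ["%s: mechanism list unrestricted; client tried %s"
                % (service, ", ".join(sorted(tried)) or "nothing")]
    return ["%s: client tried %s, not in allowed list %s"
            % (service, m, sorted(allowed)) for m in sorted(tried - allowed)]

if __name__ == "__main__":
    for finding in audit(REPLICA_CONF, MASTER_LOG):
        print(finding)
```

An empty result from audit() on log lines collected after the change means sync_client only started mechanisms that the replica's list allows.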

