sync_client fails with GSSAPI error 'unknown mech-code 0 for mech unknown'

Dan White dwhite at
Tue Jun 4 12:49:55 EDT 2013

On 06/04/13 16:29 +0100, Karl Pielorz wrote:
>I've got my two 2.4.17 servers 'tantalisingly' close to replicating - 
>I created a 'replication' user on both (using 'saslpasswd2').
>This user is allowed 'admin' access (in imapd.conf). Additionally on 
>the master I've set:
>sync_authname: replication-user
>sync_password: thepassword
>sync_compress: 1
>Running 'sync_client' on the Master though nets:
>% /usr/local/cyrus/bin/sync_client -v -u user.kpielorz
>Can not connect to server '', retrying in 15 seconds
>Syslog shows:
>Jun  4 16:13:15 sync_client[37354]: GSSAPI client step 1
>Jun  4 16:13:15 sync_client[37354]: GSSAPI Error:  An unsupported 
>mechanism was requested (unknown mech-code 0 for mech unknown)
>Jun  4 16:13:15 sync_client[37354]: couldn't authenticate to backend 
>server: generic failure

The 'unknown mech-code 0 for mech unknown' is likely being generated from
your kerberos shared libraries. Check your KDC server logs, and google for
that error message.

>The replica doesn't appear to log anything - we only use 'simple' 
>saslpasswd2 authentication on the servers (no LDAP / database 
>backend) - any suggestions on where to start looking to fix this?

Oh, so you don't really want to use gssapi?

On your sync server (replica), you can restrict which sasl mechanisms are

Assuming that you have named your sync server 'syncserver' in your
/etc/cyrus.conf, configure /etc/imapd.conf with:

syncserver_sasl_mech_list: digest-md5

>Additionally in cyrus.conf we only bind imap to - 
>imaps/pop3s are used for off-host connections (in case that's an 

Dan White

More information about the Cyrus-devel mailing list