sync_client fails with GSSAPI error 'unknown mech-code 0 for mech unknown'

Dan White dwhite at
Wed Jun 5 10:09:09 EDT 2013

On 06/05/13 10:13 +0100, Karl Pielorz wrote:
>--On 04 June 2013 11:49 -0500 Dan White <dwhite at> wrote:
>>>The replica doesn't appear to log anything - we only use 'simple'
>>>saslpasswd2 authentication on the servers (no LDAP / database
>>>backend) - any suggestions on where to start looking to fix this?
>>Oh, so you don't really want to use gssapi?
>We've never used it before - we just set up accounts with 'saslpasswd2 
>-c' - no kerberos, ldap or anything.
>>On your sync server (replica), you can restrict which sasl mechanisms are
>>Assuming that you have named your sync server 'syncserver' in your
>>/etc/cyrus.conf, configure /etc/imapd.conf with:
>I have to 'name' my sync server, in cyrus.conf? - how?
>In the end I resolved this by simply making sure 'sasl_mech_list' 
>only listed what we use...

You can configure sasl_mech_list per service.

Within your /etc/cyrus.conf, you may have something like:

     imap             cmd="imapd -U 30 -D" listen="imap" prefork=0
     pop3             cmd="pop3d -U 30" listen="pop3" prefork=0
     syncserver       cmd="/usr/lib/cyrus/bin/sync_server" listen="csync"

within your services section. 'imap', 'pop3', and 'syncserver' are the
names of the services, which can be referenced within /etc/imapd.conf
like this:

     syncserver_sasl_mech_list: digest-md5

On the next spawn of that service, libsasl2 will only initialize the
specified mechanisms.

Dan White
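
An added example, not part of the original message or of Cyrus itself: a small audit that reads the service names from the SERVICES section of cyrus.conf and reports which sasl_mech_list setting each service ends up with, flagging services that have none. The sample file contents are constructed, and the script assumes a `<service>_sasl_mech_list` line takes precedence over a global `sasl_mech_list` line.

```python
import re

# Constructed samples modelled on the snippets in the message above.
CYRUS_CONF = '''SERVICES {
  imap        cmd="imapd -U 30 -D" listen="imap" prefork=0
  pop3        cmd="pop3d -U 30" listen="pop3" prefork=0
  syncserver  cmd="/usr/lib/cyrus/bin/sync_server" listen="csync"
}
'''
IMAPD_CONF = '''# the pop3 line is constructed for this example
pop3_sasl_mech_list: plain login
syncserver_sasl_mech_list: digest-md5
'''

def service_names(cyrus_conf):
    """Return the entry names found inside the SERVICES { ... } section."""
    m = re.search(r'^\s*SERVICES\s*\{(.*?)^\s*\}', cyrus_conf, re.S | re.M)
    if not m:
        return []
    lines = (l.strip() for l in m.group(1).splitlines())
    return [l.split()[0] for l in lines if l and not l.startswith('#')]

def imapd_options(imapd_conf):
    """Parse 'option: value' lines, skipping blanks and # comments."""
    opts = {}
    for line in imapd_conf.splitlines():
        line = line.strip()
        if line and not line.startswith('#') and ':' in line:
            key, value = line.split(':', 1)
            opts[key.strip()] = value.strip()
    return opts

def effective_mech_lists(cyrus_conf, imapd_conf):
    """Map service -> (mechanisms, option used); (None, None) if unset."""
    opts = imapd_options(imapd_conf)
    result = {}
    for name in service_names(cyrus_conf):
        # Assumption: the service-prefixed option wins over the global one.
        for key in (name + '_sasl_mech_list', 'sasl_mech_list'):
            if key in opts:
                result[name] = (opts[key].split(), key)
                break
        else:
            result[name] = (None, None)
    return result

if __name__ == '__main__':
    for svc, (mechs, key) in effective_mech_lists(CYRUS_CONF, IMAPD_CONF).items():
        status = f"{' '.join(mechs)} (from {key})" if mechs is not None else \
            'NOT RESTRICTED: every installed SASL mechanism is initialized'
        print(f'{svc}: {status}')
```

Point the two parsing functions at the real /etc/cyrus.conf and /etc/imapd.conf contents to check a live server; a service reported as not restricted is one where an unused mechanism such as GSSAPI can still be offered.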