How do I tell cyrus-imapd to *not* strip default realm from kerberos principals?

Lars Kellogg-Stedman lars at
Tue Nov 1 23:44:46 EST 2005

Hello again,

I'm using virtual domains on our Cyrus IMAP server, which means that
the user "lars" is distinct from "lars at".  I've just
started setting up kerberos (5) in this environment, and I've
discovered that the Cyrus IMAP server will strip the default realm
from a connecting principal before treating it as a username -- which
means that nobody can actually use kerberos.  If I'm authenticated as
"lars at EXAMPLE.COM", Cyrus imapd will authenticate me as the user
"lars", and if I try to SELECT INBOX, for example, I get a "no such

If I connect *without* kerberos and authenticate as lars at,
everything works just grand.

More details:

Given a kerberos environment like this:

  $ klist
  Credentials cache: FILE:/tmp/krb5cc_20000
  Principal: lars at EXAMPLE.COM

Connecting to the IMAP server like this:

  $ imtest
  S: A01 OK Success (privacy protection)
  Security strength factor: 56

The server says:

  mail.notice: Nov  1 23:34:53 imap[23997]: login: [] lars GSSAPI User logged in

-- Lars
