Authenticating (with cyradm) using an alternate Kerberos instance?
Lars Kellogg-Stedman
lars at oddbit.com
Sun Nov 6 23:23:27 EST 2005
I'm running Cyrus imapd in a Kerberos environment.
When using cyradm, I would like to authenticate with a /admin
instance, rather than giving my primary instance admin privileges or
always connecting as the 'cyrus' user. I haven't had much luck so
far, and I think it's because I'm not clear on how Cyrus/SASL
interacts with Kerberos and LDAP.
I've authenticated to Kerberos as lars/admin@EXAMPLE.COM:
Credentials cache: FILE:/tmp/krb5cc_20000_u20528
Principal: lars/admin@EXAMPLE.COM
Issued           Expires          Principal
Nov  6 22:50:33  Nov  7 08:50:33  krbtgt/EXAMPLE.COM@EXAMPLE.COM
I've added lars/admin as an admin user in /etc/imapd.conf (and set
defaultdomain to example.com), like this:
admins: cyrus lars/admin
defaultdomain: example.com
We're running 'saslauthd -a ldap'. There is a matching record in LDAP
(uid: lars/admin) that will be matched by the filter in
saslauthd.conf:
ldap_filter: (|(mailLocalAddress=%u@%d)(&(!(mailLocalAddress=*))(uid=%u)))
If I try to connect with cyradm, I get an error:
$ cyradm mail.example.com
cyradm: cannot authenticate to server with as lars
And the IMAP server says:
badlogin: mail.example.com [192.168.1.20] GSSAPI [SASL(-13):
authentication failure: bad userid authenticated]
I get the same behavior if I try:
$ cyradm --user=lars/admin mail.example.com
I should probably mention that:
(a) authenticating as my primary instance (lars@EXAMPLE.COM) works
just fine (and if I set myself up as an admin user I get admin
privileges),
(b) if I obtain the 'cyrus@EXAMPLE.COM' principal, everything works as expected, and
(c) authenticating to, say, our LDAP server as lars/admin does the
right thing, although that's largely due to the magic of OpenLDAP's
sasl-regexp commands.
What am I missing? Thanks!
-- Lars
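Added example, not part of the post above: a small model of how saslauthd's LDAP backend expands the %u/%d (and %U, %%) tokens in the ldap_filter shown in the post and escapes the login it substitutes, so a name supplied by a client cannot alter the filter's structure. It approximates the documented token semantics and is not saslauthd's own code; the realm value and the hostile login are constructed, and one thing to keep in mind when reading it is that saslauthd is consulted only by plaintext mechanisms (PLAIN/LOGIN), never by GSSAPI.

```python
import re

# Filter from the post's saslauthd.conf and the defaultdomain from imapd.conf,
# used here as the fallback realm for %d (assumption for this example).
LDAP_FILTER = "(|(mailLocalAddress=%u@%d)(&(!(mailLocalAddress=*))(uid=%u)))"
DEFAULT_REALM = "example.com"


def ldap_escape(value):
    """Escape RFC 4515 filter metacharacters in a substituted value so a
    client-supplied login cannot inject extra filter terms."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


def expand_filter(template, login, realm=DEFAULT_REALM):
    """Expand %u (login as given), %U (user part before '@'), %d (domain part
    of the login, else the realm) and %% in a saslauthd-style ldap_filter.
    Simplified model: other documented tokens (%r, %s, %D, %1-9) raise."""
    user, sep, domain = login.partition("@")
    tokens = {
        "u": ldap_escape(login),
        "U": ldap_escape(user),
        "d": ldap_escape(domain if sep else realm),
        "%": "%",
    }

    def repl(match):
        key = match.group(1)
        if key not in tokens:
            raise ValueError("unsupported filter token %%%s" % key)
        return tokens[key]

    return re.sub(r"%(.)", repl, template)


if __name__ == "__main__":
    # Constructed logins: the two forms from the post plus a hostile one.
    for login in ("lars", "lars/admin", "lars)(uid=*"):
        print(login, "->", expand_filter(LDAP_FILTER, login))
```

Note that the template's own `*` in `(mailLocalAddress=*)` is kept verbatim; only substituted values are escaped, so the hostile login ends up as a literal `uid` value rather than a second filter term.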