Cyrus IMAP GSSAPI for multiple AD domains

Dan White dwhite at
Sat Jul 3 13:18:11 EDT 2010

On 03/07/10 23:51 +0800, John Mok wrote:
>I have successfully set up Cyrus IMAP 2.2.12 with GSSAPI / Kerberos as 
>authentication for an AD domain "", which is the 
>default domain in /etc/imapd.conf. However, when I tried to add another 
>AD domain "" other than the default domain, the AD users in 
>the latter domain, i.e. "", failed to authenticate from 
>the e-mail client (e.g. Thunderbird).
>The error message on the server log :-
>Jul  2 17:56:39 imapsv01 cyrus/imaps[3777]: GSSAPI Error: Miscellaneous 
>failure (Wrong principal in request)

The "Wrong principal in request" should be a message returned by your
installed Kerberos libraries. A Google search for that phrase found some
good links for troubleshooting.

>I checked with imtest and it passed successfully :-
> >imtest -m GSSAPI

Is that from the same machine/user running thunderbird?

I've found Wireshark to be invaluable in troubleshooting GSSAPI ticket
exchange problems. Of course, you'll want to use a non-imaps connection for
the capture.

>The IMAP config. /etc/imapd.conf follows :-
>altnamespace: yes
>sasl_mech_list: gssapi pam

'pam' is not a valid mech, although that's not contributing to your gssapi

>virtdomains: yes
>sasl_pwcheck_method: saslauthd

Dan White
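
The sasl_mech_list remark above as a config check, added here as an example and not part of the original post: it parses the quoted imapd.conf lines and flags entries that are not SASL mechanism names. The two name sets and the function names are assumptions of this example, and the sets are not exhaustive.

```python
import re

# Mechanism names registered by common Cyrus SASL plugins. Non-exhaustive and
# an assumption of this example; compare with the plugins on the real host.
KNOWN_SASL_MECHS = {
    "ANONYMOUS", "CRAM-MD5", "DIGEST-MD5", "EXTERNAL", "GSSAPI", "GS2-KRB5",
    "GSS-SPNEGO", "LOGIN", "NTLM", "OTP", "PLAIN", "SCRAM-SHA-1",
    "SCRAM-SHA-256", "SRP",
}
# saslauthd "-a" backends, which are easy to mistake for SASL mechanisms.
SASLAUTHD_BACKENDS = {"pam", "shadow", "getpwent", "kerberos5", "ldap",
                      "rimap", "sasldb"}

def parse_imapd_conf(text):
    """Return {option: value} for 'option: value' lines, skipping comments."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([A-Za-z0-9_]+)\s*:\s*(.*)$", line)
        if m:
            opts[m.group(1).lower()] = m.group(2).strip()
    return opts

def check_mech_list(opts):
    """Split the whitespace-separated sasl_mech_list into (valid, findings)."""
    valid, findings = [], []
    for token in opts.get("sasl_mech_list", "").split():
        if token.upper() in KNOWN_SASL_MECHS:
            valid.append(token.upper())
        elif token.lower() in SASLAUTHD_BACKENDS:
            findings.append(f"{token}: saslauthd backend, not a SASL mechanism")
        else:
            findings.append(f"{token}: unknown mechanism name")
    return valid, findings

# Constructed sample: the imapd.conf lines quoted in the thread.
SAMPLE = """\
altnamespace: yes
sasl_mech_list: gssapi pam
virtdomains: yes
sasl_pwcheck_method: saslauthd
"""

if __name__ == "__main__":
    valid, findings = check_mech_list(parse_imapd_conf(SAMPLE))
    print("usable mechanisms:", valid)
    for finding in findings:
        print("finding:", finding)
```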
