Cyrus IMAP GSSAPI for multiple AD domains
Dan White
dwhite at olp.net
Sat Jul 3 13:18:11 EDT 2010
On 03/07/10 23:51 +0800, John Mok wrote:
>Hi,
>
>I have successfully set up Cyrus IMAP 2.2.12 with GSSAPI / Kerberos as
>authentication for an AD domain "grt.citizen.co.jp", which is the
>default domain in /etc/imapd.conf. However, when I tried to add another
>AD domain "pvd.citizen.co.jp" other than the default domain, the AD users in
>the latter domain, i.e. "pvd.citizen.co.jp", failed to authenticate from
>the e-mail client (e.g. Thunderbird).
>
>The error message on the server log :-
>
>Jul 2 17:56:39 imapsv01 cyrus/imaps[3777]: GSSAPI Error: Miscellaneous
>failure (Wrong principal in request)
The "Wrong principal in request" should be a message returned by your
installed Kerberos libraries. A Google search for that phrase found some
good links for troubleshooting.
>I checked with imtest and it passed successfully :-
>
> >imtest -m GSSAPI imapsv01.grt.citizen.co.jp
Is that from the same machine/user running Thunderbird?

I've found Wireshark to be invaluable in troubleshooting GSSAPI ticket
exchange problems. Of course, you'll want to use a non-imaps connection for
the capture.
>The IMAP config. /etc/imapd.conf follows :-
>
>....
>altnamespace: yes
>sasl_mech_list: gssapi pam
'pam' is not a valid mech, although that's not contributing to your gssapi
problem.
>loginrealms: pvd.citizen.co.jp
>virtdomains: yes
>defaultdomain: grt.citizen.co.jp
>sasl_pwcheck_method: saslauthd
>....
--
Dan White