On 03/07/10 23:51 +0800, John Mok wrote:
>Hi,
>
>I have successfully set up Cyrus IMAP 2.2.12 with GSSAPI / Kerberos as
>authentication for an AD domain "grt.citizen.co.jp", which is the
>default domain in /etc/imapd.conf. However, when I tried to add another
>AD domain "pvd.citizen.co.jp" other than the default domain. The AD users in
>the latter domain, i.e. "pvd.citizen.co.jp", failed to authenticate from
>the e-mail client (e.g. Thunderbird).
>
>The error message on the server log :-
>
>Jul 2 17:56:39 imapsv01 cyrus/imaps[3777]: GSSAPI Error: Miscellaneous
>failure (Wrong principal in request)

The "Wrong principal in request" should be a message returned by your
installed Kerberos libraries. A Google search for that phrase found some good
links for troubleshooting.

>I checked with imtest and it passed successfully :-
>
>
>imtest -m GSSAPI imapsv01.grt.citizen.co.jp

Is that from the same machine/user running Thunderbird?

I've found Wireshark to be invaluable in troubleshooting GSSAPI ticket
exchange problems. Of course, you'll want to use a non-imaps connection for
the capture.

>The IMAP config. /etc/imapd.conf follows :-
>
>....
>altnamespace: yes
>sasl_mech_list: gssapi pam

'pam' is not a valid mech, although that's not contributing to your gssapi
problem.

>loginrealms: pvd.citizen.co.jp
>virtdomains: yes
>defaultdomain: grt.citizen.co.jp
>sasl_pwcheck_method: saslauthd
>....

-- 
Dan White
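
The `sasl_mech_list` remark above can be checked mechanically. The following is an added example, not part of the original thread or of the Cyrus code base: it parses `option: value` lines and separates real SASL mechanism names from names such as `pam`, which is a saslauthd backend rather than a mechanism. The function names and the two name sets are assumptions to adjust for the local Cyrus SASL build; the sample config is constructed from the options quoted in the message.

```python
# Added example: lint sasl_mech_list in an imapd.conf-style file.
# The name sets are assumptions; adjust them to the plugins installed locally.
KNOWN_MECHS = {"ANONYMOUS", "CRAM-MD5", "DIGEST-MD5", "EXTERNAL", "GSSAPI",
               "LOGIN", "NTLM", "OTP", "PLAIN", "SRP"}
SASLAUTHD_BACKENDS = {"PAM", "SHADOW", "LDAP", "KERBEROS5", "GETPWENT", "RIMAP"}

# Constructed sample, based on the options quoted in the message above.
SAMPLE = """\
# /etc/imapd.conf (excerpt)
altnamespace: yes
sasl_mech_list: gssapi pam
loginrealms: pvd.citizen.co.jp
virtdomains: yes
defaultdomain: grt.citizen.co.jp
sasl_pwcheck_method: saslauthd
"""

def parse_imapd_conf(text):
    """Return {option: value} from 'option: value' lines, skipping comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            conf[key.strip().lower()] = value.strip()
    return conf

def lint_mech_list(conf):
    """Split sasl_mech_list into usable mechanisms and (token, reason) findings."""
    valid, findings = [], []
    for tok in conf.get("sasl_mech_list", "").split():
        name = tok.upper()  # mechanism names are compared case-insensitively here
        if name in KNOWN_MECHS:
            valid.append(tok)
        elif name in SASLAUTHD_BACKENDS:
            findings.append((tok, "saslauthd backend (saslauthd -a), not a SASL mechanism"))
        else:
            findings.append((tok, "not a known SASL mechanism name"))
    return valid, findings

if __name__ == "__main__":
    valid, findings = lint_mech_list(parse_imapd_conf(SAMPLE))
    print("usable mechanisms:", " ".join(valid))
    for tok, reason in findings:
        print(f"sasl_mech_list: '{tok}': {reason}")
```
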