On Fri, Sep 06, 2013 at 11:30:16PM -0700, Stephen Ingram wrote: > I would change auth_mech to krb5. I'm not sure what distro you are using, > but you also need to export environment variables KRB5_KTNAME and > KRB5CCNAME. I do not include the sasl_keytab or sasl_allow_plaintext > settings in my config either, but I do have allowplaintext: no. I do allow > plain text auth too, but only over TLS or SSL encrypted link. Found the issue. There was a mismatch between servername and the real name. Heimdal canonicalizes so it was changing the requested principal from the keytab. It was looking for the wrong principal in the keytab, in short... I was hoping there was some log option to make it say 'now I'm looking for this principal in the keytab' but I haven't found any I think that auth_mech is for plaintext authentication (i.e. not SASL) to validate passwords. -- Lorenzo Marcantonio Logos Srl ---- Cyrus Home Page: http://www.cyrusimap.org/ List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/ To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
