Problem with cyradm and krb5 */admin principals

From: Ben Poliakoff (no email)
Date: Wed Mar 26 2003 - 14:47:34 EST

We make use of SASL/GSSAPI authentication with our cyrus installation.

The man page for imapd.conf says that the "admins:" field may contain a
kerberos admin principal, enabling that admin principal to, well
administer the cyrus installation.

I can't get that to work with cyradm. I've tried repeatedly over the
last two years.

If I add "benp/admin" to the "admins:" line in imapd.conf and then try
to connect to the imap server (while having a tgt for benp/admin),
cyradm fails with this error:

    cyradm: cannot authenticate to server with as benp

And imapd logs this:

    Mar 26 11:36:02 xxxxx imapd[14556]: bad userid authenticated
    Mar 26 11:36:02 xxxxx imapd[14556]: badlogin:[] GSSAPI [SASL(-13): authentication failure: bad userid authenticated]

My lame solution has been to use a dedicated "regular" (no / in the
name) principal. But if possible it sure would be great to be able to
reuse our */admin principals.

I'm currently using cyrus-imapd-2.1.12.

I've wondered if this is a problem with / characters and have tried a
lot of \ escaping and single tick quoting, to no avail.

What am I missing?

Anyone out there using */admin principals with cyradm?


Ben Poliakoff                                       email: <>
Reed College                                          tel:  (503)-788-6674
Unix System Administrator      PGP key:
0x6AF52019 fingerprint = A131 F813 7A0F C5B7 E74D  C972 9118 A94D 6AF5 2019

Hosted Email Solutions

Invaluement Anti-Spam DNSBLs

Powered By FreeBSD   Powered By FreeBSD