This looks to be a Mail.app bug, but I thought it worth mentioning here since it's Kerberos-related.
I am using Kerberos with a Debian server on which is running the MIT KDC, Cyrus, imapd, and sendmail. I have been using Kerberos authentication with Mail.app in this environment for some time, under Tiger. I just upgraded to Leopard, and it no longer works. The problem is simple: the Mail.app IMAP conversation goes like this: OK sequoia Cyrus IMAP4 v2.1.18-IPv6-Debian-2.1.18-5.1 server ready 1.11 CAPABILITY * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDP LUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE STARTTLS AUTH=GSSAPI AUTH=CRAM-MD5 AUTH=DIGEST-MD5 AUTH=NTLM ANNOTATEMORE 1.11 OK Completed 2.11 AUTHENTICATE GSSAPI + 2.11 NO authentication failure Mail.app simply sends an empty gssapi message. This problem does not appear to be in the Kerberos libraries or endemic to Apple's apps in general, since Kerberos authentication still works in both SSH and WebDAV. This appears to be a Mail.app bug. I have also noticed that both klist and Kerberos.app omit realm names from service ticket principals, e.g.: Kerberos 5 ticket cache: 'API:Initial default ccache' Default principal: [EMAIL PROTECTED] Valid Starting Expires Service Principal 01/13/08 16:35:37 01/14/08 02:35:37 krbtgt/[EMAIL PROTECTED] renew until 01/20/08 16:35:37 01/13/08 16:36:15 01/14/08 02:35:37 imap/sequoia.oankali.net@ renew until 01/20/08 16:35:37 01/13/08 16:45:38 01/14/08 02:35:37 host/sequoia.oankali.net@ renew until 01/20/08 16:35:37 01/13/08 16:52:37 01/14/08 02:35:37 HTTP/sequoia.oankali.net@ renew until 01/20/08 16:35:37 Seem unrelated, but I thought I'd mention it anyway. - Richard Silverman [EMAIL PROTECTED] ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos