Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 161826 - php-imap fails to connect to cyrus imap server
Summary: php-imap fails to connect to cyrus imap server
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: php
Version: 4.0
Hardware: i686
OS: Linux
Target Milestone: ---
: ---
Assignee: Joe Orton
QA Contact: David Lawrence
Depends On:
TreeView+ depends on / blocked
Reported: 2005-06-27 16:18 UTC by ed2019
Modified: 2018-10-20 00:21 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2008-12-10 17:55:16 UTC
Target Upstream Version:

Attachments (Terms of Use)

Description ed2019 2005-06-27 16:18:52 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050517 Firefox/1.0.4 (Debian package 1.0.4-2)

Description of problem:
When attempting to connect to a Cyrus IMAP server, which has GSSAPI enabled, php imap fails with the following error messages:

PHP Notice:  (null)(): GSSAPI failure: Credentials cache permissions incorrect (errflg=1) in Unknown on line 0
PHP Notice:  (null)(): Can not authenticate to IMAP server: Client canceled authentication (errflg=2) in Unknown on line 0

This has been noticed by others as the c-client library (which underlies php-imap) trying to use GSSAPI in an impossible situation.
Potential fixes might include:
     imap_open having a switch or option which would signal c-client not to use GSSAPI
     c-client itself not trying to use gssapi when it won't work, or trying to use other methods (such as PLAIN) when it fails.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. PHP: $mbox = imap_open("{cyrusserver:993/imap/ssl/novalidate-cert/norsh}INBOX", "user", "pw");
2. Where cyrusserver is the remote cyrus imap server
3. observe the GSSAPI errors in the httpd/error_log

Actual Results:  imap_open fails, errors observed in the httpd/error_log .

Expected Results:  imap_open succeeds , no errors.

Additional info:

Comment 1 Joe Orton 2005-06-29 11:07:48 UTC
Thanks for the report and analysis.

Doing this as another mailbox flag would perhaps make sense.

From reading the code it looks like c-client *should* be trying the different
authentication methods if one fails, though.  Can you get a network trace of an
IMAP connection which fails like this (e.g. with ethereal) to demonstrate the
failure mode?

Comment 2 ed2019 2005-06-29 12:59:42 UTC
I don't think that such a network trace would be very useful, since we're doing
TLS.  I'm not able to disable TLS because the mail servers are in production.

Comment 3 ed2019 2005-06-29 13:07:59 UTC
I have opened a bug with PHP, #33500 , and also started a discussion on the
imap-uw mailing list, with the author of the c-client library, for references.

Comment 4 Joe Orton 2005-06-29 13:53:42 UTC
Actually it looks like the GSSAPI auth client code in c-client is written to
explicitly prevent retrying with a different mechanism;

The first thing auth_gssapi_client does:

  *trial = 65535;               /* never retry */

and hence the loop in imap4r1.c will never continue with a different authenticator.

Comment 6 RHEL Product and Program Management 2008-09-05 17:20:48 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update

Comment 8 RHEL Product and Program Management 2008-12-10 17:55:16 UTC
Development Management has reviewed and declined this request.  You may appeal
this decision by reopening this request.

Note You need to log in before you can comment on or make changes to this bug.