Bug 161826 - php-imap fails to connect to cyrus imap server
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: php
Version: 4.0
Hardware: i686 Linux
Priority: medium, Severity: medium
Assigned To: Joe Orton
QA Contact: David Lawrence

Reported: 2005-06-27 12:18 EDT by ed2019
Modified: 2010-10-21 23:06 EDT
Doc Type: Bug Fix
Last Closed: 2008-12-10 12:55:16 EST


Description ed2019 2005-06-27 12:18:52 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050517 Firefox/1.0.4 (Debian package 1.0.4-2)

Description of problem:
When attempting to connect to a Cyrus IMAP server, which has GSSAPI enabled, php imap fails with the following error messages:

PHP Notice:  (null)(): GSSAPI failure: Credentials cache permissions incorrect (errflg=1) in Unknown on line 0
PHP Notice:  (null)(): Can not authenticate to IMAP server: Client canceled authentication (errflg=2) in Unknown on line 0

This has been noticed by others as the c-client library (which underlies php-imap) trying to use GSSAPI in an impossible situation.
Potential fixes might include:
     imap_open having a switch or option which would signal c-client not to use GSSAPI
     c-client itself not trying to use gssapi when it won't work, or trying to use other methods (such as PLAIN) when it fails.

Version-Release number of selected component (if applicable):
php-imap-4.3.9-3.6

How reproducible:
Always

Steps to Reproduce:
1. PHP: $mbox = imap_open("{cyrusserver:993/imap/ssl/novalidate-cert/norsh}INBOX", "user", "pw");
2. Where cyrusserver is the remote cyrus imap server
3. observe the GSSAPI errors in the httpd/error_log
  

Actual Results:  imap_open fails, errors observed in the httpd/error_log.

Expected Results:  imap_open succeeds, no errors.

Additional info:
Comment 1 Joe Orton 2005-06-29 07:07:48 EDT
Thanks for the report and analysis.

Doing this as another mailbox flag would perhaps make sense.

From reading the code it looks like c-client *should* be trying the different
authentication methods if one fails, though.  Can you get a network trace of an
IMAP connection which fails like this (e.g. with ethereal) to demonstrate the
failure mode?
Comment 2 ed2019 2005-06-29 08:59:42 EDT
I don't think that such a network trace would be very useful, since we're doing
TLS.  I'm not able to disable TLS because the mail servers are in production.
Comment 3 ed2019 2005-06-29 09:07:59 EDT
I have opened a bug with PHP, #33500 , and also started a discussion on the
imap-uw mailing list, with the author of the c-client library, for references.

http://mailman1.u.washington.edu/pipermail/imap-uw/2005-June/000091.html 
http://bugs.php.net/bug.php?id=33500
Comment 4 Joe Orton 2005-06-29 09:53:42 EDT
Actually it looks like the GSSAPI auth client code in c-client is written to
explicitly prevent retrying with a different mechanism;

The first thing auth_gssapi_client does:

  *trial = 65535;               /* never retry */

and hence the loop in imap4r1.c will never continue with a different authenticator.
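
A simplified model of the behaviour described in Comment 4, added here as an illustration; it is not c-client or php-imap source. The names `model_login`, `AUTHS`, `MAX_LOGIN_TRIALS` and the `disabled` parameter are hypothetical; `disabled` models the opt-out switch proposed in the report, and the retry cap of 3 is an assumption.

```c
#include <string.h>

#define MAX_LOGIN_TRIALS 3   /* assumed retry cap for this model */
#define NEVER_RETRY 65535UL  /* value quoted in Comment 4 */

/* Hypothetical authenticator callback: 1 = authenticated, 0 = failed. */
typedef int (*auth_client_fn)(unsigned long *trial);
struct authenticator { const char *name; auth_client_fn client; };

/* GSSAPI without a usable credentials cache: fails and forbids retries. */
static int gssapi_client(unsigned long *trial)
{
    *trial = NEVER_RETRY;
    return 0;
}

/* PLAIN with valid credentials (constructed case): succeeds at once. */
static int plain_client(unsigned long *trial)
{
    ++*trial;
    return 1;
}

/* Mechanisms in the order they are attempted (constructed sample). */
static const struct authenticator AUTHS[] = {
    { "GSSAPI", gssapi_client },
    { "PLAIN",  plain_client  },
};

/* Returns the mechanism that authenticated, or NULL if login failed.
 * `disabled` (may be NULL) names a mechanism to skip, modelling the
 * opt-out switch proposed in the report. */
const char *model_login(const char *disabled)
{
    for (size_t i = 0; i < sizeof AUTHS / sizeof AUTHS[0]; i++) {
        unsigned long trial = 0;
        if (disabled && strcmp(AUTHS[i].name, disabled) == 0)
            continue;
        do {
            if (AUTHS[i].client(&trial))
                return AUTHS[i].name;
        } while (trial && trial < MAX_LOGIN_TRIALS);
        if (trial >= MAX_LOGIN_TRIALS)
            return NULL;  /* retries used up or forbidden: no fallback */
    }
    return NULL;
}
```

With no mechanism disabled the model never reaches PLAIN, matching the reported failure; skipping GSSAPI lets PLAIN run.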
Comment 6 RHEL Product and Program Management 2008-09-05 13:20:48 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 8 RHEL Product and Program Management 2008-12-10 12:55:16 EST
Development Management has reviewed and declined this request.  You may appeal
this decision by reopening this request.
