From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050517 Firefox/1.0.4 (Debian package 1.0.4-2)

Description of problem:
When attempting to connect to a Cyrus IMAP server, which has GSSAPI enabled, php imap fails with the following error messages:

    PHP Notice: (null)(): GSSAPI failure: Credentials cache permissions incorrect (errflg=1) in Unknown on line 0
    PHP Notice: (null)(): Can not authenticate to IMAP server: Client canceled authentication (errflg=2) in Unknown on line 0

This has been noticed by others as the c-client library (which underlies php-imap) trying to use GSSAPI in an impossible situation. Potential fixes might include:
- imap_open having a switch or option which would signal c-client not to use GSSAPI
- c-client itself not trying to use GSSAPI when it won't work, or trying to use other methods (such as PLAIN) when it fails.

Version-Release number of selected component (if applicable):
php-imap-4.3.9-3.6

How reproducible:
Always

Steps to Reproduce:
1. PHP: $mbox = imap_open("{cyrusserver:993/imap/ssl/novalidate-cert/norsh}INBOX", "user", "pw");
2. Where cyrusserver is the remote cyrus imap server
3. Observe the GSSAPI errors in the httpd/error_log

Actual Results:
imap_open fails, errors observed in the httpd/error_log.

Expected Results:
imap_open succeeds, no errors.

Additional info:
Thanks for the report and analysis. Doing this as another mailbox flag would perhaps make sense. From reading the code it looks like c-client *should* be trying the different authentication methods if one fails, though. Can you get a network trace of an IMAP connection which fails like this (e.g. with ethereal) to demonstrate the failure mode?
I don't think that such a network trace would be very useful, since we're doing TLS. I'm not able to disable TLS because the mail servers are in production.
I have opened a bug with PHP, #33500, and also started a discussion on the imap-uw mailing list, with the author of the c-client library, for references.
http://mailman1.u.washington.edu/pipermail/imap-uw/2005-June/000091.html
http://bugs.php.net/bug.php?id=33500
Actually it looks like the GSSAPI auth client code in c-client is written to explicitly prevent retrying with a different mechanism; the first thing auth_gssapi_client does:

    *trial = 65535; /* never retry */

and hence the loop in imap4r1.c will never continue with a different authenticator.
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.
Development Management has reviewed and declined this request. You may appeal this decision by reopening this request.