failure: prot layer failure (on second GSSAPI connect)

Sat Aug 11 07:03:08 EDT 2007

Hi all:

Just for reference, the problem we're seeing is documented here:

http://bugs.donarmstrong.com/cgi-bin/bugreport.cgi?bug=402164

I am getting around this by having any imapd child spawned service a
single request -- not the best solution, but works.

-mustafa

On 8/9/07, Mustafa A. Hashmi <mahashmi at gmail.com> wrote:
> Hello all:
>
> I am noticing the following while implementing cyrus on our systems
> when working with GSSAPI authentication.
>
> Firstly:
> OS: Debian Etch (4.0)
> Cyrus Version: 2.2.13
>
> Please note: Cyrus is configured to work with both plain and well as
> gssapi authentication.
>
> Please find log below:
>
> --- Authentication via GSSAPI ---
> samwise:/# imtest -m GSSAPI samwise.emergen.biz
> S: * OK samwise.emergen.biz Cyrus IMAP4 v2.2.13-Debian-2.2.13-10 server ready
> C: C01 CAPABILITY
> S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS
> NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND
> BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE
> STARTTLS AUTH=GSSAPI SASL-IR
> S: C01 OK Completed
> C: A01 AUTHENTICATE GSSAPI
> YIICLwYJKoZIhvcSAQICAQBuggIeMIICGqADAgEFoQMCAQ6iBwMFACAAAACjggEwYYIBLDCCASigAwIBBaENGwtFTUVSR0VOLkJJWqImMCSgAwIBAaEdMBsbBGltYXAbE3NhbXdpc2UuZW1lcmdlbi5iaXqjgekwgeagAwIBEqEDAgEBooHZBIHWFBPASC9qYi5QNy0DsDNZTHHyQFsthtgg6Dk8WKxRy5hjF7SypRegc9LabEUESFm8VRBBG8N9Odsu2J+ZbbBIRZI21sH4xwN8YuY19o5UhORAh/jqu4YlVB2lOQ7zsHfdf4fVHmMFPG3NU/sz2buNcxSRcT3sjXH3OfoBomuQ+rMmTBc/t1Kzh6dNgNMcKRA47bYe0thdRzqhfYkrqd6b3FYlSKtxbgA8rEK/lTPX1VPj6Z1ukqrTNpzSxzIMbrbWElGCO24lPplMBNo1dQPp3dEwtFDnJqSB0DCBzaADAgESooHFBIHCJ4JlwjWjQHJtuXb61DMCbuPWWfEtoIDN4dTyhyfAPA9re4scBB75+gpzERcGLwMW4dtZN1wNxMJfddsjkmhyfFHotcsq3mwujDotKbMEOwM07AkJ66W+I6Y7jc5cMslq2WsUhjfHcMKyWk0cpIPRiiP8MGLTrgfyNfldKT/0S/pLduuqmLP8+MaqWsh3bzZUU49TObSw27Bdk1bf1omduc+bvXVKHSHkdLW7h5Zp6+dbr5jVmxvjWuVCM25c5NQLCtw=
> S: + YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvsXC9xdOfToafJ2pnaLm9PKEm8Kg3nvrA57rBxOOqPOTgamiFbQYdkgu1KIO5qU0pzszYCDTau6NKyHugt5/n4ACWF3LmPIODtGSbgo61D23CAhsDVUeUXDXTuigx9f/MO+3vbd6L0eRA8h5463un
> C:
> S: + BQQF/wAMAAAAAAAAJx6sewcAEABJrP3DM691T6WIuOw=
> C: BQQE/wAMAAAAAAAACv73jgQABAB0NwsarHU++17uNwo=
> S: A01 OK Success (privacy protection)
> Authenticated.
> Security strength factor: 56
> a logout
> * BYE LOGOUT received
> a OK Completed
> Connection closed.
>
> --- Log in mail.log upon authentication request: ---
> Aug  9 14:32:04 samwise cyrus/master[6957]: set maximum file
> descriptors to 256/256
> Aug  9 14:32:04 samwise cyrus/master[6957]: about to exec
> /usr/lib/cyrus/bin/imapd
> Aug  9 14:32:04 samwise cyrus/imap[6957]: executed
> Aug  9 14:32:04 samwise cyrus/imap[6957]: telling master 2
> Aug  9 14:32:04 samwise cyrus/imap[6957]: accepted connection
> Aug  9 14:32:04 samwise cyrus/imap[6957]: telling master 3
> Aug  9 14:32:04 samwise cyrus/master[6863]: service imap pid 6957 in
> READY state: now unavailable and in BUSY state
> Aug  9 14:32:04 samwise cyrus/master[6863]: service imap now has 0
> ready workers
> Aug  9 14:32:04 samwise cyrus/master[6863]: service imap pid 6957 in
> BUSY state: now serving connection
> Aug  9 14:32:04 samwise cyrus/master[6863]: service imap now has 0
> ready workers
> Aug  9 14:32:04 samwise cyrus/imap[6957]: login: samwise.emergen.biz
> [192.168.0.118] mhashmi GSSAPI User logged in
> Aug  9 14:32:07 samwise cyrus/imap[6957]: telling master 1
> Aug  9 14:32:07 samwise cyrus/master[6863]: service imap pid 6957 in
> BUSY state: now available and in READY state
> Aug  9 14:32:07 samwise cyrus/master[6863]: service imap now has 1 ready workers
>
> --- login again via the same command (3 seconds later) ---
> samwise:/# imtest -m GSSAPI samwise.emergen.biz
> S: * OK samwise.emergen.biz Cyrus IMAP4 v2.2.13-Debian-2.2.13-10 server ready
> C: C01 CAPABILITY
> S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS
> NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND
> BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE
> STARTTLS AUTH=GSSAPI SASL-IR
> S: C01 OK Completed
> C: A01 AUTHENTICATE GSSAPI
> YIICLwYJKoZIhvcSAQICAQBuggIeMIICGqADAgEFoQMCAQ6iBwMFACAAAACjggEwYYIBLDCCASigAwIBBaENGwtFTUVSR0VOLkJJWqImMCSgAwIBAaEdMBsbBGltYXAbE3NhbXdpc2UuZW1lcmdlbi5iaXqjgekwgeagAwIBEqEDAgEBooHZBIHWFBPASC9qYi5QNy0DsDNZTHHyQFsthtgg6Dk8WKxRy5hjF7SypRegc9LabEUESFm8VRBBG8N9Odsu2J+ZbbBIRZI21sH4xwN8YuY19o5UhORAh/jqu4YlVB2lOQ7zsHfdf4fVHmMFPG3NU/sz2buNcxSRcT3sjXH3OfoBomuQ+rMmTBc/t1Kzh6dNgNMcKRA47bYe0thdRzqhfYkrqd6b3FYlSKtxbgA8rEK/lTPX1VPj6Z1ukqrTNpzSxzIMbrbWElGCO24lPplMBNo1dQPp3dEwtFDnJqSB0DCBzaADAgESooHFBIHCRHfDuOYl5RG5LNP+ND/bt3JAqPGzysnZ++ZbcZlTXx5U8bmto45h9CFm+J5TYn9tYKolNwPJig+St6gNDTXHig5+zb9b3V9r6zPQlg+Gpy2qe0SqgtX7CIFgAvCgkvGQg9BpgrRr6NlA6V21gGyAmeSf1APPxXJDhrQ43JSeJ9Bp23lRGrkKY/E1Sjak7maG8JLgKCrL+5uu2pyrJeW/VnSufnS1qqewf3XGRvXaTIX+28sGANEnh1nhBtXT70C8K2s=
> failure: prot layer failure
>
> --- log in mail.log ---
> Aug  9 14:32:11 samwise cyrus/imap[6957]: telling master 2
> Aug  9 14:32:11 samwise cyrus/master[6863]: service imap pid 6957 in
> READY state: now unavailable and in BUSY state
> Aug  9 14:32:11 samwise cyrus/master[6863]: service imap now has 0
> ready workers
> Aug  9 14:32:11 samwise cyrus/imap[6957]: accepted connection
> Aug  9 14:32:11 samwise cyrus/imap[6957]: telling master 3
> Aug  9 14:32:11 samwise cyrus/master[6863]: service imap pid 6957 in
> BUSY state: now serving connection
> Aug  9 14:32:11 samwise cyrus/master[6863]: service imap now has 0
> ready workers
> Aug  9 14:32:11 samwise cyrus/master[6863]: process 6957 exited,
> signaled to death by 11
> Aug  9 14:32:11 samwise cyrus/master[6863]: service imap pid 6957 in
> BUSY state: terminated abnormally
> Aug  9 14:32:11 samwise cyrus/master[6863]: service imap now has 0 ready workers
> ----
>
> If I work via plain authentication, no problems are encountered.
>
> The same is observed when working with cyradm and GSSAPI
> authentication as opposed to PLAIN auth.
>
> If I can provide further information please do let me know. I
> appreciate any help.