krb5_get_cred_from_kdc()--Get Service Ticket from Kerberos KDC Server

Syntax

 #include <krb5.h>

 krb5_error_code krb5_get_cred_from_kdc(  
     krb5_context     context,
     krb5_ccache      ccache,
     krb5_creds *     in_cred,
     krb5_creds **      out_cred,   
     krb5_creds ***     tgts);

  Service Program Name: QSYS/QKRBGSS

  Default Public Authority: *USE

  Threadsafe: Yes

The krb5_get_cred_from_kdc() function obtains a service ticket from the Kerberos Key Distribution Center (KDC) server. The credentials are not stored in the credentials cache. (The application should store them in the cache if appropriate.) The application should not call krb5_get_cred_from_kdc() if the requested service ticket is already in the credentials cache.

Authorities

Object Referred to	Data Authority Required
Each directory in the path name preceding the credentials cache file	*X
Credentials cache file	*RW

Parameters

context (Input): The Kerberos context.
ccache (Input): The credentials cache. The initial ticket-granting ticket for the local realm must already be in the cache. The Kerberos runtime obtains additional ticket-granting tickets as needed if the target server is not in the local realm.
in_cred (Input): The request credentials. The client and server fields must be set to the desired values for the service ticket. The second_ticket field must be set if the service ticket is to be encrypted in a session key. The ticket expiration time can be set to override the default expiration time.
out_cred (Output): The service ticket. The krb5_free_creds() routine should be called to release the credentials when they are no longer needed.
tgts (Output): Any new ticket-granting tickets that were obtained while getting the service target from the KDC in the target realm. There may be ticket-granting tickets returned for this parameter even if the Kerberos runtime ultimately was unable to obtain a service ticket from the target KDC. The krb5_free_tgt_creds() routine should be called to release the ticket-granting ticket array when it is no longer needed.

Return Value

If no errors occur, the return value is 0. Otherwise, a Kerberos error code is returned.

Error Messages

Message ID	Error Message Text
CPE3418 E	Possible APAR condition or hardware failure.

Usage Notes

The krb5_get_cred_from_kdc() routine obtains any necessary ticket-granting tickets for intermediate realms between the client realm and the server realm. It then calls the krb5_get_cred_via_tkt() routine to obtain the actual service ticket. The KDC options are the same as the ticket-granting ticket options. The KDC_OPT_ENC_TKT_IN_SKEY (x'00000008') flag is set if the in_cred parameter provided a second ticket.

API introduced: V5R1

[ Back to top | Security APIs | UNIX-Type APIs | APIs by category ]