The krb5_get_cred_from_kdc() function obtains a service
ticket from the Kerberos Key Distribution Center (KDC) server. The credentials
are not stored in the credentials cache. (The application should store them in
the cache if appropriate.) The application should not call
krb5_get_cred_from_kdc() if the requested service ticket is
already in the credentials cache.
Authorities
Object Referred to                             Data Authority Required
Each directory in the path name preceding
the credentials cache file                     *X
Credentials cache file                         *RW
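The authorities in the table above can be checked before the routine is called, which shows which path component is the problem when a call fails on authority. This is an added example, not IBM's code: the name check_ccache_authorities is hypothetical, and it assumes that *X on a directory corresponds to access() with X_OK and *RW on the file to R_OK | W_OK.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper (not part of the Kerberos API).
 * Assumption: *X on a directory maps to access(X_OK) and *RW on the
 * cache file maps to access(R_OK | W_OK). 'path' must be absolute.
 * Returns 0 if all authorities are present, else -1 with the first
 * failing component copied into 'failed'. */
int check_ccache_authorities(const char *path, char *failed, size_t len)
{
    char prefix[1024];
    size_t n = strlen(path);

    if (len) failed[0] = '\0';
    if (path[0] != '/' || n >= sizeof prefix)
        return -1;                        /* not an absolute path, or too long */
    /* Walk each directory preceding the file: "/", "/a", "/a/b", ... */
    for (size_t i = 0; i < n; i++) {
        if (path[i] != '/')
            continue;
        size_t plen = (i == 0) ? 1 : i;   /* keep "/" for the root */
        memcpy(prefix, path, plen);
        prefix[plen] = '\0';
        if (access(prefix, X_OK) != 0) {  /* *X missing, or no such directory */
            snprintf(failed, len, "%s", prefix);
            return -1;
        }
    }
    /* The credentials cache file itself needs read and write (*RW). */
    if (access(path, R_OK | W_OK) != 0) {
        snprintf(failed, len, "%s", path);
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    char failed[1024];
    if (argc != 2) return 2;
    if (check_ccache_authorities(argv[1], failed, sizeof failed) != 0) {
        printf("missing authority or object: %s\n", failed);
        return 1;
    }
    puts("authorities present");
    return 0;
}
```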
Parameters
context (Input)
The Kerberos context.
ccache (Input)
The credentials cache. The initial ticket-granting ticket for the local
realm must already be in the cache. The Kerberos runtime obtains additional
ticket-granting tickets as needed if the target server is not in the local
realm.
in_cred (Input)
The request credentials. The client and server fields
must be set to the desired values for the service ticket. The
second_ticket field must be set if the service ticket is to be
encrypted in a session key. The ticket expiration time can be set to override
the default expiration time.
out_cred (Output)
The service ticket. The krb5_free_creds() routine should
be called to release the credentials when they are no longer needed.
tgts (Output)
Any new ticket-granting tickets that were obtained while getting the
service ticket from the KDC in the target realm. There may be ticket-granting
tickets returned for this parameter even if the Kerberos runtime ultimately was
unable to obtain a service ticket from the target KDC. The
krb5_free_tgt_creds() routine should be called to release the
ticket-granting ticket array when it is no longer needed.
Return Value
If no errors occur, the return value is 0. Otherwise, a Kerberos error code
is returned.
Error Messages
Message ID     Error Message Text
CPE3418 E      Possible APAR condition or hardware failure.
Usage Notes
The krb5_get_cred_from_kdc() routine obtains any necessary
ticket-granting tickets for intermediate realms between the client realm and
the server realm. It then calls the krb5_get_cred_via_tkt()
routine to obtain the actual service ticket. The KDC options are the same as
the ticket-granting ticket options. The
KDC_OPT_ENC_TKT_IN_SKEY (x'00000008') flag is set if the
in_cred parameter provided a second ticket.