krb5_get_credentials()--Get Service Ticket


  Syntax
 #include <krb5.h>

 krb5_error_code krb5_get_credentials(
     krb5_context     context,
     krb5_const krb5_flags    options,  
     krb5_ccache      ccache,
     krb5_creds *       in_cred,
     krb5_creds **      out_cred);   
  Service Program Name: QSYS/QKRBGSS

  Default Public Authority: *USE

  Threadsafe: Yes

The krb5_get_credentials() function obtains a service ticket for the requested server. This routine is the normal way for an application to obtain a service ticket. If the service ticket is already in the credentials cache, the krb5_get_credentials() routine returns the cached ticket. Otherwise, the krb5_get_credentials() routine calls the krb5_get_cred_from_kdc() routine to obtain a service ticket from the Kerberos server.

The krb5_get_credentials() routine stores any tickets obtained during its processing in the credentials cache. This includes the requested service ticket, as well as any ticket-granting tickets required to obtain the service ticket.


Authorities

Object Referred to                                                      Data Authority Required
Each directory in the path name preceding the credentials cache file   *X
Credentials cache file                                                  *RW


Parameters

context  (Input)
The Kerberos context.

options  (Input)
The option flags as follows:

KRB5_GC_USER_USER (x'00000001') Obtain a user-to-user ticket.
KRB5_GC_CACHED (x'00000002') Do not obtain a service ticket if one is not found in the credentials cache.


ccache  (Input)
The credentials cache to be used. The initial ticket-granting ticket must already be in the cache.

in_cred  (Input)
The request credentials. The client and server fields must be set to the desired values for the service ticket. The second_ticket field must be set if the service ticket is to be encrypted in a session key. The ticket expiration time can be set to override the default expiration time. The key encryption type can be set to override the default ticket encryption type.

out_cred  (Output)
The service ticket. The krb5_free_creds() routine should be called to release the credentials when they are no longer needed.


Return Value

If no errors occur, the return value is 0. Otherwise, a Kerberos error code is returned.


Error Messages

Message ID    Error Message Text
CPE3418 E     Possible APAR condition or hardware failure.


Usage Notes

  1. If KRB5_GC_CACHED is specified, the krb5_get_credentials() routine searches only the credentials cache for a service ticket.

  2. If KRB5_GC_USER_USER is specified, the krb5_get_credentials() routine gets credentials for user-to-user authentication. In user-to-user authentication, the secret key for the server is the session key from the server's ticket-granting ticket. The ticket-granting ticket is passed from the server to the client over the network. (This is safe since the ticket-granting ticket is encrypted in a key known only by the Kerberos server.) The client must then pass this ticket-granting ticket to krb5_get_credentials() as the second ticket in the request credentials. The Kerberos server uses this ticket-granting ticket to construct a user-to-user ticket that can be verified by the server using the session key from its ticket-granting ticket.
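The lookup order described above and in usage note 1, as a small added model (not IBM's implementation and not code from this page). Only the KRB5_GC_CACHED value is taken from the page; the struct, the function names, the MODEL_NOT_IN_CACHE value and the principal names are assumptions constructed for illustration.

```c
/* Added example: a model of the documented lookup order, not IBM's code.
   Only the KRB5_GC_CACHED value comes from the page; every other name is
   hypothetical. */
#include <stdio.h>
#include <string.h>

#define KRB5_GC_CACHED     0x00000002  /* value from the page */
#define MODEL_NOT_IN_CACHE (-1)        /* hypothetical error value */
#define MAX_TKT 8

struct cache { const char *server[MAX_TKT]; int n; int kdc_calls; };

static int cache_find(const struct cache *c, const char *server) {
    for (int i = 0; i < c->n; i++)
        if (strcmp(c->server[i], server) == 0) return i;
    return -1;
}

static void cache_store(struct cache *c, const char *server) {
    if (cache_find(c, server) < 0 && c->n < MAX_TKT)
        c->server[c->n++] = server;
}

/* extra_tgt models a ticket-granting ticket needed on the way to the
   service ticket (NULL when none is needed). */
int model_get_credentials(int options, struct cache *c,
                          const char *server, const char *extra_tgt) {
    if (cache_find(c, server) >= 0) return 0;   /* cached ticket is returned */
    if (options & KRB5_GC_CACHED)               /* cache-only search */
        return MODEL_NOT_IN_CACHE;
    c->kdc_calls++;                             /* stand-in for the KDC request */
    if (extra_tgt) cache_store(c, extra_tgt);   /* TGTs obtained are stored too */
    cache_store(c, server);
    return 0;
}

int main(void) {
    /* Constructed sample cache holding only the initial TGT. */
    struct cache c = { { "krbtgt/A.EXAMPLE@A.EXAMPLE" }, 1, 0 };
    const char *svc = "host/app.b.example@B.EXAMPLE";
    int rc = model_get_credentials(KRB5_GC_CACHED, &c, svc, NULL);
    printf("cached-only: rc=%d kdc_calls=%d entries=%d\n", rc, c.kdc_calls, c.n);
    rc = model_get_credentials(0, &c, svc, "krbtgt/B.EXAMPLE@A.EXAMPLE");
    printf("default:     rc=%d kdc_calls=%d entries=%d\n", rc, c.kdc_calls, c.n);
    return 0;
}
```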


API introduced: V5R1
