```c
#include <krb5.h>

krb5_error_code krb5_get_in_tkt_with_keytab(
    krb5_context                context,
    krb5_const krb5_flags       options,
    krb5_address * krb5_const * addrs,
    krb5_enctype *              enctype,
    krb5_preauthtype *          pre_auth_types,
    krb5_const krb5_keytab      keytab,
    krb5_ccache                 ccache,
    krb5_creds *                creds,
    krb5_kdc_rep **             ret_as_reply);
```

Service Program Name: QSYS/QKRBGSS

The krb5_get_in_tkt_with_keytab() function obtains an initial ticket-granting ticket from the Kerberos Key Distribution Center (KDC) server using a key table. This initial ticket can then be used to obtain service tickets. The client must be in the same realm as the KDC to be able to obtain an initial ticket from the KDC. The initial ticket can be used to obtain tickets in the same realm or in different realms as long as the proper inter-realm trust relationships have been established.
Object Referred to | Data Authority Required |
---|---|
Each directory in the path name preceding the key table file, if key parameter is NULL | *X |
Key table file, if key parameter is NULL | *R |
Each directory in the path name preceding the credentials cache file | *X |
Credentials cache file | *RW |
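
The authority requirements in the table above can be checked ahead of the call when diagnosing a failure. The following is an added example, not part of the original API documentation; the helper names `check_path_authority` and `preflight_keytab_login` are hypothetical, and it assumes that *X, *R and *RW correspond to the POSIX `access()` modes `X_OK`, `R_OK` and `R_OK | W_OK`.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical diagnostic helper: checks search (*X) on each directory that
 * precedes `path`, then `leaf_mode` on the file itself (R_OK for *R,
 * R_OK | W_OK for *RW). Returns 0, or the errno of the first failing
 * component, whose name is copied into `failed`. Assumes *X, *R and *RW map
 * to access() X_OK, R_OK and R_OK | W_OK. The result can be stale by the time
 * the Kerberos call runs, so use it to explain failures, not as a gate. */
int check_path_authority(const char *path, int leaf_mode,
                         char *failed, size_t failed_len)
{
    char buf[1024];
    size_t len = strlen(path);
    int err = 0;

    if (len == 0)
        return ENOENT;
    if (len >= sizeof(buf))
        return ENAMETOOLONG;
    memcpy(buf, path, len + 1);

    for (char *p = buf + 1; *p != '\0' && err == 0; p++) {
        if (*p != '/')
            continue;
        *p = '\0';                      /* truncate to the directory prefix */
        if (access(buf, X_OK) != 0)
            err = errno;
        else
            *p = '/';                   /* restore and keep walking */
    }
    if (err == 0 && access(buf, leaf_mode) != 0)
        err = errno;
    if (err != 0)
        snprintf(failed, failed_len, "%s", buf);
    return err;
}

/* Preflight for the table above: *R on the key table, *RW on the cache. */
int preflight_keytab_login(const char *keytab_path, const char *ccache_path,
                           char *failed, size_t failed_len)
{
    int rc = check_path_authority(keytab_path, R_OK, failed, failed_len);
    if (rc != 0)
        return rc;
    return check_path_authority(ccache_path, R_OK | W_OK, failed, failed_len);
}
```

On failure, `failed` names the first directory or file that lacks the required authority, which is usually the quickest way to tell a key table permission problem from a credentials cache one.
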

options Value | Description |
---|---|
KDC_OPT_FORWARDABLE (x'40000000') | Obtain a forwardable ticket. |
KDC_OPT_PROXIABLE (x'10000000') | Obtain a proxiable ticket. |
KDC_OPT_ALLOW_POSTDATE (x'04000000') | Allow postdated tickets. |
KDC_OPT_RENEWABLE (x'00800000') | Obtain a renewable ticket. The renew_till time must be set in the request. |
KDC_OPT_RENEWABLE_OK (x'00000010') | A renewable ticket is acceptable if the KDC policy does not allow a ticket to be generated with the requested endtime. |

enctype Value | Description |
---|---|
ENCTYPE_DES_CBC_CRC (x'00000001') | 32-bit CRC checksum with DES encryption. This encryption type should be used for interoperability with older levels of Kerberos Version 5. |
ENCTYPE_DES_CBC_MD5 (x'00000003') | MD5 checksum with DES encryption. |

pre_auth_types Value | Description |
---|---|
KRB5_PADATA_ENC_TIMESTAMP (x'00000002') | Encrypted timestamp preauthentication. |

Upon completion of the request, creds are updated with the initial ticket, the session key, and the client address list. The krb5_free_cred_contents() or krb5_free_creds() routine should be called to release the credentials when they are no longer needed.
If no errors occur, the return value is 0. Otherwise, a Kerberos error code is returned.
Message ID | Error Message Text |
---|---|
CPE3418 E | Possible APAR condition or hardware failure. |