#include <krb5.h> krb5_error_code krb5_get_in_tkt_with_skey( krb5_context context, krb5_const krb5_flags options, krb5_address * krb5_const * addrs, krb5_enctype * enctypes, krb5_preauthtype * pre_auth_types, krb5_const krb5_keyblock * key, krb5_ccache ccache, krb5_creds * creds, krb5_kdc_rep ** ret_as_reply);Service Program Name: QSYS/QKRBGSS
The krb5_get_in_tkt_with_skey() function obtains an initial ticket-granting ticket from the Kerberos Key Distribution Center (KDC) server using a session key. This initial ticket can then be used to obtain service tickets. The client must be in the same realm as the KDC to be able to obtain an initial ticket from the KDC. The initial ticket can be used to obtain tickets in the same realm or in different realms as long as the proper inter-realm trust relationships have been established.
Object Referred to | Data Authority Required |
---|---|
Each directory in the path name preceding the key table file, if key parameter is NULL | *X |
Key table file, if key parameter is NULL | *R |
Each directory in the path name preceding the credentials cache file | *X |
Credentials cache file | *RW |
KDC_OPT_FORWARDABLE (x'40000000') | Obtain a forwardable ticket. |
KDC_OPT_PROXIABLE (x'10000000') | Obtain a proxiable ticket. |
KDC_OPT_ALLOW_POSTDATE (x'04000000') | Allow postdated tickets. |
KDC_OPT_RENEWABLE (x'00800000') | Obtain a renewable ticket. The renew_till time must be set in the request. |
KDC_OPT_RENEWABLE_OK (x'00000010') | A renewable ticket is acceptable if the KDC policy does not allow a ticket to be generated with the requested endtime. |
ENCTYPE_DES_CBC_CRC (x'00000001') | 32-bit CRC checksum with DES encryption. This encryption type should be used for interoperability with older levels of Kerberos Version 5. |
ENCTYPE_DES_CBC_MD5 (x'00000003') | MD5 checksum with DES encryption. |
KRB5_PADATA_ENC_TIMESTAMP (x'00000002') | Encrypted timestamp preauthentication. This preauthentication type should be used for interoperability with a Kerberos KDC. |
Upon completion of the request, creds are updated with the initial ticket, the session key, and the client address list. The krb5_free_cred_contents() or krb5_free_creds() routine should be called to release the credentials when they are no longer needed.
If no errors occur, the return value is 0. Otherwise, a Kerberos error code is returned.
Message ID | Error Message Text |
---|---|
CPE3418 E | Possible APAR condition or hardware failure. |
[ Back to top | Security APIs | UNIX-Type APIs | APIs by category ]