krb5_get_cred_from_kdc()--Get Service Ticket from Kerberos KDC Server
Syntax
#include <krb5.h> krb5_error_code krb5_get_cred_from_kdc( krb5_context context, krb5_ccache ccache, krb5_creds * in_cred, krb5_creds ** out_cred, krb5_creds *** tgts);Service Program Name: QSYS/QKRBGSS
Default Public Authority: *USE
Threadsafe: Yes
The krb5_get_cred_from_kdc() function obtains a service ticket from the Kerberos Key Distribution Center (KDC) server. The credentials are not stored in the credentials cache. (The application should store them in the cache if appropriate.) The application should not call krb5_get_cred_from_kdc() if the requested service ticket is already in the credentials cache.
Authorities
Object Referred to | Data Authority Required |
---|---|
Each directory in the path name preceding the credentials cache file | *X |
Credentials cache file | *RW |
Parameters
- context (Input)
- The Kerberos context.
- ccache (Input)
- The credentials cache. The initial ticket-granting ticket for the local
realm must already be in the cache. The Kerberos runtime obtains additional
ticket-granting tickets as needed if the target server is not in the local
realm.
- in_cred (Input)
- The request credentials. The client and server fields
must be set to the desired values for the service ticket. The
second_ticket field must be set if the service ticket is to be
encrypted in a session key. The ticket expiration time can be set to override
the default expiration time.
- out_cred (Output)
- The service ticket. The krb5_free_creds() routine should
be called to release the credentials when they are no longer needed.
- tgts (Output)
- Any new ticket-granting tickets that were obtained while getting the service target from the KDC in the target realm. There may be ticket-granting tickets returned for this parameter even if the Kerberos runtime ultimately was unable to obtain a service ticket from the target KDC. The krb5_free_tgt_creds() routine should be called to release the ticket-granting ticket array when it is no longer needed.
Return Value
If no errors occur, the return value is 0. Otherwise, a Kerberos error code is returned.
Error Messages
Message ID | Error Message Text |
---|---|
CPE3418 E | Possible APAR condition or hardware failure. |
Usage Notes
- The krb5_get_cred_from_kdc() routine obtains any necessary ticket-granting tickets for intermediate realms between the client realm and the server realm. It then calls the krb5_get_cred_via_tkt() routine to obtain the actual service ticket. The KDC options are the same as the ticket-granting ticket options. The KDC_OPT_ENC_TKT_IN_SKEY (x'00000008') flag is set if the in_cred parameter provided a second ticket.
API introduced: V5R1
[ Back to top | Security APIs | UNIX-Type APIs | APIs by category ]