krb5_get_cred_via_tkt()--Get Service Ticket from Kerberos KDC Server Using Supplied Ticket-granting Ticket
Syntax
    #include <krb5.h>

    krb5_error_code krb5_get_cred_via_tkt(
        krb5_context           context,
        krb5_creds *           tkt,
        krb5_const krb5_flags  kdc_options,
        krb5_address **        address,
        krb5_creds *           in_cred,
        krb5_creds **          out_cred);

Service Program Name: QSYS/QKRBGSS
Default Public Authority: *USE
Threadsafe: Yes
The krb5_get_cred_via_tkt() function obtains a service ticket from the Kerberos Key Distribution Center (KDC) server.
Authorities
No authorities are required.
Parameters
- context (Input)
- The Kerberos context.
- tkt (Input)
- The ticket-granting ticket for the realm containing the target server for
the service ticket. The client in the ticket-granting ticket must be the same
as the client in the request credentials.
- kdc_options (Input)
- KDC options for the service ticket as follows:
  - KDC_OPT_FORWARDABLE (x'40000000'): Obtain a forwardable ticket.
  - KDC_OPT_PROXIABLE (x'10000000'): Obtain a proxiable ticket.
  - KDC_OPT_ALLOW_POSTDATE (x'04000000'): Allow postdated tickets.
  - KDC_OPT_RENEWABLE (x'00800000'): Obtain a renewable ticket. The renew_till time must be set in the request.
  - KDC_OPT_RENEWABLE_OK (x'00000010'): A renewable ticket is acceptable if the KDC policy does not allow a ticket to be generated with the requested endtime.
  - KDC_OPT_ENC_TKT_IN_SKEY (x'00000008'): Encrypt the service ticket in the session key of the second ticket.
- address (Input)
- The addresses to be placed in the ticket. The ticket addresses determine
which host systems can generate requests to use the ticket.
- in_cred (Input)
- The request credentials. The client and server fields
must be set to the desired values for the service ticket. The
second_ticket field must be set if the service ticket is to be
encrypted in a session key. The ticket expiration time can be set to override
the default expiration time.
- out_cred (Output)
- The service ticket. The krb5_free_creds() routine should be called to release the credentials when they are no longer needed.
Return Value
If no errors occur, the return value is 0. Otherwise, a Kerberos error code is returned.
Error Messages
Message ID | Error Message Text |
---|---|
CPE3418 E | Possible APAR condition or hardware failure. |
Usage Notes
- If the request is for a ticket-granting ticket in a foreign realm, the KDC may return a ticket-granting ticket for an intermediate realm if it is unable to return a ticket-granting ticket for the requested realm. The application should check the server name in the returned ticket-granting ticket. If the ticket-granting ticket is not for the desired realm, the application should call krb5_get_cred_via_tkt() again to send the request to the KDC for the realm in the returned ticket-granting ticket and should provide the ticket-granting ticket as the credentials for the request.
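The referral handling described in the usage note, modeled as an added example that is not IBM's code. It is self-contained so that it runs without a KDC: `struct tgt`, `kdc_fn`, `mock_kdc`, `get_foreign_tgt`, the realm names and the `MAX_HOPS` cap are all assumptions made for illustration, and in a real program the `ask` callback would wrap krb5_get_cred_via_tkt(). The hop cap goes beyond the page and stops an endless chain of intermediate-realm referrals.

```c
#include <stdio.h>
#include <string.h>

#define MAX_HOPS 4  /* assumed cap on referrals; the page sets no limit */

/* Stand-in for the server name of a TGT, krbtgt/<target>@<issuer>. */
struct tgt { const char *target; const char *issuer; };

/* Stand-in for krb5_get_cred_via_tkt(): sends the request to the KDC of
 * tgt->target and asks for krbtgt/<want>. Returns 0 or an error code. */
typedef int (*kdc_fn)(const struct tgt *tgt, const char *want, struct tgt *out);

/* Constructed trust path: A.TEST trusts only HUB.TEST; HUB.TEST can issue
 * B.TEST directly; for anything else HUB.TEST refers back to A.TEST. */
static int mock_kdc(const struct tgt *tgt, const char *want, struct tgt *out)
{
    out->issuer = tgt->target;
    if (strcmp(tgt->target, "A.TEST") == 0)
        out->target = "HUB.TEST";
    else if (strcmp(tgt->target, "HUB.TEST") == 0)
        out->target = strcmp(want, "B.TEST") == 0 ? "B.TEST" : "A.TEST";
    else
        return -1;                      /* unknown realm: no KDC to ask */
    return 0;
}

/* Follow intermediate-realm TGTs until one names the desired realm.
 * Returns the number of requests made, or -1 on KDC error or hop limit. */
static int get_foreign_tgt(kdc_fn ask, struct tgt cur, const char *want,
                           struct tgt *result)
{
    for (int hop = 1; hop <= MAX_HOPS; hop++) {
        struct tgt got;
        if (ask(&cur, want, &got) != 0)
            return -1;
        if (strcmp(got.target, want) == 0) {   /* server name check */
            *result = got;
            return hop;
        }
        cur = got;   /* intermediate realm: retry there with the returned TGT */
    }
    return -1;       /* referral loop or path longer than MAX_HOPS */
}

int main(void)
{
    struct tgt local = { "A.TEST", "A.TEST" }, out;
    printf("B.TEST: %d\n", get_foreign_tgt(mock_kdc, local, "B.TEST", &out));
    printf("C.TEST: %d\n", get_foreign_tgt(mock_kdc, local, "C.TEST", &out));
    return 0;
}
```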
API introduced: V5R1