krb5_get_cred_via_tkt()--Get Service Ticket from Kerberos KDC Server Using Supplied Ticket-granting Ticket

Syntax

 #include <krb5.h>

 krb5_error_code krb5_get_cred_via_tkt(
     krb5_context     context,
     krb5_creds *     tkt,
     krb5_const krb5_flags    kdc_options,   
     krb5_address **      address,
     krb5_creds *       in_cred,
     krb5_creds **      out_cred);

  Service Program Name: QSYS/QKRBGSS

  Default Public Authority: *USE

  Threadsafe: Yes

The krb5_get_cred_via_tkt() function obtains a service ticket from the Kerberos Key Distribution Center (KDC) server.

Authorities

No authorities are required.

Parameters

context (Input)

The Kerberos context.

tkt (Input)

The ticket-granting ticket for the realm containing the target server for the service ticket. The client in the ticket-granting ticket must be the same as the client in the request credentials.

kdc_options (Input)

KDC options for the service ticket as follows:

KDC_OPT_FORWARDABLE (x'40000000')

Obtain a forwardable ticket.

KDC_OPT_PROXIABLE (x'10000000')

Obtain a proxiable ticket.

KDC_OPT_ALLOW_POSTDATE (x'04000000')

Allow postdated tickets.

KDC_OPT_RENEWABLE (x'00800000')

Obtain a renewable ticket. The renew_till time must be set in the request.

KDC_OPT_RENEWABLE_OK (x'00000010')

A renewable ticket is acceptable if the KDC policy does not allow a ticket to be generated with the requested endtime.

KDC_OPT_ENC_TKT_IN_SKEY (x'00000008')

Encrypt the service ticket in the session key of the second ticket.

address (Input)

The addresses to be placed in the ticket. The ticket addresses determine which host systems can generate requests to use the ticket.

in_cred (Input)

The request credentials. The client and server fields must be set to the desired values for the service ticket. The second_ticket field must be set if the service ticket is to be encrypted in a session key. The ticket expiration time can be set to override the default expiration time.

out_cred (Output)

The service ticket. The krb5_free_creds() routine should be called to release the credentials when they are no longer needed.

Return Value

If no errors occur, the return value is 0. Otherwise, a Kerberos error code is returned.

Error Messages

Message ID

Error Message Text

CPE3418 E

Possible APAR condition or hardware failure.

Usage Notes

If the request is for a ticket-granting ticket in a foreign realm, the KDC may return a ticket-granting ticket for an intermediate realm if it is unable to return a ticket-granting ticket for the requested realm. The application should check the server name in the returned ticket-granting ticket. If the ticket-granting ticket is not for the desired realm, the application should call krb5_get_cred_via_tkt() again to send the request to the KDC for the realm in the returned ticket-granting ticket and should provide the ticket-granting ticket as the credentials for the request.

API introduced: V5R1

[ Back to top | Security APIs | UNIX-Type APIs | APIs by category ]