220 lines
6.2 KiB
HTML
220 lines
6.2 KiB
HTML
|
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||
|
<html>
|
||
|
<head>
|
||
|
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
|
||
|
<meta name="Copyright" content="Copyright (c) 2006 by IBM Corporation">
|
||
|
<title>krb5_get_credentials()--Get Service Ticket</title>
|
||
|
<!-- Begin Header Records -->
|
||
|
<!-- Created by Kent Hofer for V5R1 -->
|
||
|
<!-- All rights reserved. Licensed Materials Property of IBM -->
|
||
|
<!-- US Government Users Restricted Rights -->
|
||
|
<!-- Use, duplication or disclosure restricted by -->
|
||
|
<!-- GSA ADP Schedule Contract with IBM Corp. -->
|
||
|
<!-- Change History: -->
|
||
|
<!-- YYMMDD USERID Change description -->
|
||
|
<link rel="stylesheet" type="text/css" href="../rzahg/ic.css">
|
||
|
</head>
|
||
|
<body>
|
||
|
<!-- End Header Records --><!-- Edited by Kersten Jan 02 -->
|
||
|
<!--Java sync-link-->
|
||
|
<script type="text/javascript" language="Javascript" src="../rzahg/synch.js">
|
||
|
</script>
|
||
|
|
||
|
<a name="Top_Of_Page"></a>
|
||
|
|
||
|
<h2>krb5_get_credentials()--Get Service Ticket</h2>
|
||
|
|
||
|
<div class="box" style="width: 60%;">
|
||
|
<br>
|
||
|
Syntax
|
||
|
|
||
|
<pre>
|
||
|
#include <krb5.h>
|
||
|
|
||
|
krb5_error_code krb5_get_credentials(
|
||
|
krb5_context <em>context</em>,
|
||
|
krb5_const krb5_flags <em>options</em>,
|
||
|
krb5_ccache <em>ccache</em>,
|
||
|
krb5_creds * <em>in_cred</em>,
|
||
|
krb5_creds ** <em>out_cred</em>);
|
||
|
</pre>
|
||
|
|
||
|
Service Program Name: QSYS/QKRBGSS<br>
|
||
|
<!-- iddvc RMBR -->
|
||
|
<br>
|
||
|
Default Public Authority: *USE<br>
|
||
|
<!-- iddvc RMBR -->
|
||
|
<br>
|
||
|
Threadsafe: Yes<br>
|
||
|
<!-- iddvc RMBR -->
|
||
|
<br>
|
||
|
</div>
|
||
|
|
||
|
<p>The <strong>krb5_get_credentials()</strong> function obtains a service
|
||
|
ticket for the requested server. This routine is the normal way for an
|
||
|
application to obtain a service ticket. If the service ticket is already in the
|
||
|
credentials cache, the <strong>krb5_get_credentials()</strong> routine returns
|
||
|
the cached ticket. Otherwise, the <strong>krb5_get_credentials()</strong>
|
||
|
routine calls the <strong>krb5_get_cred_from_kdc()</strong> routine to obtain a
|
||
|
service ticket from the Kerberos server.</p>
|
||
|
|
||
|
<p>The <strong>krb5_get_credentials()</strong> routine stores any tickets
|
||
|
obtained during its processing in the credentials cache. This includes the
|
||
|
requested service ticket, as well as any ticket-granting tickets required to
|
||
|
obtain the service ticket.</p>
|
||
|
|
||
|
<br>
|
||
|
<h3>Authorities</h3>
|
||
|
|
||
|
<table border cellpadding="5">
|
||
|
<!-- width="80" -->
|
||
|
<!-- cols="30 70" -->
|
||
|
<tr>
|
||
|
<th align="left" valign="bottom">Object Referred to</th>
|
||
|
<th align="center" valign="bottom">Data Authority Required</th>
|
||
|
</tr>
|
||
|
|
||
|
<tr>
|
||
|
<td align="left" valign="top">Each directory in the path name preceding the
|
||
|
credentials cache file</td>
|
||
|
<td align="center" valign="top">*X</td>
|
||
|
</tr>
|
||
|
|
||
|
<tr>
|
||
|
<td align="left" valign="top">Credentials cache file</td>
|
||
|
<td align="center" valign="top">*RW</td>
|
||
|
</tr>
|
||
|
</table>
|
||
|
|
||
|
<br>
|
||
|
<br>
|
||
|
<h3>Parameters</h3>
|
||
|
|
||
|
<dl>
|
||
|
<dt><strong>context</strong> (Input)</dt>
|
||
|
|
||
|
<dd>The Kerberos context.<br>
|
||
|
<br>
|
||
|
</dd>
|
||
|
|
||
|
<dt><strong>options</strong> (Input)</dt>
|
||
|
|
||
|
<dd>The option flags as follows:<br>
|
||
|
<br>
|
||
|
<table cellpadding="5">
|
||
|
<!-- cols="35 65" -->
|
||
|
<tr>
|
||
|
<td align="left" valign="top"><em>KRB5_GC_USER_USER</em> (x'00000001')</td>
|
||
|
<td align="left" valign="top">Obtain a user-to-user ticket.</td>
|
||
|
</tr>
|
||
|
|
||
|
<tr>
|
||
|
<td align="left" valign="top"><em>KRB5_GC_CACHED</em> (x'00000002')</td>
|
||
|
<td align="left" valign="top">Do not obtain a service ticket if one is not
|
||
|
found in the credentials cache.</td>
|
||
|
</tr>
|
||
|
</table>
|
||
|
|
||
|
<br>
|
||
|
<br>
|
||
|
</dd>
|
||
|
|
||
|
<dt><strong>ccache</strong> (Input)</dt>
|
||
|
|
||
|
<dd>The credentials cache to be used. The initial ticket-granting ticket must
|
||
|
already be in the cache.<br>
|
||
|
<br>
|
||
|
</dd>
|
||
|
|
||
|
<dt><strong>in_cred</strong> (Input)</dt>
|
||
|
|
||
|
<dd>The request credentials. The <em>client</em> and <em>server</em> fields
|
||
|
must be set to the desired values for the service ticket. The
|
||
|
<em>second_ticket</em> field must be set if the service ticket is to be
|
||
|
encrypted in a session key. The ticket expiration time can be set to override
|
||
|
the default expiration time. The key encryption type can be set to override the
|
||
|
default ticket encryption type.<br>
|
||
|
<br>
|
||
|
</dd>
|
||
|
|
||
|
<dt><strong>out_cred</strong> (Output)</dt>
|
||
|
|
||
|
<dd>The service ticket. The <strong>krb5_free_creds()</strong> routine should
|
||
|
be called to release the credentials when they are no longer needed.<br>
|
||
|
<br>
|
||
|
</dd>
|
||
|
</dl>
|
||
|
|
||
|
<br>
|
||
|
|
||
|
|
||
|
<h3>Return Value</h3>
|
||
|
|
||
|
<p>If no errors occur, the return value is 0. Otherwise, a Kerberos error code
|
||
|
is returned.</p>
|
||
|
|
||
|
<br>
|
||
|
|
||
|
|
||
|
<h3>Error Messages</h3>
|
||
|
|
||
|
<table width="100%" cellpadding="5">
|
||
|
<!-- cols="15 85" -->
|
||
|
<tr>
|
||
|
<th align="left" valign="top">Message ID</th>
|
||
|
<th align="left" valign="top">Error Message Text</th>
|
||
|
</tr>
|
||
|
|
||
|
<tr>
|
||
|
<td width="15%" valign="top">CPE3418 E</td>
|
||
|
<td width="85%" valign="top">Possible APAR condition or hardware failure.</td>
|
||
|
</tr>
|
||
|
</table>
|
||
|
|
||
|
<br>
|
||
|
<br>
|
||
|
|
||
|
|
||
|
<h3>Usage Notes</h3>
|
||
|
|
||
|
<ol>
|
||
|
<li>If <strong>KRB5_GC_CACHED</strong> is specified, the
|
||
|
<strong>krb5_get_credentials()</strong> routine searches only the credentials
|
||
|
cache for a service ticket.<br>
|
||
|
<br>
|
||
|
</li>
|
||
|
|
||
|
<li>If <strong>KRB5_GC_USER_USER</strong> is specified, the
|
||
|
<strong>krb5_get_credentials()</strong> routine gets credentials for
|
||
|
user-to-user authentication. In user-to-user authentication, the secret key for
|
||
|
the server is the session key from the server's ticket-granting ticket. The
|
||
|
ticket-granting ticket is passed from the server to the client over the
|
||
|
network. (This is safe since the ticket-granting ticket is encrypted in a key
|
||
|
known only by the Kerberos server.) The client must then pass this
|
||
|
ticket-granting ticket to <strong>krb5_get_credentials()</strong> as the second
|
||
|
ticket in the request credentials. The Kerberos server uses this
|
||
|
ticket-granting ticket to construct a user-to-user ticket that can be verified
|
||
|
by the server using the session key from its ticket-granting ticket.</li>
|
||
|
</ol>
|
||
|
|
||
|
<br>
|
||
|
|
||
|
|
||
|
<hr>
|
||
|
API introduced: V5R1
|
||
|
|
||
|
<hr>
|
||
|
<center>
|
||
|
<table cellpadding="2" cellspacing="2">
|
||
|
<tr align="center">
|
||
|
<td valign="middle" align="center"><a href="#Top_Of_Page">Top</a> | <a href=
|
||
|
"sec.htm">Security APIs</a> <br>
|
||
|
<a href="unix.htm">UNIX-Type APIs</a> | <a href="aplist.htm">APIs by
|
||
|
category</a> </td>
|
||
|
</tr>
|
||
|
</table>
|
||
|
</center>
|
||
|
</body>
|
||
|
</html>
|
||
|
|