krb5_get_credentials()--Get Service Ticket
Syntax
#include <krb5.h>
krb5_error_code krb5_get_credentials(
    krb5_context context,
    krb5_const krb5_flags options,
    krb5_ccache ccache,
    krb5_creds * in_cred,
    krb5_creds ** out_cred);
Service Program Name: QSYS/QKRBGSS
Default Public Authority: *USE
Threadsafe: Yes
The krb5_get_credentials() function obtains a service
ticket for the requested server. This routine is the normal way for an
application to obtain a service ticket. If the service ticket is already in the
credentials cache, the krb5_get_credentials() routine returns
the cached ticket. Otherwise, the krb5_get_credentials()
routine calls the krb5_get_cred_from_kdc() routine to obtain a
service ticket from the Kerberos server.
The krb5_get_credentials() routine stores any tickets
obtained during its processing in the credentials cache. This includes the
requested service ticket, as well as any ticket-granting tickets required to
obtain the service ticket.
Authorities
Object Referred to | Data Authority Required
Each directory in the path name preceding the credentials cache file | *X
Credentials cache file | *RW
Parameters
- context (Input)
- The Kerberos context.
- options (Input)
- The option flags as follows:
KRB5_GC_USER_USER (x'00000001') | Obtain a user-to-user ticket.
KRB5_GC_CACHED (x'00000002') | Do not obtain a service ticket if one is not found in the credentials cache.
- ccache (Input)
- The credentials cache to be used. The initial ticket-granting ticket must
already be in the cache.
- in_cred (Input)
- The request credentials. The client and server fields
must be set to the desired values for the service ticket. The
second_ticket field must be set if the service ticket is to be
encrypted in a session key. The ticket expiration time can be set to override
the default expiration time. The key encryption type can be set to override the
default ticket encryption type.
- out_cred (Output)
- The service ticket. The krb5_free_creds() routine should
be called to release the credentials when they are no longer needed.
Return Value
If no errors occur, the return value is 0. Otherwise, a Kerberos error code
is returned.
Error Messages
Message ID | Error Message Text
CPE3418 E | Possible APAR condition or hardware failure.
Usage Notes
- If KRB5_GC_CACHED is specified, the
krb5_get_credentials() routine searches only the credentials
cache for a service ticket.
- If KRB5_GC_USER_USER is specified, the
krb5_get_credentials() routine gets credentials for
user-to-user authentication. In user-to-user authentication, the secret key for
the server is the session key from the server's ticket-granting ticket. The
ticket-granting ticket is passed from the server to the client over the
network. (This is safe since the ticket-granting ticket is encrypted in a key
known only by the Kerberos server.) The client must then pass this
ticket-granting ticket to krb5_get_credentials() as the second
ticket in the request credentials. The Kerberos server uses this
ticket-granting ticket to construct a user-to-user ticket that can be verified
by the server using the session key from its ticket-granting ticket.
API introduced: V5R1