krb5_get_creds(3) krb5_get_creds_opt_add_options

LIBRARY

Kerberos 5 Library (libkrb5, -lkrb5)

SYNOPSIS

#include <krb5.h>

krb5_error_code
krb5_get_creds(krb5_context context, krb5_get_creds_opt opt, krb5_ccache ccache, krb5_const_principal inprinc, krb5_creds **out_creds);

void
krb5_get_creds_opt_add_options(krb5_context context, krb5_get_creds_opt opt, krb5_flags options);

krb5_error_code
krb5_get_creds_opt_alloc(krb5_context context, krb5_get_creds_opt *opt);

void
krb5_get_creds_opt_free(krb5_context context, krb5_get_creds_opt opt);

void
krb5_get_creds_opt_set_enctype(krb5_context context, krb5_get_creds_opt opt, krb5_enctype enctype);

krb5_error_code
krb5_get_creds_opt_set_impersonate(krb5_context context, krb5_get_creds_opt opt, krb5_const_principal self);

void
krb5_get_creds_opt_set_options(krb5_context context, krb5_get_creds_opt opt, krb5_flags options);

krb5_error_code
krb5_get_creds_opt_set_ticket(krb5_context context, krb5_get_creds_opt opt, const Ticket *ticket);

DESCRIPTION

krb5_get_creds() fetches the credentials specified by opt by first looking in the ccache and then, if they do not exist there, fetching the credential from the KDC using the krbtgts in ccache. The credential is returned in out_creds and should be freed using the function krb5_free_creds().

The structure krb5_get_creds_opt controls the behavior of krb5_get_creds(). The structure is opaque to consumers, which set its content through accessor functions. All accessor functions make copies of the data passed to them, so external consumers can free that memory before calling krb5_get_creds().

The structure krb5_get_creds_opt is allocated with krb5_get_creds_opt_alloc() and freed with krb5_get_creds_opt_free(). The free function also frees the content of the structure set by the accessor functions.

krb5_get_creds_opt_add_options() and krb5_get_creds_opt_set_options() add and set options in the krb5_get_creds_opt structure. The possible options to set are:

KRB5_GC_CACHED
Only check the ccache, don't go out on the network to fetch the credential.
KRB5_GC_USER_USER
Request a user-to-user ticket. This option doesn't store the resulting user-to-user credential in the ccache.
KRB5_GC_EXPIRED_OK
Return the credential even if it is expired. The default behavior is to try to refetch the credential from the KDC.
KRB5_GC_NO_STORE
Do not store the resulting credentials in the ccache.

krb5_get_creds_opt_set_enctype() sets the preferred encryption type of the application. Don't set this unless you have to, since the function call will fail if there is no match in the KDC.

krb5_get_creds_opt_set_impersonate() sets the principal to impersonate. krb5_get_creds() then returns a ticket that has the impersonation principal as the client and the requestor as the service. Note that the requested principal has to be the same as the client principal in the krbtgt.

krb5_get_creds_opt_set_ticket() sets the extra ticket used in the user-to-user or constrained delegation use cases.