1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
|
KRB5_GET_CREDENTIALS(3) BSD Library Functions Manual KRB5_GET_CREDENTIALS(3)
N�NA�AM�ME�E
k�kr�rb�b5�5_�_g�ge�et�t_�_c�cr�re�ed�de�en�nt�ti�ia�al�ls�s, k�kr�rb�b5�5_�_g�ge�et�t_�_c�cr�re�ed�de�en�nt�ti�ia�al�ls�s_�_w�wi�it�th�h_�_f�fl�la�ag�gs�s, k�kr�rb�b5�5_�_g�ge�et�t_�_k�kd�dc�c_�_c�cr�re�ed�d,
k�kr�rb�b5�5_�_g�ge�et�t_�_r�re�en�ne�ew�we�ed�d_�_c�cr�re�ed�ds�s -- get credentials from the KDC using krbtgt
L�LI�IB�BR�RA�AR�RY�Y
Kerberos 5 Library (libkrb5, -lkrb5)
S�SY�YN�NO�OP�PS�SI�IS�S
#�#i�in�nc�cl�lu�ud�de�e <�<k�kr�rb�b5�5.�.h�h>�>
_�k_�r_�b_�5_�__�e_�r_�r_�o_�r_�__�c_�o_�d_�e
k�kr�rb�b5�5_�_g�ge�et�t_�_c�cr�re�ed�de�en�nt�ti�ia�al�ls�s(_�k_�r_�b_�5_�__�c_�o_�n_�t_�e_�x_�t _�c_�o_�n_�t_�e_�x_�t, _�k_�r_�b_�5_�__�f_�l_�a_�g_�s _�o_�p_�t_�i_�o_�n_�s,
_�k_�r_�b_�5_�__�c_�c_�a_�c_�h_�e _�c_�c_�a_�c_�h_�e, _�k_�r_�b_�5_�__�c_�r_�e_�d_�s _�*_�i_�n_�__�c_�r_�e_�d_�s, _�k_�r_�b_�5_�__�c_�r_�e_�d_�s _�*_�*_�o_�u_�t_�__�c_�r_�e_�d_�s);
_�k_�r_�b_�5_�__�e_�r_�r_�o_�r_�__�c_�o_�d_�e
k�kr�rb�b5�5_�_g�ge�et�t_�_c�cr�re�ed�de�en�nt�ti�ia�al�ls�s_�_w�wi�it�th�h_�_f�fl�la�ag�gs�s(_�k_�r_�b_�5_�__�c_�o_�n_�t_�e_�x_�t _�c_�o_�n_�t_�e_�x_�t, _�k_�r_�b_�5_�__�f_�l_�a_�g_�s _�o_�p_�t_�i_�o_�n_�s,
_�k_�r_�b_�5_�__�k_�d_�c_�__�f_�l_�a_�g_�s _�f_�l_�a_�g_�s, _�k_�r_�b_�5_�__�c_�c_�a_�c_�h_�e _�c_�c_�a_�c_�h_�e, _�k_�r_�b_�5_�__�c_�r_�e_�d_�s _�*_�i_�n_�__�c_�r_�e_�d_�s,
_�k_�r_�b_�5_�__�c_�r_�e_�d_�s _�*_�*_�o_�u_�t_�__�c_�r_�e_�d_�s);
_�k_�r_�b_�5_�__�e_�r_�r_�o_�r_�__�c_�o_�d_�e
k�kr�rb�b5�5_�_g�ge�et�t_�_k�kd�dc�c_�_c�cr�re�ed�d(_�k_�r_�b_�5_�__�c_�o_�n_�t_�e_�x_�t _�c_�o_�n_�t_�e_�x_�t, _�k_�r_�b_�5_�__�c_�c_�a_�c_�h_�e _�i_�d,
_�k_�r_�b_�5_�__�k_�d_�c_�__�f_�l_�a_�g_�s _�f_�l_�a_�g_�s, _�k_�r_�b_�5_�__�a_�d_�d_�r_�e_�s_�s_�e_�s _�*_�a_�d_�d_�r_�e_�s_�s_�e_�s,
_�T_�i_�c_�k_�e_�t _�*_�s_�e_�c_�o_�n_�d_�__�t_�i_�c_�k_�e_�t, _�k_�r_�b_�5_�__�c_�r_�e_�d_�s _�*_�i_�n_�__�c_�r_�e_�d_�s, _�k_�r_�b_�5_�__�c_�r_�e_�d_�s _�*_�*_�o_�u_�t_�__�c_�r_�e_�d_�s);
_�k_�r_�b_�5_�__�e_�r_�r_�o_�r_�__�c_�o_�d_�e
k�kr�rb�b5�5_�_g�ge�et�t_�_r�re�en�ne�ew�we�ed�d_�_c�cr�re�ed�ds�s(_�k_�r_�b_�5_�__�c_�o_�n_�t_�e_�x_�t _�c_�o_�n_�t_�e_�x_�t, _�k_�r_�b_�5_�__�c_�r_�e_�d_�s _�*_�c_�r_�e_�d_�s,
_�k_�r_�b_�5_�__�c_�o_�n_�s_�t_�__�p_�r_�i_�n_�c_�i_�p_�a_�l _�c_�l_�i_�e_�n_�t, _�k_�r_�b_�5_�__�c_�c_�a_�c_�h_�e _�c_�c_�a_�c_�h_�e,
_�c_�o_�n_�s_�t _�c_�h_�a_�r _�*_�i_�n_�__�t_�k_�t_�__�s_�e_�r_�v_�i_�c_�e);
D�DE�ES�SC�CR�RI�IP�PT�TI�IO�ON�N
k�kr�rb�b5�5_�_g�ge�et�t_�_c�cr�re�ed�de�en�nt�ti�ia�al�ls�s_�_w�wi�it�th�h_�_f�fl�la�ag�gs�s() get credentials specified by
_�i_�n_�__�c_�r_�e_�d_�s_�-_�>_�s_�e_�r_�v_�e_�r and _�i_�n_�__�c_�r_�e_�d_�s_�-_�>_�c_�l_�i_�e_�n_�t (the rest of the _�i_�n_�__�c_�r_�e_�d_�s structure
is ignored) by first looking in the _�c_�c_�a_�c_�h_�e and if doesn't exists or is
expired, fetch the credential from the KDC using the krbtgt in _�c_�c_�a_�c_�h_�e.
The credential is returned in _�o_�u_�t_�__�c_�r_�e_�d_�s and should be freed using the
function k�kr�rb�b5�5_�_f�fr�re�ee�e_�_c�cr�re�ed�ds�s().
Valid flags to pass into _�o_�p_�t_�i_�o_�n_�s argument are:
KRB5_GC_CACHED Only check the _�c_�c_�a_�c_�h_�e, don't got out on network to
fetch credential.
KRB5_GC_USER_USER Request a user to user ticket. This option doesn't
store the resulting user to user credential in the
_�c_�c_�a_�c_�h_�e.
KRB5_GC_EXPIRED_OK returns the credential even if it is expired, default
behavior is trying to refetch the credential from the
KDC.
_�F_�l_�a_�g_�s are KDCOptions, note the caller must fill in the bit-field and not
use the integer associated structure.
k�kr�rb�b5�5_�_g�ge�et�t_�_c�cr�re�ed�de�en�nt�ti�ia�al�ls�s() works the same way as
k�kr�rb�b5�5_�_g�ge�et�t_�_c�cr�re�ed�de�en�nt�ti�ia�al�ls�s_�_w�wi�it�th�h_�_f�fl�la�ag�gs�s() except that the _�f_�l_�a_�g_�s field is missing.
k�kr�rb�b5�5_�_g�ge�et�t_�_k�kd�dc�c_�_c�cr�re�ed�d() does the same as the functions above, but the caller
must fill in all the information andits closer to the wire protocol.
k�kr�rb�b5�5_�_g�ge�et�t_�_r�re�en�ne�ew�we�ed�d_�_c�cr�re�ed�ds�s() renews a credential given by _�i_�n_�__�t_�k_�t_�__�s_�e_�r_�v_�i_�c_�e (if
NULL the default krbtgt) using the credential cache _�c_�c_�a_�c_�h_�e. The result
is stored in _�c_�r_�e_�d_�s and should be freed using _�k_�r_�b_�5_�__�f_�r_�e_�e_�__�c_�r_�e_�d_�s.
E�EX�XA�AM�MP�PL�LE�ES�S
Here is a example function that get a credential from a credential cache
_�i_�d or the KDC and returns it to the caller.
#include <krb5.h>
int
getcred(krb5_context context, krb5_ccache id, krb5_creds **creds)
{
krb5_error_code ret;
krb5_creds in;
ret = krb5_parse_name(context, "client@EXAMPLE.COM",
&in.client);
if (ret)
krb5_err(context, 1, ret, "krb5_parse_name");
ret = krb5_parse_name(context, "host/server.example.com@EXAMPLE.COM",
&in.server);
if (ret)
krb5_err(context, 1, ret, "krb5_parse_name");
ret = krb5_get_credentials(context, 0, id, &in, creds);
if (ret)
krb5_err(context, 1, ret, "krb5_get_credentials");
return 0;
}
S�SE�EE�E A�AL�LS�SO�O
krb5(3), krb5_get_forwarded_creds(3), krb5.conf(5)
HEIMDAL July 26, 2004 HEIMDAL
|
