krb5_cc_retrieve_cred()--Retrieve a Set of Credentials

Syntax

 #include <krb5.h>

 krb5_error_code krb5_cc_retrieve_cred(  
     krb5_context     context,  
     krb5_ccache      ccache,
     krb5_flags       flags,
     krb5_creds *     mcreds,
     krb5_creds *     creds);

  Service Program Name: QSYS/QKRBGSS

  Default Public Authority: *USE

  Threadsafe: Yes

The krb5_cc_retrieve_cred() function searches the credentials cache and returns an entry that matches the credentials specified. The client principal must always match. The KRB5_TC_MATCH_SRV_NAMEONLY flag controls how much of the server principal must match.

Authorities

Object Referred to

Data Authority Required

Each directory in the path name preceding the credentials cache file

Credentials cache file

*RW

Parameters

context (Input)

The Kerberos context.

ccache (Input)

The credentials cache handle.

flags (Input)

The search flags that are used to determine whether a particular cache entry should be returned to the caller. The following symbolic definitions are provided for the various flags and should be ORed together to set the desired search flags:

KRB5_TC_MATCH_TIMES (x'00000001')

The renew_till and endtime values in the cache entry must be greater than the values in the match credentials. A time value will be ignored if it is zero.

KRB5_TC_MATCH_IS_SKEY (x'00000002')

The is_skey flag in the cache entry must be the same as the is_skey flag in the match credentials.

KRB5_TC_MATCH_FLAGS (x'00000004')

All of the flags set in the match credentials must also be set in the cache entry.

KRB5_TC_MATCH_TIMES_EXACT (x'00000008')

The time fields in the cache entry must match exactly the time fields in the match credentials.

KRB5_TC_MATCH_FLAGS_EXACT (x'00000010')

The flags in the cache entry must match exactly the flags in the match credentials.

KRB5_TC_MATCH_AUTHDATA (x'00000020')

The authorization data in the cache entry must be identical to the authorization data in the match credentials.

KRB5_TC_MATCH_SRV_NAMEONLY (x'00000040')

Only the name portion of the server principal in the cache entry needs to match the server principal in the match credentials. The realm values may be different. If this flag is not set, the complete principal name must match.

KRB5_TC_MATCH_2ND_TKT (x'00000080')

The second ticket in the cache entry must match exactly the second ticket in the match credentials.

KRB5_TC_MATCH_KTYPE (x'00000100')

The encryption key type in the cache entry must match the encryption key type in the match credentials.

KRB5_TC_SUPPORTED_KTYPES (x'00000200')

The encryption key type in the cache entry must be one of the encryption types specified by the default_tgs_enctypes value in the Kerberos configuration profile. If the default_tgs_enctypes value contains multiple encryption types, the list will be processed from left to right and the first matching credential will be returned.

mcreds (Input)

The match credentials. Fields from these credentials are matched with fields in the cache entries based on the search flags. The client and server principals must always be set in the match credentials, no matter what search flags are specified.

creds (Output)

The contents of the matched cache entry. The krb5_free_cred_contents() routine should be called to release the credentials contents when they are no longer needed.

Return Value

If no errors occur, the return value is 0. Otherwise, a Kerberos error code is returned.

Error Messages

Message ID

Error Message Text

CPE3418 E

Possible APAR condition or hardware failure.

API introduced: V5R1

[ Back to top | Security APIs | UNIX-Type APIs | APIs by category ]