krb5_cc_retrieve_cred()--Retrieve a Set of Credentials
Syntax
```c
#include <krb5.h>

krb5_error_code krb5_cc_retrieve_cred(
    krb5_context    context,
    krb5_ccache     ccache,
    krb5_flags      flags,
    krb5_creds *    mcreds,
    krb5_creds *    creds);
```

Service Program Name: QSYS/QKRBGSS
Default Public Authority: *USE
Threadsafe: Yes
The krb5_cc_retrieve_cred() function searches the credentials cache and returns an entry that matches the credentials specified. The client principal must always match. The KRB5_TC_MATCH_SRV_NAMEONLY flag controls how much of the server principal must match.
Authorities
Object Referred to | Data Authority Required |
---|---|
Each directory in the path name preceding the credentials cache file | *X |
Credentials cache file | *RW |
Parameters
- context (Input)
- The Kerberos context.
- ccache (Input)
- The credentials cache handle.
- flags (Input)
- The search flags that are used to determine whether a particular cache
entry should be returned to the caller. The following symbolic definitions are
provided for the various flags and should be ORed together to set the desired
search flags:
  - KRB5_TC_MATCH_TIMES (x'00000001'): The renew_till and endtime values in the cache entry must be greater than the values in the match credentials. A time value will be ignored if it is zero.
  - KRB5_TC_MATCH_IS_SKEY (x'00000002'): The is_skey flag in the cache entry must be the same as the is_skey flag in the match credentials.
  - KRB5_TC_MATCH_FLAGS (x'00000004'): All of the flags set in the match credentials must also be set in the cache entry.
  - KRB5_TC_MATCH_TIMES_EXACT (x'00000008'): The time fields in the cache entry must match exactly the time fields in the match credentials.
  - KRB5_TC_MATCH_FLAGS_EXACT (x'00000010'): The flags in the cache entry must match exactly the flags in the match credentials.
  - KRB5_TC_MATCH_AUTHDATA (x'00000020'): The authorization data in the cache entry must be identical to the authorization data in the match credentials.
  - KRB5_TC_MATCH_SRV_NAMEONLY (x'00000040'): Only the name portion of the server principal in the cache entry needs to match the server principal in the match credentials. The realm values may be different. If this flag is not set, the complete principal name must match.
  - KRB5_TC_MATCH_2ND_TKT (x'00000080'): The second ticket in the cache entry must match exactly the second ticket in the match credentials.
  - KRB5_TC_MATCH_KTYPE (x'00000100'): The encryption key type in the cache entry must match the encryption key type in the match credentials.
  - KRB5_TC_SUPPORTED_KTYPES (x'00000200'): The encryption key type in the cache entry must be one of the encryption types specified by the default_tgs_enctypes value in the Kerberos configuration profile. If the default_tgs_enctypes value contains multiple encryption types, the list will be processed from left to right and the first matching credential will be returned.
- mcreds (Input)
- The match credentials. Fields from these credentials are matched with
fields in the cache entries based on the search flags. The client and server
principals must always be set in the match credentials, no matter what search
flags are specified.
- creds (Output)
- The contents of the matched cache entry. The krb5_free_cred_contents() routine should be called to release the credentials contents when they are no longer needed.
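
The matching rules described for the flags and mcreds parameters, written out as a small C model. This is an added example, not IBM's implementation, and it does not call the Kerberos API. The model_cred struct, the model_match and model_lookup functions, the sample cache with its ticket flag bits, and the first-match search order are assumptions made for illustration; the flag values and the strict "greater than" time comparison follow the wording above.

```c
#include <stdint.h>
#include <string.h>
/* Flag values copied from the page's flag list. */
#define KRB5_TC_MATCH_TIMES        0x00000001u
#define KRB5_TC_MATCH_FLAGS        0x00000004u
#define KRB5_TC_MATCH_FLAGS_EXACT  0x00000010u
#define KRB5_TC_MATCH_SRV_NAMEONLY 0x00000040u
/* Hypothetical, simplified stand-in for krb5_creds (not the real layout). */
typedef struct {
    const char *client, *server;          /* "name@REALM" strings */
    int32_t endtime, renew_till; uint32_t ticket_flags;
} model_cred;

/* Length of the name portion of "name@REALM" (assumes no escaped '@'). */
static size_t name_len(const char *p) {
    const char *at = strrchr(p, '@');
    return at ? (size_t)(at - p) : strlen(p);
}
/* A zero time in the match credentials is ignored. */
static int time_ok(int32_t entry, int32_t want) { return want == 0 || entry > want; }

int model_match(uint32_t flags, const model_cred *m, const model_cred *e) {
    if (strcmp(m->client, e->client) != 0) return 0;   /* client must always match */
    if (flags & KRB5_TC_MATCH_SRV_NAMEONLY) {          /* realm may differ */
        size_t n = name_len(m->server);
        if (n != name_len(e->server) || strncmp(m->server, e->server, n) != 0) return 0;
    } else if (strcmp(m->server, e->server) != 0) return 0;
    if ((flags & KRB5_TC_MATCH_TIMES) && !(time_ok(e->endtime, m->endtime) &&
                                           time_ok(e->renew_till, m->renew_till))) return 0;
    if ((flags & KRB5_TC_MATCH_FLAGS) &&               /* match flags must be a subset */
        (e->ticket_flags & m->ticket_flags) != m->ticket_flags) return 0;
    if ((flags & KRB5_TC_MATCH_FLAGS_EXACT) && e->ticket_flags != m->ticket_flags) return 0;
    return 1;
}

/* Constructed sample cache; ticket flag bits 0x1 and 0x2 are arbitrary. */
static const model_cred SAMPLE_CACHE[] = {
    {"alice@EXAMPLE.COM", "host/app1@EXAMPLE.COM",   1000, 0,    0x0},
    {"alice@EXAMPLE.COM", "host/app1@OTHER.EXAMPLE", 5000, 9000, 0x3},
    {"alice@EXAMPLE.COM", "host/app1@EXAMPLE.COM",   5000, 9000, 0x1},
};

/* Index of the first matching sample entry, or -1 (first-match order is assumed). */
int model_lookup(uint32_t flags, const char *client, const char *server,
                 int32_t endtime, uint32_t ticket_flags) {
    model_cred m = {client, server, endtime, 0, ticket_flags};
    for (int i = 0; i < 3; i++) if (model_match(flags, &m, &SAMPLE_CACHE[i])) return i;
    return -1;
}
```

In this model a lookup with no flags returns entry 0 regardless of its endtime; adding KRB5_TC_MATCH_TIMES with a nonzero endtime in the match credentials skips it.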
Return Value
If no errors occur, the return value is 0. Otherwise, a Kerberos error code is returned.
Error Messages
Message ID | Error Message Text |
---|---|
CPE3418 E | Possible APAR condition or hardware failure. |
API introduced: V5R1