DOKK / manpages / debian 12 / heimdal-dev / krb5_get_creds_opt_set_options.3.en
KRB5_GET_CREDS(3) Library Functions Manual KRB5_GET_CREDS(3)

krb5_get_creds, krb5_get_creds_opt_add_options, krb5_get_creds_opt_alloc, krb5_get_creds_opt_free, krb5_get_creds_opt_set_enctype, krb5_get_creds_opt_set_impersonate, krb5_get_creds_opt_set_options, krb5_get_creds_opt_set_ticketget credentials from the KDC

Kerberos 5 Library (libkrb5, -lkrb5)

#include <krb5.h>

krb5_get_creds(krb5_context context, krb5_get_creds_opt opt, krb5_ccache ccache, krb5_const_principal inprinc, krb5_creds **out_creds);

krb5_get_creds_opt_add_options(krb5_context context, krb5_get_creds_opt opt, krb5_flags options);

krb5_get_creds_opt_alloc(krb5_context context, krb5_get_creds_opt *opt);

krb5_get_creds_opt_free(krb5_context context, krb5_get_creds_opt opt);

krb5_get_creds_opt_set_enctype(krb5_context context, krb5_get_creds_opt opt, krb5_enctype enctype);

krb5_get_creds_opt_set_impersonate(krb5_context context, krb5_get_creds_opt opt, krb5_const_principal self);

krb5_get_creds_opt_set_options(krb5_context context, krb5_get_creds_opt opt, krb5_flags options);

krb5_get_creds_opt_set_ticket(krb5_context context, krb5_get_creds_opt opt, const Ticket *ticket);

() fetches credentials specified by opt by first looking in the ccache, and then it doesn't exists, fetch the credential from the KDC using the krbtgts in ccache. The credential is returned in out_creds and should be freed using the function ().

The structure krb5_get_creds_opt controls the behavior of (). The structure is opaque to consumers that can set the content of the structure with accessors functions. All accessor functions make copies of the data that is passed into accessor functions, so external consumers free the memory before calling krb5_get_creds().

The structure krb5_get_creds_opt is allocated with () and freed with (). The free function also frees the content of the structure set by the accessor functions.

() and () adds and sets options to the krb5_get_creds_opt structure . The possible options to set are

Only check the ccache, don't got out on network to fetch credential.
request a user to user ticket. This options doesn't store the resulting user to user credential in the ccache.
returns the credential even if it is expired, default behavior is trying to refetch the credential from the KDC.
Do not store the resulting credentials in the ccache.

() sets the preferred encryption type of the application. Don't set this unless you have to since if there is no match in the KDC, the function call will fail.

() sets the principal to impersonate., Returns a ticket that have the impersonation principal as a client and the requestor as the service. Note that the requested principal have to be the same as the client principal in the krbtgt.

() sets the extra ticket used in user-to-user or contrained delegation use case.

krb5(3), krb5_get_credentials(3), krb5.conf(5)

June 15, 2006 HEIMDAL