krb_svc_init(3krb)

Name

krb_svc_init, krb_get_svc_in_tkt, krb_get_pw_in_tkt − Kerberos authentication initialization routines

Syntax

 #include <krb.h>
 #include <des.h>

 krb_svc_init (user, instance, realm, lifetime,
               srvtab_file, tkt_file)
 char *user, *instance, *realm;
 int lifetime;
 char *srvtab_file, *tkt_file;

 krb_get_svc_in_tkt (user, instance, realm, service,
                     service_instance, lifetime,
                     srvtab_file)
 char *user, *instance, *realm, *service;
 char *service_instance;
 int lifetime;
 char *srvtab_file;

 krb_get_pw_in_tkt (user, instance, realm, service,
                    service_instance, lifetime,
                    password)
 char *user, *instance, *realm;
 char *service, *service_instance;
 int lifetime;
 char *password;

Arguments

user For krb_get_svc_in_tkt and krb_get_pw_in_tkt, the primary name of the principal that is obtaining a ticket that will authenticate it to principal, service.  For krb_svc_init, the primary name of the principal that is obtaining a ticket to communicate with the ticket-granting service.

instance For krb_get_svc_in_tkt and krb_get_pw_in_tkt, the instance name of the principal that is obtaining a ticket that will authenticate it to principal, service.  For krb_svc_init, the instance name of the principal that is obtaining a ticket to communicate with the ticket-granting service.

realm For krb_get_svc_in_tkt and krb_get_pw_in_tkt, the realm name of the principal that is obtaining a ticket that will authenticate it to principal, service.  For krb_svc_init, the realm name of the principal that is obtaining a ticket to communicate with the ticket-granting service.

service The primary name of the service for which a ticket will be obtained. 

service_instance
The instance of the service for which a ticket will be obtained.

lifetime The number of five-minute intervals for which the obtained ticket should be valid.  Values greater than 255 will be set to 255.  Values greater than the maximum lifetime allowed for tickets given to the requesting principal will be set to the maximum lifetime allowed.  The maximum lifetime of the tickets granted to a principal is determined when the principal is added to the Kerberos database. 

srvtab_file
The path name of the file that contains the key of the principal obtaining a ticket.  If this value is set to the NULL pointer, the default service table (srvtab) file value is used.  The default srvtab file value is /etc/srvtab, although this value can be changed by a call to the krb_set_srvtab_string function (refer to krb_set_tkt_string(3krb)).

tkt_file The path name of the file into which the credentials and tickets of the user or service should be placed.  If the tkt_file parameter is equal to the NULL pointer, then the default ticket file value is used.  The default ticket file value is set equal to /var/dss/kerberos/tkt/tkt.[uid], where uid is the user ID of the process that calls the above functions.  The default ticket file value can be changed by the krb_set_tkt_string(3krb) function call.

password The password of the principal that is obtaining a ticket that will authenticate it to principal, service.  If the password input is the NULL string, then krb_get_pw_in_tkt will prompt for a password on stdout and read the password from stdin.

Description

The krb_svc_init(3krb) routines are designed to obtain for the requesting principal a ticket to communicate with a specific service.  They require that the password/key of the requesting principal be either available as an argument, or available from the srvtab_file argument or from stdin. Since the krb_svc_init(3krb) routines always require a password, they are best used to obtain the ticket used to communicate with the ticket-granting service.  The ticket-granting ticket is used by the other Kerberos routines to obtain tickets to communicate with principals other than the ticket-granting service, without needing the key of the principal.

The krb_sendauth(3krb) routines as well as the kerberos(3krb) routines will not work as intended without the presence of a ticket-granting ticket.

The routines of krb_svc_init(3krb) are as follows:

krb_svc_init

For the principal with a primary name of user, an instance name of instance, and a realm name of realm, the krb_svc_init routine obtains a ticket that the principal can use to communicate with the ticket-granting service.  The key of the principal is read from srvtab_file and the ticket obtained is placed in tkt_file. 

If the realm argument is equivalent to the NULL string, then the realm of which the local host is a member is used by default.  If lifetime is equivalent to 0, then the default lifetime, 255, is used.  If srvtab_file is not equivalent to the NULL string, then the srvtab_file parameter is used as the service table (srvtab) file name and the default srvtab file is set equal to the srvtab_file parameter.  If srvtab_file is equivalent to NULL, then the default srvtab file is used.  If the tkt_file parameter is not equivalent to the NULL string, then the tkt_file parameter is used as the ticket file name and the default ticket file is set equal to the tkt_file parameter.  If the tkt_file parameter is NULL, then the default ticket file value is used.

krb_svc_init returns INT_OK if krb_svc_init has successfully obtained a ticket-granting ticket.  The following is a list of most of the error values returned from krb_svc_init and their possible causes:

KFAILURE
The /etc/krb.conf file (see krb.conf(5krb)) cannot be opened or it is not properly formed, or
The service table (srvtab) file does not exist, or
A read of the srvtab file failed, or
The srvtab file is badly formatted, or
The srvtab file did not contain the key of the principal with primary name, user, or
A write to the ticket file failed.

SKDC_CANT
A Kerberos server must be contacted so that krb_svc_init can perform its function, but the attempt cannot be made because a socket cannot be opened or bound, or there is no Kerberos server listed in /etc/krb.conf.

SKDC_RETRY
A Kerberos server needs to be contacted, but none responded even after several attempts.

INTK_PROT
Kerberos protocol version mismatch.  The version of the Kerberos protocol supported by krb_svc_init does not match the Kerberos protocol version supported by the kerberos(8krb) daemon.

INTK_BADPW
The ticket returned by the kerberos daemon did not decrypt correctly.  This is usually caused by an incorrect service password.

INTK_ERR
The ticket sent from the kerberos daemon was not a ticket to communicate with the ticket-granting service, or
The ticket file cannot be accessed, or
The ticket file could not be created, or
A write operation to the ticket file failed.

TKT_FIL_LCK
The ticket file could not be locked for access.
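
The following C example is added here and is not part of the original manual page or of the Kerberos library. It shows two checks a service can make before calling krb_svc_init: that the srvtab file holding its key is a private regular file, and that a requested duration is converted to five-minute units without accidentally passing 0 (which selects the default of 255). The names krb_lifetime_units, srvtab_is_private, service_login and the HAVE_KRB4 build flag are hypothetical.

```c
/* Added example: checks to run before krb_svc_init(); not the library's code. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* for lstat() */
#endif
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>

#define LIFETIME_MAX 255   /* page: values greater than 255 are set to 255 */

/* Minutes -> five-minute units for the lifetime argument. Rounds up, and
 * never returns 0, because krb_svc_init treats 0 as "use the default, 255". */
int krb_lifetime_units(long minutes)
{
    if (minutes <= 0)
        return 1;                       /* shortest ticket, not the longest */
    if (minutes >= 5L * LIFETIME_MAX)
        return LIFETIME_MAX;
    return (int)((minutes + 4) / 5);
}

/* 0 if path is a regular file owned by owner with no group/other access,
 * -1 otherwise. lstat() is used so that a symbolic link is rejected. */
int srvtab_is_private(const char *path, uid_t owner)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return -1;
    if (!S_ISREG(st.st_mode) || st.st_uid != owner)
        return -1;
    return (st.st_mode & (S_IRWXG | S_IRWXO)) ? -1 : 0;
}

#ifdef HAVE_KRB4   /* hypothetical build flag: set where <krb.h> is installed */
#include <krb.h>
#include <des.h>
/* Obtain the ticket-granting ticket for a service; returns krb_svc_init's
 * status (INT_OK on success per the page) or -1 if the srvtab is unsafe. */
int service_login(char *user, char *instance, char *realm,
                  char *srvtab_file, char *tkt_file, long minutes)
{
    if (srvtab_is_private(srvtab_file, geteuid()) != 0) {
        fprintf(stderr, "%s: not a private regular file\n", srvtab_file);
        return -1;
    }
    return krb_svc_init(user, instance, realm, krb_lifetime_units(minutes),
                        srvtab_file, tkt_file);
}
#endif
```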

krb_get_svc_in_tkt

For the principal with a primary name of user, an instance name of instance, and a realm name of realm, the krb_get_svc_in_tkt routine obtains a ticket to communicate with the principal that has a primary name of service and an instance name of service_instance.  The key of the requesting principal is read from the file srvtab_file and the tickets are placed in the default ticket file.  If the srvtab_file argument is equivalent to the NULL string, then the default srvtab file value is used instead of the srvtab_file parameter.  The default srvtab file value and default ticket file value can be changed respectively by krb_set_srvtab_string and krb_set_tkt_string. To obtain the ticket-granting ticket, the service parameter must be set equal to "krbtgt" and the service_instance argument must be set equal to the realm name of the local realm.

krb_get_svc_in_tkt returns INT_OK if krb_get_svc_in_tkt has successfully obtained a ticket to communicate with principal, service.  The following is a list of most of the error values returned from krb_get_svc_in_tkt and their possible causes:

KFAILURE
The /etc/krb.conf file cannot be opened or it is not properly formed, or
A read of the service table (srvtab) file failed, or
The srvtab file did not contain the key of the principal with primary name, user, or
A write to the ticket file failed.

SKDC_CANT
A Kerberos server must be contacted in order for krb_svc_init to perform its function, but the attempt cannot be made because a socket cannot be opened or bound, or there is no Kerberos server listed in /etc/krb.conf.

SKDC_RETRY
A Kerberos server needs to be contacted but none responded even after several attempts.

INTK_PROT
Kerberos protocol version mismatch.  The version of the Kerberos protocol supported by krb_get_svc_in_tkt does not match the Kerberos protocol version supported by the kerberos daemon.

INTK_BADPW
The ticket returned by the kerberos daemon did not decrypt correctly.  This is usually caused by an incorrect service password.

INTK_ERR
The ticket sent from the kerberos daemon was not a ticket to communicate with the ticket-granting service, or
The ticket file cannot be accessed, or
The ticket file could not be created, or
A write operation to the ticket file failed.

TKT_FIL_LCK
The ticket file could not be locked for access.

krb_get_pw_in_tkt

For the principal with a primary name of user, an instance name of instance, and a realm name of realm, the krb_get_pw_in_tkt routine obtains a ticket to communicate with the principal with a primary name of service and an instance name of service_instance.  The key of the principal must be input either as the password parameter or, if the password field is equivalent to the NULL string, the password must be input from stdin.

The tickets that are obtained are placed in the default ticket file.  The default ticket file can be changed by the krb_set_tkt_string function.  To obtain the ticket-granting ticket, the service parameter must be set equal to "krbtgt" and the service_instance argument must be set equal to the realm name of the local realm. 

krb_get_pw_in_tkt returns INT_OK if krb_get_pw_in_tkt has successfully obtained a ticket to communicate with principal, service.  The following is a list of most of the error values returned from krb_get_pw_in_tkt and their possible causes:

KFAILURE
The /etc/krb.conf file cannot be opened or it is not properly formed, or
A write to the ticket file failed.

SKDC_CANT
A Kerberos server must be contacted in order for krb_svc_init to perform its function but the attempt cannot be made because a socket cannot be opened or bound, or there is no Kerberos server listed in /etc/krb.conf.

SKDC_RETRY
A Kerberos server needs to be contacted but none responded even after several attempts.

INTK_PROT
Kerberos protocol version mismatch.  The version of the Kerberos protocol supported by krb_get_pw_in_tkt does not match the Kerberos protocol version supported by the kerberos daemon.

INTK_BADPW
The ticket returned by the kerberos daemon did not decrypt correctly.  This is usually caused by an incorrect user password.

INTK_ERR
The ticket sent from the kerberos daemon was not a ticket to communicate with the ticket-granting service, or
The ticket file cannot be accessed, or
The ticket file could not be created, or
A write operation to the ticket file failed.

TKT_FIL_LCK
The ticket file could not be locked for access.

See Also

krb_get_lrealm(3krb), krb_set_tkt_string(3krb), kerberos(3krb), krb_sendauth(3krb), kerberos(8krb)
