MIT Kerberos Documentation

krb5_verify_init_creds - Verify initial credentials against a keytab.

krb5_error_code krb5_verify_init_creds(krb5_context context, krb5_creds * creds, krb5_principal server_arg, krb5_keytab keytab_arg, krb5_ccache * ccache_arg, krb5_verify_init_creds_opt * options)

[in] context - Library context

[in] creds - Initial credentials to be verified

[in] server_arg - Server principal (or NULL)

[in] keytab_arg - Key table (NULL to use default keytab)

[inout] ccache_arg - Credential cache for fetched creds (or NULL)

[in] options - Verification options (NULL for default options)

  • 0 Success; otherwise - Kerberos error codes

This function attempts to verify that creds were obtained from a KDC with knowledge of a key in keytab_arg . If server_arg is provided, the highest-kvno key entry for that principal name is used to verify the credentials; otherwise, the highest-kvno key entry for the first principal listed in keytab_arg is used.

If the specified keytab does not exist, or is empty, or cannot be read, or does not contain an entry for server_arg , then credential verification may be skipped unless configuration demands that it succeed. The caller can control this behavior by providing a verification options structure; see krb5_verify_init_creds_opt_init() and krb5_verify_init_creds_opt_set_ap_req_nofail() .

If ccache_arg is NULL, any additional credentials fetched during the verification process will be destroyed. If ccache_arg points to NULL, a memory ccache will be created for the additional credentials and returned in ccache_arg . If ccache_arg points to a valid credential cache handle, the additional credentials will be stored in that cache.