Checking renewability of TGT programmatically
Greg Hudson
ghudson at MIT.EDU
Thu May 2 12:13:15 EDT 2013
On 05/02/2013 09:51 AM, Arpit Srivastava wrote:
> I am using GSS API with Kerberos as underlying implementation. I am
> fetching a TGT from AD, and I need to check whether the ticket is
> renewable or not either preferably using some GSS API method (or some
> native method).
If possible, I would suggest using the k5start program:
http://www.eyrie.org/~eagle/software/kstart/k5start.html
GSSAPI does not have any facilities for this. If you need to write your
own code, you will likely need to use these functions:
* krb5_init_context
* krb5_cc_default
* krb5_cc_start_seq_get
* krb5_cc_next_cred
* krb5_cc_end_seq_get
Within each krb5_creds structure produced by krb5_cc_next_cred, the
server field can be used to check if the credential is a TGT, and the
times field indicates the ticket expiration and renew-until timestamps.
You can find per-function documentation in the krb5.h header file, if
it's from release 1.10 or later, or here:
http://web.mit.edu/kerberos/krb5-latest/doc/appdev/refs/api/index.html