Checking renewability of TGT programatically

Greg Hudson ghudson at MIT.EDU
Thu May 2 12:13:15 EDT 2013

On 05/02/2013 09:51 AM, Arpit Srivastava wrote:
> I am using GSS API with Kerberos as underlying implementation. I am
> fetching a TGT from AD, and I need to check whether the ticket is is
> renewable or not either preferably using some GSS API method (or some
> native method).

If possible, I would suggest using the k5start program:

GSSAPI does not have any facilities for this.  If you need to write your
own code, you will likely need to use these functions:

* krb5_init_context
* krb5_cc_default
* krb5_cc_start_seq_get
* krb5_cc_next_cred
* krb5_cc_end_seq_get

Within each krb5_creds structure produced by krb5_cc_next_cred, the
server field can be used to check if the credential is a TGT, and the
times field indicates the ticket expiration and renew-until timestamps.

You can find per-function documentation in the krb5.h header file, if
it's from release 1.10 or later, or here:

More information about the krbdev mailing list