NAME

       krb5_verify_init_creds_opt_init,  krb5_verify_init_creds_opt_set_ap_req_nofail,  krb5_verify_init_creds —
       verifies a credential cache is correct by using a local keytab

LIBRARY

       Kerberos 5 Library (libkrb5, -lkrb5)

SYNOPSIS

       #include <krb5.h>

       struct krb5_verify_init_creds_opt;

       void
       krb5_verify_init_creds_opt_init(krb5_verify_init_creds_opt *options);

       void
       krb5_verify_init_creds_opt_set_ap_req_nofail(krb5_verify_init_creds_opt *options, int ap_req_nofail);

       krb5_error_code
       krb5_verify_init_creds(krb5_context context,       krb5_creds *creds,       krb5_principal ap_req_server,
           krb5_ccache *ccache, krb5_verify_init_creds_opt *options);

DESCRIPTION

       The  krb5_verify_init_creds  function verifies the initial tickets with the local keytab to make sure the
       response of the KDC was spoof-ed.

       krb5_verify_init_creds will use principal ap_req_server from the local keytab, if NULL is passed in,  the
       code  will guess the local hostname and use that to form host/hostname/GUESSED-REALM-FOR-HOSTNAME.  creds
       is the credential that krb5_verify_init_creds should verify.  If ccache is given krb5_verify_init_creds()
       stores all credentials it fetched from the KDC there, otherwise it will use  a  memory  credential  cache
       that is destroyed when done.

       krb5_verify_init_creds_opt_init()  cleans  the the structure, must be used before trying to pass it in to
       krb5_verify_init_creds().

       krb5_verify_init_creds_opt_set_ap_req_nofail() controls controls the behavior  if  ap_req_server  doesn't
       exists  in the local keytab or in the KDC's database, if it's true, the error will be ignored.  Note that
       this use is possible insecure.

SEE ALSO

       krb5(3), krb5_get_init_creds(3), krb5_verify_user(3), krb5.conf(5)

HEIMDAL                                            May 1, 2006                         KRB5_VERIFY_INIT_CREDS(3)