krb5_kdc_verify_ticket - Verify a PAC, possibly including ticket signature.
krb5_error_code krb5_kdc_verify_ticket(krb5_context context, const krb5_enc_tkt_part * enc_tkt, krb5_const_principal server_princ, const krb5_keyblock * server, const krb5_keyblock * privsvr, krb5_pac * pac_out)
param:
- [in] context - Library context
- [in] enc_tkt - Ticket enc-part, possibly containing a PAC
- [in] server_princ - Canonicalized name of ticket server
- [in] server - Key to validate server checksum (or NULL)
- [in] privsvr - Key to validate KDC checksum (or NULL)
- [out] pac_out - Verified PAC (NULL if no PAC included)
retval: |
|
---|
If a PAC is present in enc_tkt, verify its signatures. If privsvr is not NULL and server_princ is not a krbtgt or kadmin/changepw service, require a ticket signature over enc_tkt in addition to the KDC signature. Place the verified PAC in pac_out. If an invalid PAC signature is found, return an error matching the Windows KDC protocol code for that condition as closely as possible.
If no PAC is present in enc_tkt, set pac_out to NULL and return successfully.
Note
This function does not validate the PAC_CLIENT_INFO buffer. If a specific value is expected, the caller can make a separate call to krb5_pac_verify_ext() with a principal but no keys.
Note
New in 1.20
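The signature rules described above, modelled as a self-contained C helper that reports which checks a given call would enforce (an added example, not code from the library or from this page). The flag names, `ticket_sig_exempt()`, `checks_enforced()` and the principal names are this example's own; it assumes that a NULL key skips the corresponding check, that a krbtgt principal is any two-component name whose first component is `krbtgt`, and that names contain no escaped separators.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Signature checks as bit flags (names are this example's, not the library's). */
enum { CHK_SERVER = 1, CHK_KDC = 2, CHK_TICKET = 4 };

/* Match "first/second@REALM" (realm optional) against expected components;
 * second == NULL accepts any single second component. Assumes no escaped
 * '/' or '@' in the name, which a real principal parser must handle. */
static bool name_is(const char *princ, const char *first, const char *second)
{
    size_t flen = strlen(first);
    size_t nlen = strcspn(princ, "@");      /* length without the realm */
    const char *rest;

    if (nlen <= flen + 1 || strncmp(princ, first, flen) != 0 || princ[flen] != '/')
        return false;
    rest = princ + flen + 1;
    nlen -= flen + 1;
    if (memchr(rest, '/', nlen) != NULL)    /* more than two components */
        return false;
    return second == NULL || (strlen(second) == nlen && strncmp(rest, second, nlen) == 0);
}

/* krbtgt and kadmin/changepw services are exempt from the ticket signature. */
bool ticket_sig_exempt(const char *server_princ)
{
    return name_is(server_princ, "krbtgt", NULL) ||
           name_is(server_princ, "kadmin", "changepw");
}

/* Which signatures a call would enforce, given which keys are non-NULL. */
int checks_enforced(const char *server_princ, bool have_server, bool have_privsvr)
{
    int c = (have_server ? CHK_SERVER : 0) | (have_privsvr ? CHK_KDC : 0);

    if (have_privsvr && !ticket_sig_exempt(server_princ))
        c |= CHK_TICKET;
    return c;
}

int main(void)
{
    /* Constructed principal names. */
    printf("%d\n", checks_enforced("host/www.example.com@EXAMPLE.COM", true, true));
    printf("%d\n", checks_enforced("krbtgt/EXAMPLE.COM@EXAMPLE.COM", true, true));
    return 0;
}
```

Under this model, a caller that passes NULL for privsvr gets neither the KDC signature nor the ticket signature checked, whatever the server principal is.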