Checking if Kerberos tickets exist in cache

I have written some C code to connect to a Kerberized LDAP server. This all works fine, but at present, it currently generates a new TGT every time it connects, rather than using the one (assuming it already exists) in the default credentials cache.

I have looked into using the likes of krb5_cc_resolve and krb5_initialize to get a reference to the cache, but this seems to destroy the cache if it already exists, along with any tickets it holds.

Basically, what I want to know is: is there any way of checking the default credentials cache for existing TGTs without destroying it?


krb5_cc_initialize clears the cache, as the documentation says. Just don't do that if you want to access an existing cache.

From the docs:

Any existing credentials are discarded and the principal name for the cache is set to the value specified


Look in the code for kstart where it implements the -H option.

http://git.eyrie.org/?p=kerberos/kstart.git;a=blob;f=framework.c;h=66e851413a9b4d71fa4d61ded2f3c0d71cd03b0c;hb=HEAD

Basically, you need to check the expire time for the principal in the ticket.

    /* Obtain the ticket. */
    memset(&increds, 0, sizeof(increds));
    code = krb5_cc_resolve(ctx, config->cache, &ccache);
    if (code != 0)
        goto done;
    /* Use the configured client principal, else the cache's own principal. */
    if (config->client != NULL)
        increds.client = config->client;
    else {
        code = krb5_cc_get_principal(ctx, ccache, &increds.client);
        if (code != 0)
            goto done;
    }
    code = get_krbtgt_princ(ctx, increds.client, &increds.server);
    if (code != 0)
        goto done;
    code = krb5_get_credentials(ctx, 0, ccache, &increds, &outcreds);
    if (code != 0)
        goto done;
    increds_valid = true;

    /* Check the expiration time and renewal limit. */
    if (code == 0) {
        now = time(NULL);
        then = outcreds->times.endtime;
        if (config->happy_ticket > 0)
            offset = 60 * config->happy_ticket;
        else
            offset = 60 * config->keep_ticket + EXPIRE_FUDGE;
        /* Treat a ticket that expires within the offset as already expired. */
        if (then < now + offset)
            code = KRB5KRB_AP_ERR_TKT_EXPIRED;
    }
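
The two answers combined, as an added example that is not part of the original posts or of kstart: a read-only check of the default credentials cache for a TGT with enough lifetime left. It assumes MIT krb5; `cached_tgt_check`, `tgt_usable` and the `WITH_KRB5` build flag are names made up for this example.

```c
/* Added example, not kstart's code. Assumes MIT krb5.
 * Build: cc -DWITH_KRB5 tgt_check.c -lkrb5  (WITH_KRB5 is this example's own flag) */
#include <stdbool.h>
#include <time.h>

/* Same test as the kstart excerpt: usable if at least min_left seconds remain. */
bool tgt_usable(time_t endtime, time_t now, long min_left)
{
    return difftime(endtime, now) >= (double)min_left;
}

#ifdef WITH_KRB5
#include <krb5.h>
#include <stdint.h>
#include <string.h>

/* Returns 0 if the default cache holds a TGT with min_left seconds to run.
 * Only reads the cache: no krb5_cc_initialize, no request to the KDC. */
krb5_error_code cached_tgt_check(krb5_context ctx, long min_left)
{
    krb5_ccache cc = NULL;
    krb5_creds in, *out = NULL;
    krb5_error_code code;

    memset(&in, 0, sizeof(in));
    code = krb5_cc_default(ctx, &cc);
    if (code != 0)
        return code;
    code = krb5_cc_get_principal(ctx, cc, &in.client);
    if (code == 0) {
        const krb5_data *r = &in.client->realm;
        /* krbtgt/REALM@REALM is the TGT's service principal. */
        code = krb5_build_principal_ext(ctx, &in.server, r->length, r->data,
                                        KRB5_TGS_NAME_SIZE, KRB5_TGS_NAME,
                                        r->length, r->data, 0);
    }
    if (code == 0)   /* KRB5_GC_CACHED: answer from the cache or fail */
        code = krb5_get_credentials(ctx, KRB5_GC_CACHED, cc, &in, &out);
    /* MIT stores endtime as a 32-bit krb5_timestamp. */
    if (code == 0 && !tgt_usable((time_t)(uint32_t)out->times.endtime,
                                 time(NULL), min_left))
        code = KRB5KRB_AP_ERR_TKT_EXPIRED;

    if (out != NULL)
        krb5_free_creds(ctx, out);
    krb5_free_cred_contents(ctx, &in);   /* frees in.client and in.server */
    krb5_cc_close(ctx, cc);
    return code;
}
#endif
```

A nonzero return (missing cache file, no TGT in the cache, or too little lifetime left) is the signal to fall back to obtaining a new TGT.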