package krb
Sources
sha256=353675621e4c5a888f2483dc1bb7281bd17ce4ed7dfd2f40142257f98db7c77d
Module Krb_internal_public.Credentials
krb5_creds
A ticket that allows one to connect as a particular client principal to a particular server principal for a given time using a particular session key whenever encryption is needed for client/server communication.
val create :
?ticket:string ->
?second_ticket:string ->
client:Principal.t ->
server:Principal.t ->
unit ->
t Async.Deferred.Or_error.t
From RFC 4120, a ticket is:
"A record that helps a client authenticate itself to a server; it contains the client's identity, a session key, a timestamp, and other information, all sealed using the server's secret key. It only serves to authenticate a client when presented along with a fresh Authenticator."
Ultimately, it's some bytes that are used in authentication and come from a ticket request to the KDC.
The odd thing about this type is that it is used both to represent a request for credentials (no tickets specified) and to hold the retrieved credentials (contains a ticket).
As for second_ticket, it's a special ticket that is used in user-to-user authentication. It is set to the TGT of the server when requesting credentials from the KDC.
You should only need to use this function if you're doing something low-level manually.
val of_password :
?options:Get_init_creds_opts.t ->
?tkt_service:string ->
Principal.t ->
string ->
t Async.Deferred.Or_error.t
of_password and of_keytab request tickets from the KDC.
options is used to override default lifetimes and flags for the returned ticket.
tkt_service specifies what ticket to acquire. If not specified, it defaults to the KDC's ticket granting service (i.e. the returned ticket is a TGT).
principal is the requesting principal.
val of_keytab :
?options:Get_init_creds_opts.t ->
?tkt_service:string ->
Principal.t ->
Keytab.t ->
t Async.Deferred.Or_error.t
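The following example is added here and is not code from the krb library or its authors: it shows how tkt_service selects between a TGT (the default) and a direct service ticket, using either of_password or of_keytab. The secret type and the acquire and tgt_and_service_ticket helpers are hypothetical names, and the module paths Krb_internal_public.Principal and Krb_internal_public.Keytab are assumed from the signatures above.

```ocaml
open Core
open Async

(* Module paths assumed from the signatures on this page. *)
module Credentials = Krb_internal_public.Credentials
module Keytab = Krb_internal_public.Keytab
module Principal = Krb_internal_public.Principal

(* Hypothetical helper type, not part of krb: the source of the long-term key. *)
type secret =
  | From_keytab of Keytab.t
  | From_password of string

(* Hypothetical helper: ask the KDC for credentials for [principal].
   Without [tkt_service] the result is a TGT; with it, the KDC is asked for
   that service's ticket directly. *)
let acquire ?tkt_service (principal : Principal.t) secret
  : Credentials.t Deferred.Or_error.t
  =
  let request =
    match secret with
    | From_keytab keytab -> Credentials.of_keytab ?tkt_service principal keytab
    | From_password password ->
      Credentials.of_password ?tkt_service principal password
  in
  (* Tag a failure with what was requested, never with the secret. *)
  let wanted = Option.value tkt_service ~default:"the default TGT" in
  Deferred.Or_error.tag request ~tag:("KDC request failed for " ^ wanted)

(* Hypothetical helper: fetch a TGT and a ticket for [service] with the same
   secret, stopping at the first error. *)
let tgt_and_service_ticket principal secret ~service =
  Deferred.Or_error.bind (acquire principal secret) ~f:(fun tgt ->
    Deferred.Or_error.map
      (acquire ~tkt_service:service principal secret)
      ~f:(fun service_ticket -> tgt, service_ticket))
```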
check_password principal ~password checks with the KDC that principal's password is password.
is_skey t iff the server should decrypt the ticket with the session key of its TGT (user-to-user)
valid until this time
the session key