The krb5_verify_init_creds() function verifies the initial tickets against the local keytab to make sure the response from the KDC was not spoofed.
krb5_verify_init_creds() will use the principal ap_req_server from the local keytab. If NULL is passed in, the code will guess the local hostname and use that to form host/hostname@GUESSED-REALM-FOR-HOSTNAME.
creds is the credential that krb5_verify_init_creds() should verify. If ccache is given, krb5_verify_init_creds() stores all credentials it fetched from the KDC there; otherwise it will use a memory credential cache that is destroyed when done.
krb5_verify_init_creds_opt_init() clears the structure and must be used before trying to pass it in to krb5_verify_init_creds().
krb5_verify_init_creds_opt_set_ap_req_nofail() controls the behavior if ap_req_server doesn't exist in the local keytab or in the KDC's database; if it's true, the error will be ignored. Note that this use is possibly insecure.