krb5_kdc_verify_ticket -  Verify a PAC, possibly including ticket signature. 
=============================================================================

..

.. c:function:: krb5_error_code krb5_kdc_verify_ticket(krb5_context context, const krb5_enc_tkt_part * enc_tkt, krb5_const_principal server_princ, const krb5_keyblock * server, const krb5_keyblock * privsvr, krb5_pac * pac_out)

..


:param:

	          **[in]** **context** - Library context

	          **[in]** **enc_tkt** - Ticket enc-part, possibly containing a PAC

	          **[in]** **server_princ** - Canonicalized name of ticket server

	          **[in]** **server** - Key to validate server checksum (or NULL)

	          **[in]** **privsvr** - Key to validate KDC checksum (or NULL)

	          **[out]** **pac_out** - Verified PAC (NULL if no PAC included)


..


:retval:
         -   0   Success; otherwise - Kerberos error codes


..







If a PAC is present in *enc_tkt* , verify its signatures. If *privsvr* is not NULL and *server_princ* is not a krbtgt or kadmin/changepw service, require a ticket signature over *enc_tkt* in addition to the KDC signature. Place the verified PAC in *pac_out* . If an invalid PAC signature is found, return an error matching the Windows KDC protocol code for that condition as closely as possible.



If no PAC is present in *enc_tkt* , set *pac_out* to NULL and return successfully.










..






.. note::

	 This function does not validate the PAC_CLIENT_INFO buffer. If a specific value is expected, the caller can make a separate call to :c:func:`krb5_pac_verify_ext()` with a principal but no keys.
 


.. note::

	 New in 1.20
 

