#include <kerberosIV/krb.h> kuserok(kdata, localuser) AUTH_DAT *auth_data; char *localuser;
If there is no account for localuser on the local machine, authorization is not granted. If there is no authorization file, and the Kerberos principal described by auth_data translates to localuser (using krb_kntoln(3)), authorization is granted. If the authorization file can't be accessed, or the file is not owned by localuser, authorization is denied. Otherwise, the file is searched for a matching principal name, instance, and realm. If a match is found, authorization is granted, else authorization is denied.
The file entries are in the format:
name.instance@realmwith one entry per line.