KINIT(1) BSD General Commands Manual KINIT(1)
NAME
kinit -- acquire initial tickets
SYNOPSIS
kinit [--afslog] [-c cachename | --cache=cachename] [--canonicalize] [-f | --no-forwardable] [-t keytabname | --keytab=keytabname] [-l time |
--lifetime=time] [-p | --proxiable] [-R | --renew] [--renewable] [-r time | --renewable-life=time] [-S principal | --server=principal]
[-s time | --start-time=time] [-k | --use-keytab] [-v | --validate] [-e enctypes | --enctypes=enctypes] [-a addresses |
--extra-addresses=addresses] [--password-file=filename] [--fcache-version=version-number] [-A | --no-addresses] [--anonymous]
[--enterprise] [--version] [--help] [principal [command]]
DESCRIPTION
kinit is used to authenticate to the Kerberos server as principal, or if none is given, a system generated default (typically your login name
at the default realm), and acquire a ticket granting ticket that can later be used to obtain tickets for other services.
Supported options:
-c cachename --cache=cachename
The credentials cache to put the acquired ticket in, if other than default.
-canonicalize
ask the KDC canonicalize the client name and server name. Useful with enterprise names, PK-INIT, and LKDC realms when the user
doesn't know its real kerberos user name.
-f, --forwardable
Get ticket that can be forwarded to another host.
-t keytabname, --keytab=keytabname
-f --no-forwardable
Get ticket that can be forwarded to another host, or if the negative flags use, don't get a forwardable flag.
-t keytabname, --keytab=keytabname
Don't ask for a password, but instead get the key from the specified keytab.
-l time, --lifetime=time
Specifies the lifetime of the ticket. The argument can either be in seconds, or a more human readable string like '1h'.
-p, --proxiable
Request tickets with the proxiable flag set.
-R, --renew
Try to renew ticket. The ticket must have the 'renewable' flag set, and must not be expired.
--renewable
The same as --renewable-life, with an infinite time.
-r time, --renewable-life=time
The max renewable ticket life.
-S principal, --server=principal
Get a ticket for a service other than krbtgt/LOCAL.REALM.
-s time, --start-time=time
Obtain a ticket that starts to be valid time (which can really be a generic time specification, like '1h') seconds into the future.
-k, --use-keytab
The same as --keytab, but with the default keytab name (normally FILE:/etc/krb5.keytab).
-v, --validate
Try to validate an invalid ticket.
-e, --enctypes=enctypes
Request tickets with this particular enctype.
--password-file=filename
read the password from the first line of filename. If the filename is STDIN, the password will be read from the standard input.
--fcache-version=version-number
Create a credentials cache of version version-number.
-a, --extra-addresses=enctypes
Adds a set of addresses that will, in addition to the systems local addresses, be put in the ticket. This can be useful if all
addresses a client can use can't be automatically figured out. One such example is if the client is behind a firewall. Also set-
table via libdefaults/extra_addresses in krb5.conf(5).
-A, --no-addresses
Request a ticket with no addresses.
--anonymous
Request an anonymous ticket (which means that the ticket will be issued to an anonymous principal, typically ``anonymous@REALM'').
-V, --verbose
Print slightly more verbose output from kinit when successful.
--enterprise
Parse principal as a enterprise (KRB5-NT-ENTERPRISE) name. Enterprise names are email like principals that are stored in the name
part of the principal, and since there are two @ characters the parser needs to know that the first is not a realm. An example of an
enterprise name is ``lha@e.kth.se@KTH.SE'', and this option is usually used with canonicalize so that the principal returned from the
KDC will typically be the real principal name.
--afslog
Gets AFS tickets, converts them to version 4 format, and stores them in the kernel. Only useful if you have AFS.
The forwardable, proxiable, ticket_life, and renewable_life options can be set to a default value from the appdefaults section in krb5.conf,
see krb5_appdefault(3).
If a command is given, kinit will set up new credentials caches, and AFS PAG, and then run the given command. When it finishes the creden-
tials will be removed.
ENVIRONMENT
KRB5CCNAME
Specifies the default credentials cache.
KRB5_CONFIG
The file name of krb5.conf, the default being /etc/krb5.conf.
KRBTKFILE
Specifies the Kerberos 4 ticket file to store version 4 tickets in.
SEE ALSO
kdestroy(1), klist(1), krb5_appdefault(3), krb5.conf(5), ktutil(8)
HEIMDAL
April 25, 2006 HEIMDAL