Linux and UNIX Man Pages

Linux & Unix Commands - Search Man Pages

kinit(1) [osx man page]

KINIT(1)						    BSD General Commands Manual 						  KINIT(1)

NAME
kinit -- acquire initial tickets SYNOPSIS
kinit [--afslog] [-c cachename | --cache=cachename] [--canonicalize] [-f | --no-forwardable] [-t keytabname | --keytab=keytabname] [-l time | --lifetime=time] [-p | --proxiable] [-R | --renew] [--renewable] [-r time | --renewable-life=time] [-S principal | --server=principal] [-s time | --start-time=time] [-k | --use-keytab] [-v | --validate] [-e enctypes | --enctypes=enctypes] [-a addresses | --extra-addresses=addresses] [--password-file=filename] [--fcache-version=version-number] [-A | --no-addresses] [--anonymous] [--enterprise] [--version] [--help] [principal [command]] DESCRIPTION
kinit is used to authenticate to the Kerberos server as principal, or if none is given, a system generated default (typically your login name at the default realm), and acquire a ticket granting ticket that can later be used to obtain tickets for other services. Supported options: -c cachename --cache=cachename The credentials cache to put the acquired ticket in, if other than default. -canonicalize ask the KDC canonicalize the client name and server name. Useful with enterprise names, PK-INIT, and LKDC realms when the user doesn't know its real kerberos user name. -f, --forwardable Get ticket that can be forwarded to another host. -t keytabname, --keytab=keytabname -f --no-forwardable Get ticket that can be forwarded to another host, or if the negative flags use, don't get a forwardable flag. -t keytabname, --keytab=keytabname Don't ask for a password, but instead get the key from the specified keytab. -l time, --lifetime=time Specifies the lifetime of the ticket. The argument can either be in seconds, or a more human readable string like '1h'. -p, --proxiable Request tickets with the proxiable flag set. -R, --renew Try to renew ticket. The ticket must have the 'renewable' flag set, and must not be expired. --renewable The same as --renewable-life, with an infinite time. -r time, --renewable-life=time The max renewable ticket life. -S principal, --server=principal Get a ticket for a service other than krbtgt/LOCAL.REALM. -s time, --start-time=time Obtain a ticket that starts to be valid time (which can really be a generic time specification, like '1h') seconds into the future. -k, --use-keytab The same as --keytab, but with the default keytab name (normally FILE:/etc/krb5.keytab). -v, --validate Try to validate an invalid ticket. -e, --enctypes=enctypes Request tickets with this particular enctype. --password-file=filename read the password from the first line of filename. If the filename is STDIN, the password will be read from the standard input. --fcache-version=version-number Create a credentials cache of version version-number. -a, --extra-addresses=enctypes Adds a set of addresses that will, in addition to the systems local addresses, be put in the ticket. This can be useful if all addresses a client can use can't be automatically figured out. One such example is if the client is behind a firewall. Also set- table via libdefaults/extra_addresses in krb5.conf(5). -A, --no-addresses Request a ticket with no addresses. --anonymous Request an anonymous ticket (which means that the ticket will be issued to an anonymous principal, typically ``anonymous@REALM''). -V, --verbose Print slightly more verbose output from kinit when successful. --enterprise Parse principal as a enterprise (KRB5-NT-ENTERPRISE) name. Enterprise names are email like principals that are stored in the name part of the principal, and since there are two @ characters the parser needs to know that the first is not a realm. An example of an enterprise name is ``lha@e.kth.se@KTH.SE'', and this option is usually used with canonicalize so that the principal returned from the KDC will typically be the real principal name. --afslog Gets AFS tickets, converts them to version 4 format, and stores them in the kernel. Only useful if you have AFS. The forwardable, proxiable, ticket_life, and renewable_life options can be set to a default value from the appdefaults section in krb5.conf, see krb5_appdefault(3). If a command is given, kinit will set up new credentials caches, and AFS PAG, and then run the given command. When it finishes the creden- tials will be removed. ENVIRONMENT
KRB5CCNAME Specifies the default credentials cache. KRB5_CONFIG The file name of krb5.conf, the default being /etc/krb5.conf. KRBTKFILE Specifies the Kerberos 4 ticket file to store version 4 tickets in. SEE ALSO
kdestroy(1), klist(1), krb5_appdefault(3), krb5.conf(5), ktutil(8) HEIMDAL
April 25, 2006 HEIMDAL
Man Page