KINIT(1) | General Commands Manual | KINIT(1) |
NAME
kinit — acquire initial tickets
SYNOPSIS
kinit [--afslog]
      [-c cachename | --cache=cachename]
      [-f | --forwardable]
      [-F | --no-forwardable]
      [-t keytabname | --keytab=keytabname]
      [-l time | --lifetime=time]
      [-p | --proxiable]
      [-R | --renew]
      [--renewable]
      [-r time | --renewable-life=time]
      [-S principal | --server=principal]
      [-s time | --start-time=time]
      [-k | --use-keytab]
      [-v | --validate]
      [-e enctypes | --enctypes=enctypes]
      [-a addresses | --extra-addresses=addresses]
      [--password-file=filename]
      [--fcache-version=version-number]
      [-A | --no-addresses]
      [--anonymous]
      [--enterprise]
      [--version]
      [--help]
      [principal [command]]
DESCRIPTION
kinit is used to authenticate to the Kerberos server as principal, or if none is given, a system generated default (typically your login name at the default realm), and acquire a ticket granting ticket that can later be used to obtain tickets for other services.
Supported options:

-c cachename, --cache=cachename
    The credentials cache to put the acquired ticket in, if other than default.
-f, --forwardable
    Obtain a ticket that can be forwarded to another host.
-F, --no-forwardable
    Do not obtain a forwardable ticket.
-t keytabname, --keytab=keytabname
    Don't ask for a password, but instead get the key from the specified keytab.
-l time, --lifetime=time
    Specifies the lifetime of the ticket. The argument can either be in seconds, or a more human readable string like ‘1h’.
-p, --proxiable
    Request tickets with the proxiable flag set.
-R, --renew
    Try to renew ticket. The ticket must have the ‘renewable’ flag set, and must not be expired.
--renewable
    The same as --renewable-life, with an infinite time.
-r time, --renewable-life=time
    The max renewable ticket life.
-S principal, --server=principal
    Get a ticket for a service other than krbtgt/LOCAL.REALM.
-s time, --start-time=time
    Obtain a ticket that starts to be valid time (which can really be a generic time specification, like ‘1h’) seconds into the future.
-k, --use-keytab
    The same as --keytab, but with the default keytab name (normally FILE:/etc/krb5.keytab).
-v, --validate
    Try to validate an invalid ticket.
-e enctypes, --enctypes=enctypes
    Request tickets with this particular enctype.
--password-file=filename
    Read the password from the first line of filename. If the filename is STDIN, the password will be read from the standard input.
--fcache-version=version-number
    Create a credentials cache of version version-number.
-a addresses, --extra-addresses=addresses
    Adds a set of addresses that will, in addition to the system's local addresses, be put in the ticket. This can be useful if all addresses a client can use can't be automatically figured out. One such example is if the client is behind a firewall. Also settable via libdefaults/extra_addresses in krb5.conf(5).
-A, --no-addresses
    Request a ticket with no addresses.
--anonymous
    Request an anonymous ticket (which means that the ticket will be issued to an anonymous principal, typically “anonymous@REALM”).
--enterprise
    Parse principal as an enterprise (KRB5-NT-ENTERPRISE) name. Enterprise names are email-like principals that are stored in the name part of the principal, and since there are two @ characters the parser needs to know that the first is not a realm. An example of an enterprise name is “lha@e.kth.se@KTH.SE”, and this option is usually used with canonicalize so that the principal returned from the KDC will typically be the real principal name.
--afslog
    Gets AFS tickets, converts them to version 4 format, and stores them in the kernel. Only useful if you have AFS.

The forwardable, proxiable, ticket_life, and renewable_life options can be set to a default value from the appdefaults section in krb5.conf, see krb5_appdefault(3).

If a command is given, kinit will set up new credentials caches, and AFS PAG, and then run the given command. When it finishes the credentials will be removed.
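
The keytab and command forms described above, combined in an added example that is not part of the Heimdal man page: a POSIX sh wrapper that refuses a keytab readable by group or others, then runs one command under a short-lived, non-forwardable ticket. The function names, the KINIT_JOB_LIFETIME variable, the 600-second default and the sample principal and paths are assumptions of this example, as is passing the command's arguments through after the command.

```shell
#!/bin/sh
# Added example, not part of the Heimdal distribution. Function names,
# KINIT_JOB_LIFETIME and the 600 s default are assumptions of this example.

# keytab_is_private FILE
# Succeeds only if FILE is a regular file (not a symlink) whose mode grants
# nothing to group or others and that carries no extra ACL entries.
keytab_is_private() {
    if [ ! -f "$1" ] || [ -L "$1" ]; then
        return 1
    fi
    mode=$(ls -ld -- "$1") || return 1
    case "$mode" in
        -???------+*) return 1 ;;   # "+" after the mode: ACL entries present
        -???------*)  return 0 ;;   # e.g. -rw------- or -r--------
        *)            return 1 ;;   # any group/other bit set
    esac
}

# kinit_job KEYTAB PRINCIPAL COMMAND [ARG...]
# Gets a ticket from KEYTAB (--keytab, so no password prompt), asks for a
# non-forwardable ticket with a short lifetime in seconds, and lets kinit run
# COMMAND. Per the man page, kinit sets up new credentials caches for the
# command and removes the credentials when it finishes, so no kdestroy is
# needed here. Passing ARG... through after COMMAND is an assumption.
kinit_job() {
    if [ "$#" -lt 3 ]; then
        echo "usage: kinit_job keytab principal command [arg...]" >&2
        return 2
    fi
    kt=$1
    princ=$2
    shift 2
    if ! keytab_is_private "$kt"; then
        echo "kinit_job: refusing $kt: not a private regular file" >&2
        return 1
    fi
    kinit --keytab="$kt" --no-forwardable \
          --lifetime="${KINIT_JOB_LIFETIME:-600}" \
          "$princ" "$@"
}

# Constructed usage (principal and paths are placeholders):
#   kinit_job /etc/krb5.keytab host/app.example.com@EXAMPLE.COM /usr/local/bin/sync-job
```

The forwardable and ticket_life defaults from appdefaults in krb5.conf still apply to plain kinit calls; the wrapper only overrides them for the one job it runs.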
ENVIRONMENT
KRB5CCNAME
    Specifies the default credentials cache.
KRB5_CONFIG
    The file name of krb5.conf, the default being /etc/krb5.conf.
SEE ALSO
kdestroy(1), klist(1), krb5_appdefault(3), krb5.conf(5)

April 25, 2006 | HEIMDAL |