NAME¶
kinit —
acquire initial tickets
SYNOPSIS¶
kinit |
[--afslog]
[-c cachename |
--cache=cachename]
[-f |
--no-forwardable]
[-t keytabname |
--keytab=keytabname]
[-l time |
--lifetime=time]
[-p |
--proxiable]
[-R |
--renew]
[--renewable]
[-r time |
--renewable-life=time]
[-S principal |
--server=principal]
[-s time |
--start-time=time]
[-k |
--use-keytab]
[-v |
--validate]
[-e enctypes |
--enctypes=enctypes]
[-a addresses |
--extra-addresses=addresses]
[--password-file=filename]
[--fcache-version=version-number]
[-A |
--no-addresses]
[--anonymous]
[--enterprise]
[--version]
[--help]
[principal
[command]] |
DESCRIPTION¶
kinit is used to authenticate to the Kerberos server as
principal, or if none is given, a system generated
default (typically your login name at the default realm), and acquire a ticket
granting ticket that can later be used to obtain tickets for other services.
Supported options:
- -c
cachename
--cache=cachename
- The credentials cache to put the acquired ticket in, if
other than default.
- -f
--no-forwardable
- Get ticket that can be forwarded to another host, or if the
negative flags use, don't get a forwardable flag.
- -t
keytabname,
--keytab=keytabname
- Don't ask for a password, but instead get the key from the
specified keytab.
- -l
time,
--lifetime=time
- Specifies the lifetime of the ticket. The argument can
either be in seconds, or a more human readable string like
‘1h’.
- -p,
--proxiable
- Request tickets with the proxiable flag set.
- -R,
--renew
- Try to renew ticket. The ticket must have the
‘renewable’ flag set, and must not be expired.
- --renewable
- The same as
--renewable-life, with an infinite
time.
- -r
time,
--renewable-life=time
- The max renewable ticket life.
- -S
principal,
--server=principal
- Get a ticket for a service other than
krbtgt/LOCAL.REALM.
- -s
time,
--start-time=time
- Obtain a ticket that starts to be valid
time (which can really be a generic time
specification, like ‘1h’) seconds into the future.
- -k,
--use-keytab
- The same as --keytab,
but with the default keytab name (normally
FILE:/etc/krb5.keytab).
- -v,
--validate
- Try to validate an invalid ticket.
- -e,
--enctypes=enctypes
- Request tickets with this particular enctype.
- --password-file=filename
- read the password from the first line of
filename. If the filename is
STDIN, the password will be read from the standard
input.
- --fcache-version=version-number
- Create a credentials cache of version
version-number.
- -a,
--extra-addresses=enctypes
- Adds a set of addresses that will, in addition to the
systems local addresses, be put in the ticket. This can be useful if all
addresses a client can use can't be automatically figured out. One such
example is if the client is behind a firewall. Also settable via
libdefaults/extra_addresses
in
krb5.conf(5).
- -A,
--no-addresses
- Request a ticket with no addresses.
- --anonymous
- Request an anonymous ticket (which means that the ticket
will be issued to an anonymous principal, typically
“anonymous@REALM”).
- --enterprise
- Parse principal as a enterprise (KRB5-NT-ENTERPRISE) name.
Enterprise names are email like principals that are stored in the name
part of the principal, and since there are two @ characters the parser
needs to know that the first is not a realm. An example of an enterprise
name is “lha@e.kth.se@KTH.SE”, and this option is usually used
with canonicalize so that the principal returned from the KDC will
typically be the real principal name.
- --afslog
- Gets AFS tickets, converts them to version 4 format, and
stores them in the kernel. Only useful if you have AFS.
The
forwardable,
proxiable,
ticket_life, and
renewable_life
options can be set to a default value from the
appdefaults
section in krb5.conf, see
krb5_appdefault(3).
If a
command is given,
kinit will set up
new credentials caches, and AFS PAG, and then run the given command. When it
finishes the credentials will be removed.
ENVIRONMENT¶
KRB5CCNAME
- Specifies the default credentials cache.
KRB5_CONFIG
- The file name of krb5.conf, the default
being /etc/krb5.conf.
KRBTKFILE
- Specifies the Kerberos 4 ticket file to store version 4
tickets in.
SEE ALSO¶
kdestroy(1),
klist(1),
krb5_appdefault(3),
krb5.conf(5)