| KINIT(1) | General Commands Manual | KINIT(1) |
NAME
kinit — acquire initial tickets
SYNOPSIS
kinit [--afslog] [-c cachename | --cache=cachename] [-f | --no-forwardable]
      [-t keytabname | --keytab=keytabname] [-l time | --lifetime=time]
      [-p | --proxiable] [-R | --renew] [--renewable]
      [-r time | --renewable-life=time] [-S principal | --server=principal]
      [-s time | --start-time=time] [-k | --use-keytab] [-v | --validate]
      [-e enctypes | --enctypes=enctypes]
      [-a addresses | --extra-addresses=addresses] [--password-file=filename]
      [--fcache-version=version-number] [-A | --no-addresses] [--anonymous]
      [--enterprise] [--version] [--help] [principal [command]]
DESCRIPTION
kinit is used to authenticate to the Kerberos
server as principal, or if none is given, a
system generated default (typically your login name at the default realm), and
acquire a ticket granting ticket that can later be used to obtain tickets for
other services.
Supported options:

-c cachename, --cache=cachename
    The credentials cache to put the acquired ticket in, if other than default.
-f, --forwardable
    Obtain a ticket that can be forwarded to another host.
-F, --no-forwardable
    Do not obtain a forwardable ticket.
-t keytabname, --keytab=keytabname
    Don't ask for a password, but instead get the key from the specified keytab.
-l time, --lifetime=time
    Specifies the lifetime of the ticket. The argument can either be in seconds, or a more human readable string like ‘1h’.
-p, --proxiable
    Request tickets with the proxiable flag set.
-R, --renew
    Try to renew the ticket. The ticket must have the ‘renewable’ flag set, and must not be expired.
--renewable
    The same as --renewable-life, with an infinite time.
-r time, --renewable-life=time
    The max renewable ticket life.
-S principal, --server=principal
    Get a ticket for a service other than krbtgt/LOCAL.REALM.
-s time, --start-time=time
    Obtain a ticket that starts to be valid time seconds into the future (time can really be a generic time specification, like ‘1h’).
-k, --use-keytab
    The same as --keytab, but with the default keytab name (normally FILE:/etc/krb5.keytab).
-v, --validate
    Try to validate an invalid ticket.
-e enctypes, --enctypes=enctypes
    Request tickets with this particular enctype.
--password-file=filename
    Read the password from the first line of filename. If the filename is STDIN, the password will be read from the standard input.
--fcache-version=version-number
    Create a credentials cache of version version-number.
-a addresses, --extra-addresses=addresses
    Adds a set of addresses that will, in addition to the system's local addresses, be put in the ticket. This can be useful if all addresses a client can use can't be automatically figured out. One such example is if the client is behind a firewall. Also settable via libdefaults/extra_addresses in krb5.conf(5).
-A, --no-addresses
    Request a ticket with no addresses.
--anonymous
    Request an anonymous ticket (which means that the ticket will be issued to an anonymous principal, typically “anonymous@REALM”).
--enterprise
    Parse principal as an enterprise (KRB5-NT-ENTERPRISE) name. Enterprise names are email-like principals that are stored in the name part of the principal, and since there are two @ characters the parser needs to know that the first is not a realm. An example of an enterprise name is “lha@e.kth.se@KTH.SE”, and this option is usually used with canonicalize so that the principal returned from the KDC will typically be the real principal name.
--afslog
    Gets AFS tickets, converts them to version 4 format, and stores them in the kernel. Only useful if you have AFS.
appdefaults section
in krb5.conf, see krb5_appdefault(3).
If a command is given,
kinit will set up new credentials caches,
and AFS PAG, and then run the given command. When it finishes the credentials
will be removed.
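
The command form combined with --keytab gives a service job a ticket that exists only for the duration of one command. The wrapper below is an added example, not part of the Heimdal distribution; the function names, the KINIT and TICKET_LIFETIME variables, the keytab permission check, the sample principal and the passing of extra arguments to the command are assumptions of this example.

```sh
#!/bin/sh
# Added example: run one command under a short-lived, non-forwardable
# ticket obtained from a keytab, using kinit's "principal command" form.

# Assumption: kinit is the Heimdal binary on PATH; KINIT may override it.
KINIT=${KINIT:-kinit}

# keytab_is_private FILE
# Succeeds only if FILE is a regular file with no group/other permission
# bits. A keytab holds long-term keys, so anyone who can read it can
# obtain tickets as the principal.
keytab_is_private() {
    [ -f "$1" ] || return 1
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld -- "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# run_with_ticket KEYTAB PRINCIPAL COMMAND [ARGS...]
# Returns 2 on bad usage, 3 if the keytab is exposed, else kinit's status.
run_with_ticket() {
    if [ "$#" -lt 3 ]; then
        echo "usage: run_with_ticket keytab principal command [args...]" >&2
        return 2
    fi
    keytab=$1
    principal=$2
    shift 2
    if ! keytab_is_private "$keytab"; then
        echo "refusing keytab accessible to group/other: $keytab" >&2
        return 3
    fi
    # --keytab:         take the key from the keytab, no password prompt
    # --no-forwardable: the ticket cannot be forwarded to another host
    # --lifetime:       keep the ticket short-lived (default here: 10m)
    # Because a command follows the principal, kinit sets up a new
    # credentials cache, runs the command, then removes the credentials.
    "$KINIT" --keytab="$keytab" --no-forwardable \
        --lifetime="${TICKET_LIFETIME:-10m}" "$principal" "$@"
}

# Constructed usage (hypothetical principal):
#   run_with_ticket /etc/krb5.keytab host/app.example.test@EXAMPLE.TEST klist
```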
ENVIRONMENT
KRB5CCNAME
    Specifies the default credentials cache.
KRB5_CONFIG
    The file name of krb5.conf, the default being /etc/krb5.conf.
KRBTKFILE
    Specifies the Kerberos 4 ticket file to store version 4 tickets in.
SEE ALSO
kdestroy(1), klist(1), krb5_appdefault(3), krb5.conf(5)
| April 25, 2006 | HEIMDAL |