Manual browser: kinit(1)

KINIT(1)

General Commands Manual

KINIT(1)

NAME

kinit — acquire initial tickets

SYNOPSIS

kinit

[--afslog] [-c cachename | --cache=cachename] [-f | --no-forwardable] [-t keytabname | --keytab=keytabname] [-l time | --lifetime=time] [-p | --proxiable] [-R | --renew] [--renewable] [-r time | --renewable-life=time] [-S principal | --server=principal] [-s time | --start-time=time] [-k | --use-keytab] [-v | --validate] [-e enctypes | --enctypes=enctypes] [-a addresses | --extra-addresses=addresses] [--password-file=filename] [--fcache-version=version-number] [-A | --no-addresses] [--anonymous] [--enterprise] [--version] [--help] [principal [command]]

DESCRIPTION

kinit is used to authenticate to the Kerberos server as principal, or if none is given, a system generated default (typically your login name at the default realm), and acquire a ticket granting ticket that can later be used to obtain tickets for other services.

Supported options:

-c cachename --cache=cachename: The credentials cache to put the acquired ticket in, if other than default.
-f --no-forwardable: Get ticket that can be forwarded to another host, or if the negative flags use, don't get a forwardable flag.
-t keytabname, --keytab=keytabname: Don't ask for a password, but instead get the key from the specified keytab.
-l time, --lifetime=time: Specifies the lifetime of the ticket. The argument can either be in seconds, or a more human readable string like ‘1h’.
-p, --proxiable: Request tickets with the proxiable flag set.
-R, --renew: Try to renew ticket. The ticket must have the ‘renewable’ flag set, and must not be expired.
--renewable: The same as --renewable-life, with an infinite time.
-r time, --renewable-life=time: The max renewable ticket life.
-S principal, --server=principal: Get a ticket for a service other than krbtgt/LOCAL.REALM.
-s time, --start-time=time: Obtain a ticket that starts to be valid time (which can really be a generic time specification, like ‘1h’) seconds into the future.
-k, --use-keytab: The same as --keytab, but with the default keytab name (normally FILE:/etc/krb5.keytab).
-v, --validate: Try to validate an invalid ticket.
-e, --enctypes=enctypes: Request tickets with this particular enctype.
--password-file=filename: read the password from the first line of filename. If the filename is STDIN, the password will be read from the standard input.
--fcache-version=version-number: Create a credentials cache of version version-number.
-a, --extra-addresses=enctypes: Adds a set of addresses that will, in addition to the systems local addresses, be put in the ticket. This can be useful if all addresses a client can use can't be automatically figured out. One such example is if the client is behind a firewall. Also settable via libdefaults/extra_addresses in krb5.conf(5).
-A, --no-addresses: Request a ticket with no addresses.
--anonymous: Request an anonymous ticket (which means that the ticket will be issued to an anonymous principal, typically “anonymous@REALM”).
--enterprise: Parse principal as a enterprise (KRB5-NT-ENTERPRISE) name. Enterprise names are email like principals that are stored in the name part of the principal, and since there are two @ characters the parser needs to know that the first is not a realm. An example of an enterprise name is “lha@e.kth.se@KTH.SE”, and this option is usually used with canonicalize so that the principal returned from the KDC will typically be the real principal name.
--afslog: Gets AFS tickets, converts them to version 4 format, and stores them in the kernel. Only useful if you have AFS.

The forwardable, proxiable, ticket_life, and renewable_life options can be set to a default value from the appdefaults section in krb5.conf, see krb5_appdefault(3).

If a command is given, kinit will set up new credentials caches, and AFS PAG, and then run the given command. When it finishes the credentials will be removed.

Manual browser: kinit(1)

NAME

SYNOPSIS

DESCRIPTION

ENVIRONMENT

SEE ALSO