1KINIT(1)                  BSD General Commands Manual                 KINIT(1)
2

NAME

4     kinit — acquire initial tickets
5

SYNOPSIS

7     kinit [--afslog] [-c cachename | --cache=cachename] [-f | --forwardable]
8           [-F | --no-forwardable] [-t keytabname | --keytab=keytabname] [-l
9           time | --lifetime=time] [-p | --proxiable] [-R | --renew]
10           [--renewable] [-r time | --renewable-life=time] [-S principal |
11           --server=principal] [-s time | --start-time=time]
12           [-k | --use-keytab] [-v | --validate] [-e enctypes |
13           --enctypes=enctypes] [-a addresses | --extra-addresses=addresses]
14           [--password-file=filename] [--fcache-version=version-number]
15           [-A | --no-addresses] [-n | --anonymous] [--enterprise] [--version]
16           [--help] [principal [command]]
17

DESCRIPTION

19     kinit is used to authenticate to the Kerberos server as principal, or if
20     none is given, a system generated default (typically your login name at
21     the default realm), and acquire a ticket granting ticket that can later
22     be used to obtain tickets for other services.
23
24     Supported options:
25
26     -c cachename --cache=cachename
27             The credentials cache to put the acquired ticket in, if other
28             than default.
29
30     -f --forwardable
31             Obtain a ticket than can be forwarded to another host.
32
33     -F --no-forwardable
34             Do not obtain a forwardable ticket.
35
36     -t keytabname, --keytab=keytabname
37             Don't ask for a password, but instead get the key from the speci‐
38             fied keytab.
39
40     -l time, --lifetime=time
41             Specifies the lifetime of the ticket.  The argument can either be
42             in seconds, or a more human readable string like ‘1h’.
43
44     -p, --proxiable
45             Request tickets with the proxiable flag set.
46
47     -R, --renew
48             Try to renew ticket.  The ticket must have the ‘renewable’ flag
49             set, and must not be expired.
50
51     --renewable
52             The same as --renewable-life, with an infinite time.
53
54     -r time, --renewable-life=time
55             The max renewable ticket life.
56
57     -S principal, --server=principal
58             Get a ticket for a service other than krbtgt/LOCAL.REALM.
59
60     -s time, --start-time=time
61             Obtain a ticket that starts to be valid time (which can really be
62             a generic time specification, like ‘1h’) seconds into the future.
63
64     -k, --use-keytab
65             The same as --keytab, but with the default keytab name (normally
66             FILE:/etc/krb5.keytab).
67
68     -v, --validate
69             Try to validate an invalid ticket.
70
71     -e, --enctypes=enctypes
72             Request tickets with this particular enctype.
73
74     --password-file=filename
75             read the password from the first line of filename.  If the
76             filename is STDIN, the password will be read from the standard
77             input.
78
79     --fcache-version=version-number
80             Create a credentials cache of version version-number.
81
82     -a, --extra-addresses=enctypes
83             Adds a set of addresses that will, in addition to the systems lo‐
84             cal addresses, be put in the ticket.  This can be useful if all
85             addresses a client can use can't be automatically figured out.
86             One such example is if the client is behind a firewall.  Also
87             settable via libdefaults/extra_addresses in krb5.conf(5).
88
89     -A, --no-addresses
90             Request a ticket with no addresses.
91
92     -n, --anonymous
93             Request an anonymous ticket.  With the default (false) setting of
94             the historical_anon_pkinit configuration parameter, if the prin‐
95             cipal is specified as @REALM, then anonymous PKINIT will be used
96             to acquire an unauthenticated anonymous ticket and both the
97             client name and (with fully RFC-comformant KDCs) realm in the re‐
98             turned ticket will be anonymized.  Otherwise, authentication pro‐
99             ceeds as normal and the anonymous ticket will have only the
100             client name anonymized.  With historical_anon_pkinit set to true,
101             the principal is interpreted as a realm even without an at-sign
102             prefix, and it is not possible to obtain authenticated anonymized
103             tickets.
104
105     --enterprise
106             Parse principal as a enterprise (KRB5-NT-ENTERPRISE) name. Enter‐
107             prise names are email like principals that are stored in the name
108             part of the principal, and since there are two @ characters the
109             parser needs to know that the first is not a realm.  An example
110             of an enterprise name is “lha@e.kth.se@KTH.SE”, and this option
111             is usually used with canonicalize so that the principal returned
112             from the KDC will typically be the real principal name.
113
114     --afslog
115             Gets AFS tickets, converts them to version 4 format, and stores
116             them in the kernel.  Only useful if you have AFS.
117
118     The forwardable, proxiable, ticket_life, and renewable_life options can
119     be set to a default value from the appdefaults section in krb5.conf, see
120     krb5_appdefault(3).
121
122     If  a command is given, kinit will set up new credentials caches, and AFS
123     PAG, and then run the given command.  When it finishes the credentials
124     will be removed.
125

ENVIRONMENT

127     KRB5CCNAME
128             Specifies the default credentials cache.
129
130     KRB5_CONFIG
131             The file name of krb5.conf, the default being /etc/krb5.conf.
132

SEE ALSO

134     kdestroy(1), klist(1), krb5_appdefault(3), krb5.conf(5)
135
136HEIMDAL                         April 25, 2006                         HEIMDAL
Impressum