NAME
kinit, kauth — acquire initial tickets
SYNOPSIS
kinit [-4 | --524init] [-9 | --524convert] [--afslog]
      [-c cachename | --cache=cachename] [-f | --forwardable]
      [-t keytabname | --keytab=keytabname] [-l time | --lifetime=time]
      [-p | --proxiable] [-R | --renew] [--renewable]
      [-r time | --renewable-life=time] [-S principal | --server=principal]
      [-s time | --start-time=time] [-k | --use-keytab] [-v | --validate]
      [-e enctypes | --enctypes=enctypes]
      [-a addresses | --extra-addresses=addresses]
      [--fcache-version=integer] [-A | --no-addresses] [--anonymous]
      [--version] [--help] [principal [command]]
DESCRIPTION
kinit is used to authenticate to the Kerberos server as principal, or if none is given, a system generated default (typically your login name at the default realm), and acquire a ticket granting ticket that can later be used to obtain tickets for other services.
If you have compiled kinit with Kerberos 4 support and you have a Kerberos 4 server, kinit will detect this and get you Kerberos 4 tickets.
Supported options:
-c cachename, --cache=cachename
- The credentials cache to put the acquired ticket in, if other than default.
-f, --forwardable
- Get a ticket that can be forwarded to another host.
-t keytabname, --keytab=keytabname
- Don't ask for a password, but instead get the key from the specified keytab.
-l time, --lifetime=time
- Specifies the lifetime of the ticket. The argument can either be in seconds, or a more human-readable string like ‘1h’.
-p, --proxiable
- Request tickets with the proxiable flag set.
-R, --renew
- Try to renew ticket. The ticket must have the ‘renewable’ flag set, and must not be expired.
--renewable
- The same as --renewable-life, with an infinite time.
-r time, --renewable-life=time
- The max renewable ticket life.
-S principal, --server=principal
- Get a ticket for a service other than krbtgt/LOCAL.REALM.
-s time, --start-time=time
- Obtain a ticket that becomes valid time seconds into the future (time can be a generic time specification, like ‘1h’).
-k, --use-keytab
- The same as --keytab, but with the default keytab name (normally FILE:/etc/kerberosV/krb5.keytab).
-v, --validate
- Try to validate an invalid ticket.
-e enctypes, --enctypes=enctypes
- Request tickets with this particular enctype.
--fcache-version=version
- Create a credentials cache of version version.
-a addresses, --extra-addresses=addresses
- Adds a set of addresses that will, in addition to the system's local addresses, be put in the ticket. This can be useful if all addresses a client can use can't be automatically figured out. One such example is if the client is behind a firewall. Also settable via libdefaults/extra_addresses in krb5.conf(5).
-A, --no-addresses
- Request a ticket with no addresses.
--anonymous
- Request an anonymous ticket (which means that the ticket will be issued to an anonymous principal, typically “anonymous@REALM”).
The following options are only available if kinit has been compiled with support for Kerberos 4.
-4, --524init
- Try to convert the obtained Kerberos 5 krbtgt to a version 4 compatible ticket. It will store this ticket in the default Kerberos 4 ticket file.
-9, --524convert
- Only convert ticket to version 4.
--afslog
- Gets AFS tickets, converts them to version 4 format, and stores them in the kernel. Only useful if you have AFS.
The forwardable, proxiable, ticket_life, and renewable_life options can be set to a default value from the appdefaults section in krb5.conf, see krb5_appdefault(3).
If a command is given, kinit will set up new credentials caches, and AFS PAG, and then run the given command. When it finishes the credentials will be removed.
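Several of the options above widen where, or for how long, a ticket can be used (forwardable, proxiable, no addresses, infinite renewable life, Kerberos 4 conversion), so they are worth checking for in scripts and cron jobs that call kinit. The following shell function is an added example, not part of kinit or of this manual; audit_kinit and finding are hypothetical names, and it assumes long options use the --name=value form from the SYNOPSIS and that short flags are not bundled.

```shell
#!/bin/sh
# Added example: audit_kinit and finding are hypothetical helper names.
# Assumes long options use the --name=value form shown in the SYNOPSIS and
# that short flags are not bundled (e.g. "-fA" is not parsed).

finding() {
    echo "$1"
    hits=$((hits + 1))
}

# Print one line per flagged option; return 0 only if nothing was flagged.
audit_kinit() {
    hits=0
    skip=0
    for arg in "$@"; do
        # Skip the value of a preceding option such as "-l 10m".
        if [ "$skip" -eq 1 ]; then
            skip=0
            continue
        fi
        case "$arg" in
            -f|--forwardable)  finding "forwardable: ticket can be forwarded to another host" ;;
            -p|--proxiable)    finding "proxiable: ticket has the proxiable flag set" ;;
            -A|--no-addresses) finding "no-addresses: ticket carries no addresses" ;;
            --renewable)       finding "renewable: infinite renewable life requested" ;;
            -4|--524init|-9|--524convert|--afslog)
                               finding "krb4: Kerberos 4 conversion requested ($arg)" ;;
            -c|-t|-l|-r|-S|-s|-e|-a) skip=1 ;;   # short options that take a value
            --)  break ;;                        # explicit end of options
            -*)  ;;                              # other options: nothing to report
            *)   break ;;                        # principal reached; the rest is [command]
        esac
    done
    [ "$hits" -eq 0 ]
}

# Constructed sample invocations (principals, paths and realm are made up).
audit_kinit -k -t /etc/app.keytab -l 10m --cache=FILE:/tmp/cc_job \
    app/host.example.org@EXAMPLE.ORG backup-job -f && echo "clean"
audit_kinit -f -A --renewable alice@EXAMPLE.ORG || echo "review needed"
```

Parsing stops at the principal, so arguments that belong to the optional command are not reported as kinit options.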
ENVIRONMENT
KRB5CCNAME
- Specifies the default credentials cache.
KRB5_CONFIG
- The file name of krb5.conf, the default being /etc/kerberosV/krb5.conf.
KRBTKFILE
- Specifies the Kerberos 4 ticket file to store version 4 tickets in.