<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<meta http-equiv="Content-Type"
content="text/html; charset=Windows-1252">
<title>KINIT Command</title>
<body bgcolor="#ffffff" text="#000000">
<object type="application/x-oleobject"
classid="clsid:1e2a7bd0-dab9-11d0-b93a-00c04fc99f9e"> <param
name="Keyword" value="kinit, man">
<p><h2><a name="id_help_kinit"></a>KINIT Command</h2></p>
<p>(from UNIX man page)</p>
<pre><code>User Commands                                              KINIT(1)

NAME
     kinit - obtain and cache Kerberos ticket-granting ticket

SYNOPSIS
     kinit [-5] [-4] [-V] [-l lifetime] [-s start_time]
           [-r renewable_life] [-p | -P] [-f | -F] [-A] [-v] [-R]
           [-k [-t keytab_file]] [-c cache_name] [-S service_name]
           [principal]

DESCRIPTION
     kinit obtains and caches an initial ticket-granting ticket
     for principal. The typical default behavior is to acquire only
     Kerberos 5 tickets. However, if kinit was built with both
     Kerberos 4 support and with the default behavior of acquiring
     both types of tickets, it will try to acquire both Kerberos 5
     and Kerberos 4 by default. Any documentation particular to
     Kerberos 4 does not apply if Kerberos 4 support was not built
     into kinit.

OPTIONS
     -5   get Kerberos 5 tickets. This overrides whatever the
          default built-in behavior may be. This option may be
          used with -4.

     -4   get Kerberos 4 tickets. This overrides whatever the
          default built-in behavior may be. This option is only
          available if kinit was built with Kerberos 4
          compatibility. This option may be used with -5.

     -V   display verbose output.

     -l lifetime
          requests a ticket with the lifetime lifetime. The
          value for lifetime must be followed immediately by one
          of the following delimiters:

             s  seconds
             m  minutes
             h  hours
             d  days

          as in "kinit -l 90m". You cannot mix units; a value of
          `3h30m' will result in an error.

          If the -l option is not specified, the default ticket
          lifetime (configured by each site) is used. Specifying
          a ticket lifetime longer than the maximum ticket
          lifetime (configured by each site) results in a ticket
          with the maximum lifetime.

     -s start_time
          requests a postdated ticket, valid starting at
          start_time. Postdated tickets are issued with the
          invalid flag set, and need to be fed back to the kdc
          before use. (Not applicable to Kerberos 4.)

     -r renewable_life
          requests renewable tickets, with a total lifetime of
          renewable_life. The duration is in the same format as
          the -l option, with the same delimiters. (Not
          applicable to Kerberos 4.)

     -f   request forwardable tickets. (Not applicable to
          Kerberos 4.)

     -F   do not request forwardable tickets. (Not applicable to
          Kerberos 4.)

     -p   request proxiable tickets. (Not applicable to Kerberos
          4.)

     -P   do not request proxiable tickets. (Not applicable to
          Kerberos 4.)

     -A   request address-less tickets. (Not applicable to
          Kerberos 4.)

     -v   requests that the ticket granting ticket in the cache
          (with the invalid flag set) be passed to the kdc for
          validation. If the ticket is within its requested time
          range, the cache is replaced with the validated ticket.
          (Not applicable to Kerberos 4.)

     -R   requests renewal of the ticket-granting ticket. Note
          that an expired ticket cannot be renewed, even if the
          ticket is still within its renewable life. When using
          this option with Kerberos 4, the kdc must support
          Kerberos 5 to Kerberos 4 ticket conversion.

     -k [-t keytab_file]
          requests a host ticket, obtained from a key in the
          local host's keytab file. The name and location of the
          keytab file may be specified with the -t keytab_file
          option; otherwise the default name and location will be
          used. When using this option with Kerberos 4, the kdc
          must support Kerberos 5 to Kerberos 4 ticket
          conversion.

     -c cache_name
          use cache_name as the Kerberos 5 credentials (ticket)
          cache name and location; if this option is not used,
          the default cache name and location are used.

          The default credentials cache may vary between systems.

          If the KRB5CCNAME environment variable is set, its
          value is used to name the default ticket cache. Any
          existing contents of the cache are destroyed by kinit.
          (Note: The default name for Kerberos 4 comes from the
          KRBTKFILE environment variable. This option does not
          apply to Kerberos 4.)

     -S service_name
          specify an alternate service name to use when getting
          initial tickets. (Applicable to Kerberos 5 or if using
          both Kerberos 5 and Kerberos 4 with a kdc that supports
          Kerberos 5 to Kerberos 4 ticket conversion.)

ENVIRONMENT
     Kinit uses the following environment variables:

     KRB5CCNAME   Location of the Kerberos 5 credentials
                  (ticket) cache.

     KRBTKFILE    Filename of the Kerberos 4 credentials
                  (ticket) cache.

FILES
     /tmp/krb5cc_[uid]
          default location of Kerberos 5 credentials cache
          ([uid] is the decimal UID of the user).

     /tmp/tkt[uid]
          default location of Kerberos 4 credentials cache
          ([uid] is the decimal UID of the user).

     /etc/krb5.keytab
          default location for the local host's keytab file.

SEE ALSO
     klist(1), kdestroy(1), krb5(3)
</code></pre>
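<p>The credentials cache and keytab named under ENVIRONMENT and FILES hold reusable Kerberos secrets, so their location and file permissions are worth checking on any host where kinit runs. The following is an added example, not part of the man page: the function names are hypothetical, and the owner-only permission baseline and the <code>FILE:</code> prefix handling are assumptions of this example rather than statements from the page.</p>

```shell
#!/bin/sh
# Added example (not from the man page). Function names are hypothetical.

# Print the file path of the Kerberos 5 credentials cache as the man page
# describes: KRB5CCNAME if set, otherwise /tmp/krb5cc_[uid].
# Returns 2 for cache names that are not plain files (assumption: a "FILE:"
# prefix or a bare absolute path denotes a file-based cache).
krb5_ccache_path() {
    cc="${KRB5CCNAME:-/tmp/krb5cc_$(id -u)}"
    case "$cc" in
        FILE:*) cc="${cc#FILE:}" ;;   # explicit file-type prefix
        /*)     ;;                    # bare absolute path
        *)      echo "unsupported cache type: $cc" >&2; return 2 ;;
    esac
    printf '%s\n' "$cc"
}

# audit_cred_file PATH EXPECTED_UID
# Returns 0 only if PATH is a regular file (not a symlink), owned by
# EXPECTED_UID, with no group/other permission bits set (assumed baseline).
audit_cred_file() {
    f="$1"; want_uid="$2"
    if [ -L "$f" ]; then echo "FAIL symlink: $f"; return 1; fi
    if [ ! -f "$f" ]; then echo "FAIL not a regular file: $f"; return 1; fi
    # ls -ldn prints: mode links uid gid ... (numeric ids)
    set -- $(ls -ldn -- "$f")
    perms="$1"; uid="$3"
    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL owner uid $uid, expected $want_uid: $f"; return 1
    fi
    case "$perms" in
        ????------*) echo "OK $perms uid=$uid $f"; return 0 ;;
        *)           echo "FAIL group/other access ($perms): $f"; return 1 ;;
    esac
}

# Usage (keytab owned by uid 0 is an assumption of this example):
#   audit_cred_file "$(krb5_ccache_path)" "$(id -u)"
#   audit_cred_file /etc/krb5.keytab 0
```

<p>A symlinked cache path is reported as a failure because the default cache lives in the shared /tmp directory.</p>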