Tru64 Unix man pages: kinit(1)

NAME

       kinit - Obtains and caches initial ticket granting tickets
       (TGTs) and service tickets

SYNOPSIS

       /krb5/bin/kinit [-c cachename]  [-D]  [-d  starttime]  [-e
       etype]  [-k  [-t   keytable]] [-f] [-n] [-p] [-l lifetime]
       [-r renewtime] [-v version] [principal]

       /krb5/bin/kinit -S service  [-c cachename] [-d  starttime]
       [-f] [-p] [-l lifetime] [-r renewtime]

       /krb5/bin/kinit -R  [-c cachename]

       /krb5/bin/kinit -V  [-c cachename]

OPTIONS

       -c cachename
              Specifies the location of the Kerberos credentials
              cache file other than the default, which is
              /krb5/tmp/cc/krb5cc_uid (where uid represents your
              user identification retrieved from the password
              file), unless the CSFC5CCNAME environment variable
              is set to an alternate pathname.

       -D     Creates a postdatable TGT.

       -d starttime
              Creates a postdated ticket and specifies the amount
              of time before the ticket can be validated.

              The syntax of starttime is [#w][#d][#h][#m][#s],
              where w = weeks, d = days, h = hours, m = minutes,
              and s = seconds. No spaces are allowed unless the
              expression is enclosed in quotation marks, and when
              spaces are used, numbers must still be adjacent to
              their applicable letters. For example, "1w 2d 3h 4m
              5s" is acceptable, whereas "1 w 2 h" produces an
              error.

              By default, a starttime is in hours. If the
              requested time period is less than the server's
              clock skew value (typically five minutes), the
              ticket's start time is set to the current time and
              it is issued as if the -d option had not been
              specified.

       -e etype
              Specifies the encryption type for the credentials.
              Valid values for etype are the following:

              For DES-CBC-CRC, enter one of the following:
                     DES-CRC or 1

              For DES-CBC-MD5, enter one of the following:
                     DES or DES-MD5 or 3

              For DES3-CBC-MD5, enter one of the following:
                     DES3 or DES3-MD5 or 5

              By default, type 5 (DES3-CBC-MD5) encryption is
              used if the principal has a DES3 key in the
              security server principal database. Otherwise, type
              3 (DES-CBC-MD5) encryption is used.

              The -e option is mutually exclusive with the -k and
              -t options.

       -f     Creates a forwardable TGT.

       -k     Uses the service key table file to obtain the
              ticket rather than a user-supplied password. Use
              this option to check the contents of the default
              service key table file called v5srvtab. If you are
              using a service key table file other than the
              default, use the -t option to identify the name of
              the service key table file.

              You must be logged on as root to use this option,
              because the v5srvtab file is accessible only to
              root. Also, the -k option is mutually exclusive
              with the -e option.

       -l lifetime
              Requests a ticket with a specified lifetime. You
              must specify a lifetime, up to the maximum lifetime
              set for the principal account in the principal
              database; otherwise, the ticket lifetime is set to
              the default of 8 hours.

              The syntax of lifetime is [#w][#d][#h][#m][#s],
              where w = weeks, d = days, h = hours, m = minutes,
              and s = seconds. No spaces are allowed unless the
              expression is enclosed in quotation marks, and when
              spaces are used, numbers must be adjacent to their
              applicable letters. For example, "1w 2d 3h 4m 5s"
              is acceptable, whereas "1 w 2 d 3 h 4 m 5 s" will
              produce an error.

              By default, a lifetime is in hours.

       -n     Skips preauthentication when obtaining the ticket.
              By default, kinit uses preauthentication.

       -p     Creates a proxiable ticket.

       -R     Renews all renewable tickets in the specified
              credentials cache. After a ticket is renewed, its
              start time is set to the current time and its end
              time becomes either the sum of the current time
              plus the end time, or the renew time, whichever is
              less. The end time, authentication time, and renew
              time are not changed on the tickets.

              Renewing tickets removes all expired tickets from
              the credentials cache. You must renew tickets
              before they expire. You cannot renew some tickets
              and not others.

              This option is valid only by itself or with the -c
              option; no password is required.

       -r renewtime
              Creates a renewable ticket with a specified renew
              time. The syntax of renewtime is
              [#w][#d][#h][#m][#s], where w = weeks, d = days,
              h = hours, m = minutes, and s = seconds. No spaces
              are allowed unless the expression is enclosed in
              quotation marks, and when spaces are used, numbers
              must be adjacent to their applicable letters. For
              example, "1w 2d 3h 4m 5s" is acceptable, whereas
              "1 w 2 d 3 h 4 m 5 s" will produce an error.

              By default, a renewtime is in hours.

       -S service
              Requests a ticket for a specified service. A valid
              TGT must exist in the user's credentials cache file
              prior to using this option or the command will
              fail. You must specify a service principal name,
              where service is that name.

              For example, the following command obtains a
              service ticket for the host/server1.company.com
              principal in the COMPANY.COM realm:

              # kinit -S host/server1.company.com@COMPANY.COM

              To obtain a service ticket for the local host
              principal, enter:

              # kinit -S host

              Use this command to verify that the host principal
              for a user's computer can authenticate as required.

       -t keytable
              Specifies a service key table file other than the
              default, which is /krb5/v5srvtab.

              You can only use the -t option with the -k option.

              The -k and -t options are mutually exclusive with
              the -e option.

       -V     Validates the tickets in the credentials cache.
              Validation succeeds if the current time is later
              than the ticket's valid starting time and before
              the ticket's expiration time. Using this option
              removes all expired tickets from the credentials
              cache.

              This option is valid only by itself or with the -c
              option; no password is required.

              Validating postdated tickets makes them active;
              services do not accept unvalidated postdated
              tickets.

       -v version
              Specifies the Kerberos credentials cache version.
              The range of valid values is 1 through 4. The
              default value is 2.

       principal
              Specifies the name of the principal for which you
              want to obtain an initial ticket (TGT).

DESCRIPTION

       The kinit command:

              Obtains and caches an initial ticket (TGT).
              Acquires service tickets.
              Renews tickets that are renewable.
              Validates postdated tickets.

RESTRICTIONS

       Due to clock skew  (the  difference  allowed  between  the
       clock time of the client and server), the ticket start and
       end times might not appear exactly as specified. The clock
       skew is five minutes, so a ticket start time might be five
       minutes before or after the time you specified.

       Tickets with remaining lifetimes that are  less  than  the
       clock skew might give unexpected results.

       If  you  request  a  postdated ticket and the ticket start
       time is within the clock skew, the ticket  start  time  is
       the current time and the ticket is valid immediately.

EXAMPLES

       To obtain a ticket that is postdated to start 1 hour from
       now, has a lifetime of 15 minutes, is forwardable, and is
       for the principal mary/admin in the default domain
       COMPANY.COM, enter:

              # kinit -d 1h -l 15m -f mary/admin@COMPANY.COM

       To validate the ticket after the start time has passed and
       before it expires, enter:

              # kinit -V

       To obtain a ticket with a lifetime of 45 hours and 30
       minutes, enter:

              # kinit -l 45h30m
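
       The [#w][#d][#h][#m][#s] syntax shared by the -d, -l and -r
       options, and the clock-skew rule for -d, can be checked in
       a wrapper script before kinit is called. The following is
       an added example, not part of the original manual page or
       of Tru64; the function names are hypothetical, and it
       assumes units must appear in w, d, h, m, s order, at most
       once each, and that a bare number is the whole expression.

```sh
#!/bin/sh
# Added example, not Tru64 code. Assumptions beyond the page: units must come
# in w,d,h,m,s order, each at most once; a bare number is the whole expression.
CLOCK_SKEW=300   # "typically five minutes", in seconds

# Print the number of seconds for a starttime/lifetime/renewtime expression;
# return 1 on a syntax error. (POSIX sh has no locals; call it via $(...).)
kinit_time_to_seconds() {
    expr_in=$1 total=0 rank=0
    case $expr_in in
        ''|*[!0-9wdhms\ ]*) return 1 ;;          # empty or illegal character
        *[!0-9]*) ;;                              # has units: parse below
        *)  n=${expr_in#"${expr_in%%[!0]*}"}      # bare number means hours
            echo $(( ${n:-0} * 3600 )); return 0 ;;
    esac
    for tok in $expr_in; do                       # spaces only between components
        while [ -n "$tok" ]; do
            num=${tok%%[!0-9]*}                   # leading digits
            [ -n "$num" ] || return 1             # letter with no number
            rest=${tok#"$num"}
            unit=${rest%"${rest#?}"}              # character right after the digits
            tok=${rest#?}
            case $unit in
                w) r=1 mult=604800 ;;
                d) r=2 mult=86400 ;;
                h) r=3 mult=3600 ;;
                m) r=4 mult=60 ;;
                s) r=5 mult=1 ;;
                *) return 1 ;;                    # number not adjacent to a letter
            esac
            [ "$r" -gt "$rank" ] || return 1      # out of order or repeated unit
            rank=$r
            num=${num#"${num%%[!0]*}"}            # drop leading zeros (avoid octal)
            total=$(( total + ${num:-0} * mult ))
        done
    done
    [ "$rank" -gt 0 ] || return 1                 # nothing but spaces
    echo "$total"
}

# 0 if a -d value really postdates the ticket, 1 if it falls under the clock
# skew (issued as if -d were absent, per the page), 2 on a syntax error.
is_effectively_postdated() {
    secs=$(kinit_time_to_seconds "$1") || return 2
    [ "$secs" -ge "$CLOCK_SKEW" ]
}

# Demo on expressions quoted on the page.
for e in "1w 2d 3h 4m 5s" "45h30m" "1 w 2 h"; do
    printf '%-16s -> %s\n' "$e" "$(kinit_time_to_seconds "$e" || echo error)"
done
```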



ENVIRONMENT VARIABLES

       CSFC5CCNAME

       Controls the credentials cache.

FILES

       /krb5/tmp/cc/krb5cc_uid

       Default Kerberos credentials cache file.

       v5srvtab

       Default service key table file.

SEE ALSO

       Commands: kdestroy(1), klist(1), ktutil(1)


