kinit(1)
NAME
kinit - Obtains and caches initial ticket granting tickets (TGTs) and
service tickets
SYNOPSIS
/krb5/bin/kinit [-c cachename] [-D] [-d starttime] [-e etype] [-k [-t
keytable]] [-f] [-n] [-p] [-l lifetime] [-r renewtime] [-v version]
[principal]
/krb5/bin/kinit -S service [-c cachename] [-d starttime] [-f] [-p] [-l
lifetime] [-r renewtime]
/krb5/bin/kinit -R [-c cachename]
/krb5/bin/kinit -V [-c cachename]
OPTIONS
-c cachename
Specifies the location of the Kerberos credentials cache file other
than the default, which is /krb5/tmp/cc/krb5cc_uid (where uid
represents your user identification retrieved from the password
file), unless the CSFC5CCNAME environment variable is set to an
alternate pathname.
-D Creates a postdatable TGT.
-d starttime
Creates a postdated ticket and specifies the amount of time before
the ticket can be validated.
The syntax of starttime is [#w][#d][#h][#m][#s], where w = weeks, d
= days, h = hours, m = minutes, and s = seconds. No spaces are
allowed unless the expression is enclosed in quotation marks, and
when spaces are used, numbers must still be adjacent to their
applicable letters. For example, "1w 2d 3h 4m 5s" is acceptable,
whereas "1 w 2 h" produces an error.
By default, a starttime is in hours. If the requested time period
is less than the server's clock skew value (typically five
minutes), the ticket's start time is set to the current time and it
is issued as if the -d option had not been specified.
-e etype
Specifies the encryption type for the credentials. Valid uses for
etype are the following:
· For DES-CBC-CRC, enter one of the following:
DES-CRC or 1
· For DES-CBC-MD5, enter one of the following:
DES or DES-MD5 or 3
· For DES3-CBC-MD5, enter one of the following:
DES3 or DES3-MD5 or 5
By default, type 5 (DES3-CBC-MD5) encryption is used if the
principal has a DES3 key in the security server principal database.
Otherwise, type 3 (DES-CBC-MD5) encryption is used.
The -e option is mutually exclusive with the -k and -t options.
-f Creates a forwardable TGT.
-k Uses the service key table file to obtain the ticket rather than a
user-supplied password. Use this option to check the contents of
the default service key table file called v5srvtab. If you are
using a service key table file other than the default, use the -t
option to identify the name of the service key table file.
You must be logged on as root to use this option, because the
v5srvtab file is accessible only to root. Also, the -k option is
mutually exclusive with the -e option.
-l lifetime
Requests a ticket with a specified lifetime. You must specify a
lifetime, up to the maximum lifetime set for the principal account
in the principal database; otherwise, the ticket lifetime is set to
the default of 8 hours.
The syntax of lifetime is [#w][#d][#h][#m][#s], where w = weeks, d
= days, h = hours, m = minutes, and s = seconds. No spaces are
allowed unless the expression is enclosed in quotation marks, and
when spaces are used, numbers must be adjacent to their applicable
letters. For example, "1w 2d 3h 4m 5s" is acceptable, whereas "1 w
2 d 3 h 4 m 5 s" will produce an error.
By default, a lifetime is in hours.
-n Skips preauthentication when obtaining the ticket. By default,
kinit uses preauthentication.
-p Creates a proxiable ticket.
-R Renews all renewable tickets in the specified credentials cache.
After a ticket is renewed, its start time is set to the current
time and its end time becomes either the sum of the current time
plus the end time, or the renew time, whichever is less. The end
time, authentication time, and renew time are not changed on the
tickets.
Renewing tickets removes all expired tickets from the credentials
cache. You must renew tickets before they expire. You cannot
renew some tickets and not others.
This option is valid only by itself or with the -c option; no
password is required.
-r renewtime
Creates a renewable ticket with a specified renew time. The syntax
of renewtime is [#w][#d][#h][#m][#s], where w = weeks, d = days, h
= hours, m = minutes, and s = seconds. No spaces are allowed unless
the expression is enclosed in quotation marks, and when spaces are
used, numbers must be adjacent to their applicable letters. For
example, "1w 2d 3h 4m 5s" is acceptable, whereas "1 w 2 d 3 h 4 m 5
s" will produce an error.
By default, a renewtime is in hours.
-S service
Requests a ticket for a specified service. A valid TGT must exist
in the user's credentials cache file prior to using this option or
the command will fail. You must specify a service principal name,
where service is that name.
For example, the following command obtains a service ticket for the
host/server1.company.com principal in the COMPANY.COM realm:
# kinit -S host/server1.company.com@COMPANY.COM
To obtain a service ticket for the local host principal, enter:
# kinit -S host
Use this command to verify that the host principal for a user's
computer can authenticate as required.
-t keytable
Specifies a service key table file other than the default, which is
/krb5/v5srvtab.
You can only use the -t option with the -k option.
The -k and -t options are mutually exclusive with the -e option.
-V Validates the tickets in the credentials cache. Validation succeeds
if the current time is later than the ticket's valid starting time
and before the ticket's expiration time. Using this option removes
all expired tickets from the credentials cache.
This option is valid only by itself or with the -c option; no
password is required.
Validating postdated tickets makes them active; services do not
accept unvalidated postdated tickets.
-v version
Specifies the Kerberos credentials cache version. The range of
valid values is 1 through 4. The default value is 2.
principal
Specifies the name of the principal for which you want to obtain an
initial ticket (TGT).
DESCRIPTION
The kinit command:
· Obtains and caches an initial ticket (TGT).
· Acquires service tickets.
· Renews tickets that are renewable.
· Validates postdated tickets.
RESTRICTIONS
Due to clock skew (the difference allowed between the clock time of the
client and server), the ticket start and end times might not appear exactly
as specified. The clock skew is five minutes, so a ticket start time might
be five minutes before or after the time you specified.
Tickets with remaining lifetimes that are less than the clock skew might
give unexpected results.
If you request a postdated ticket and the ticket start time is within the
clock skew, the ticket start time is the current time and the ticket is
valid immediately.
EXAMPLES
1. To obtain a ticket that is postdated to start 1 hour from now, has a
lifetime of 15 minutes, is forwardable, and is for the principal
mary/admin in the default domain COMPANY.COM, enter:
# kinit -d 1h -l 15m -f mary/admin@COMPANY.COM
2. To validate the ticket after the start time has passed and before it
expires, enter:
# kinit -V
3. To obtain a ticket with a lifetime of 45 hours and 30 minutes, enter:
# kinit -l 45h30m
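The [#w][#d][#h][#m][#s] syntax accepted by -d, -l and -r, together with the
clock-skew rule for -d, can be checked before kinit is called. The following
shell functions are an added example, not part of kinit or of the original
page; the function names, the CLOCK_SKEW variable, the sample inputs, and the
check that units appear once each in w d h m s order are assumptions.

```sh
#!/bin/sh
# Added example, not kinit's own code; names and sample inputs are constructed.
CLOCK_SKEW=300   # seconds: the five-minute clock skew stated on this page

# duration_to_seconds EXPR
# Prints EXPR ([#w][#d][#h][#m][#s]) as seconds; returns 1 on a syntax error.
duration_to_seconds() {
    _expr=$1 _total=0 _order=wdhms
    # Only digits, unit letters and spaces may appear.
    case $_expr in ''|*[!0-9wdhms' ']*) return 1 ;; esac
    # A bare number is taken as hours (the documented default).
    case $_expr in *[!0-9]*) ;; *) _expr=${_expr}h ;; esac
    for _word in $_expr; do                 # split on spaces
        while [ -n "$_word" ]; do
            _num=${_word%%[!0-9]*}          # leading digits
            _word=${_word#"$_num"}
            _unit=${_word%"${_word#?}"}     # the character after them
            _word=${_word#?}
            # "1 w" splits into "1" and "w": one half is missing, so reject.
            [ -n "$_num" ] && [ -n "$_unit" ] || return 1
            # Assumption: each unit appears at most once, in w d h m s order.
            case $_order in
                *"$_unit"*) _order=${_order#*"$_unit"} ;;
                *) return 1 ;;
            esac
            _num=${_num#"${_num%%[!0]*}"}   # drop leading zeros (avoid octal)
            case $_unit in
                w) _mult=604800 ;; d) _mult=86400 ;; h) _mult=3600 ;;
                m) _mult=60 ;;     s) _mult=1 ;;
            esac
            _total=$((_total + ${_num:-0} * _mult))
        done
    done
    [ "$_order" != wdhms ] || return 1      # nothing but spaces
    echo "$_total"
}

# effective_start_delay SECONDS
# A -d request shorter than the clock skew is issued as if -d were absent.
effective_start_delay() {
    if [ "$1" -lt "$CLOCK_SKEW" ]; then echo 0; else echo "$1"; fi
}

# Constructed sample inputs, including the page's accepted and rejected forms.
for e in "1w 2d 3h 4m 5s" "45h30m" "8" "3m" "1 w 2 h"; do
    if s=$(duration_to_seconds "$e"); then
        echo "'$e' = ${s}s; as -d, effective delay $(effective_start_delay "$s")s"
    else echo "'$e' rejected"; fi
done
```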
ENVIRONMENT VARIABLES
CSFC5CCNAME
Controls the credentials cache.
FILES
/krb5/tmp/cc/krb5cc_uid
Default Kerberos credentials cache file.
v5srvtab
Default service key table file.
SEE ALSO
Commands: kdestroy(1), klist(1), ktutil(1)