Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages

  
 
  

home | help 
KINIT(1)		    General Commands Manual		      KINIT(1)

NAME
       kinit --	acquire	initial	tickets

SYNOPSIS
       kinit	 [--afslog]	[-c	cachename     |	    --cache=cachename]
	     [-f | --no-forwardable] [-t keytabname | --keytab=keytabname] [-l
	     time  |  --lifetime=time]	[-p  |	--proxiable]  [-R  |  --renew]
	     [--renewable]  [-r	 time |	--renewable-life=time] [-S principal |
	     --server=principal]     [-s     time     |	    --start-time=time]
	     [-k   |   --use-keytab]   [-v   |	 --validate]  [-e  enctypes  |
	     --enctypes=enctypes] [-a addresses	| --extra-addresses=addresses]
	     [--password-file=filename]	     [--fcache-version=version-number]
	     [-A  |  --no-addresses]  [--anonymous] [--enterprise] [--version]
	     [--help] [principal [command]]

DESCRIPTION
       kinit is	used to	authenticate to	the Kerberos server as	principal,  or
       if none is given, a system generated default (typically your login name
       at  the	default	 realm), and acquire a ticket granting ticket that can
       later be	used to	obtain tickets for other services.

       Supported options:

       -c cachename --cache=cachename
	       The credentials cache to	put the	acquired ticket	in,  if	 other
	       than default.

       -f --no-forwardable
	       Get  ticket  that  can  be forwarded to another host, or	if the
	       negative	flags use, don't get a forwardable flag.

       -t keytabname, --keytab=keytabname
	       Don't ask for a password, but instead  get  the	key  from  the
	       specified keytab.

       -l time,	--lifetime=time
	       Specifies  the lifetime of the ticket.  The argument can	either
	       be in seconds, or a more	human readable string like `1h'.

       -p, --proxiable
	       Request tickets with the	proxiable flag set.

       -R, --renew
	       Try to renew ticket.  The ticket	must have the `renewable' flag
	       set, and	must not be expired.

       --renewable
	       The same	as --renewable-life, with an infinite time.

       -r time,	--renewable-life=time
	       The max renewable ticket	life.

       -S principal, --server=principal
	       Get a ticket for	a service other	than krbtgt/LOCAL.REALM.

       -s time,	--start-time=time
	       Obtain a	ticket that starts to be valid time (which can	really
	       be  a  generic  time specification, like	`1h') seconds into the
	       future.

       -k, --use-keytab
	       The same	as --keytab, but with the default  keytab  name	 (nor-
	       mally FILE:/etc/krb5.keytab).

       -v, --validate
	       Try to validate an invalid ticket.

       -e, --enctypes=enctypes
	       Request tickets with this particular enctype.

       --password-file=filename
	       read  the  password  from  the  first line of filename.	If the
	       filename	is STDIN, the password will be read from the  standard
	       input.

       --fcache-version=version-number
	       Create a	credentials cache of version version-number.

       -a, --extra-addresses=enctypes
	       Adds  a	set of addresses that will, in addition	to the systems
	       local addresses,	be put in the ticket.  This can	be  useful  if
	       all  addresses  a client	can use	can't be automatically figured
	       out.  One such example is if the	client is behind  a  firewall.
	       Also settable via libdefaults/extra_addresses in	krb5.conf(5).

       -A, --no-addresses
	       Request a ticket	with no	addresses.

       --anonymous
	       Request	an  anonymous ticket (which means that the ticket will
	       be   issued    to    an	  anonymous    principal,    typically
	       "anonymous@REALM").

       --enterprise
	       Parse  principal	as a enterprise	(KRB5-NT-ENTERPRISE) name. En-
	       terprise	names are email	like principals	that are stored	in the
	       name part of the	principal, and since there are two  @  charac-
	       ters  the  parser  needs	to know	that the first is not a	realm.
	       An example of an	enterprise name	is "lha@e.kth.se@KTH.SE",  and
	       this option is usually used with	canonicalize so	that the prin-
	       cipal  returned from the	KDC will typically be the real princi-
	       pal name.

       --afslog
	       Gets AFS	tickets, converts them to version 4 format, and	stores
	       them in the kernel.  Only useful	if you have AFS.

       The forwardable,	proxiable, ticket_life,	and renewable_life options can
       be set to a default value from the appdefaults  section	in  krb5.conf,
       see krb5_appdefault(3).

       If   a  command is given, kinit will set	up new credentials caches, and
       AFS PAG,	and then run the given command.	 When it finishes the  creden-
       tials will be removed.

ENVIRONMENT
       KRB5CCNAME
	       Specifies the default credentials cache.

       KRB5_CONFIG
	       The file	name of	krb5.conf, the default being /etc/krb5.conf.

       KRBTKFILE
	       Specifies the Kerberos 4	ticket file to store version 4 tickets
	       in.

SEE ALSO
       kdestroy(1), klist(1), krb5_appdefault(3), krb5.conf(5)

HEIMDAL				April 25, 2006			      KINIT(1)

Want to link to this manual page? Use this URL:
<https://man.freebsd.org/cgi/man.cgi?query=kinit&sektion=1&manpath=FreeBSD+14.3-RELEASE+and+Ports>

home | help