SYNOPSISkinit [--afslog ] [-c cachename | --cache= cachename ] [-f | --forwardable ] [-F | --no-forwardable ] [-t keytabname | --keytab= keytabname ] [-l time | --lifetime= time ] [-p | --proxiable ] [-R | --renew ] [--renewable ] [-r time | --renewable-life= time ] [-S principal | --server= principal ] [-s time | --start-time= time ] [-k | --use-keytab ] [-v | --validate ] [-e enctypes | --enctypes= enctypes ] [-a addresses | --extra-addresses= addresses ] [--password-file= filename ] [--fcache-version= version-number ] [-A | --no-addresses ] [--anonymous ] [--enterprise ] [--version ] [--help ] [principal [command ] ]
DESCRIPTIONkinit is used to authenticate to the Kerberos server as principal or if none is given, a system generated default (typically your login name at the default realm), and acquire a ticket granting ticket that can later be used to obtain tickets for other services.
- -c cachename --cache= cachename
- The credentials cache to put the acquired ticket in, if other than default.
- -f --forwardable
- Obtain a ticket than can be forwarded to another host.
- -F --no-forwardable
- Do not obtain a forwardable ticket.
- -t keytabname , --keytab= keytabname
- Don't ask for a password, but instead get the key from the specified keytab.
- -l time , --lifetime= time
- Specifies the lifetime of the ticket. The argument can either be in seconds, or a more human readable string like `1h'
- -p , --proxiable
- Request tickets with the proxiable flag set.
- -R , --renew
- Try to renew ticket. The ticket must have the `renewable' flag set, and must not be expired.
- The same as --renewable-life with an infinite time.
- -r time , --renewable-life= time
- The max renewable ticket life.
- -S principal , --server= principal
- Get a ticket for a service other than krbtgt/LOCAL.REALM.
- -s time , --start-time= time
- Obtain a ticket that starts to be valid time (which can really be a generic time specification, like `1h' seconds into the future.
- -k , --use-keytab
- The same as --keytab but with the default keytab name (normally FILE:/etc/krb5.keytab )
- -v , --validate
- Try to validate an invalid ticket.
- -e , --enctypes= enctypes
- Request tickets with this particular enctype.
- --password-file= filename
- read the password from the first line of filename If the filename is STDIN the password will be read from the standard input.
- --fcache-version= version-number
- Create a credentials cache of version version-number
- -a , --extra-addresses= enctypes
- Adds a set of addresses that will, in addition to the systems local addresses, be put in the ticket. This can be useful if all addresses a client can use can't be automatically figured out. One such example is if the client is behind a firewall. Also settable via libdefaults/extra_addresses in krb5.conf5.
- -A , --no-addresses
- Request a ticket with no addresses.
- Request an anonymous ticket (which means that the ticket will be issued to an anonymous principal, typically ``[email protected] )''
- Parse principal as a enterprise (KRB5-NT-ENTERPRISE) name. Enterprise names are email like principals that are stored in the name part of the principal, and since there are two @ characters the parser needs to know that the first is not a realm. An example of an enterprise name is ``[email protected]@KTH.SE'' and this option is usually used with canonicalize so that the principal returned from the KDC will typically be the real principal name.
- Gets AFS tickets, converts them to version 4 format, and stores them in the kernel. Only useful if you have AFS.
The forwardable proxiable ticket_life and renewable_life options can be set to a default value from the appdefaults section in krb5.conf, see krb5_appdefault3.
If a command is given, kinit will set up new credentials caches, and AFS PAG, and then run the given command. When it finishes the credentials will be removed.
- Specifies the default credentials cache.
- The file name of krb5.conf the default being /etc/krb5.conf