man pages section 1: User Commands

kinit(1)

Name | Synopsis | Description | Options | Environment Variables | Files | Attributes | See Also | Notes

Name

    kinit - obtain and cache Kerberos ticket-granting ticket

Synopsis

    /usr/bin/kinit [-ARvV] [-p | -P] [-f | -F] [-a] [-c cache_name] 
         [-k [-t keytab_file]] [-l lifetime] 
         [-r renewable_life] [-s start_time] [-S service_name] 
         [principal]

Description

    The kinit command is used to obtain and cache an initial ticket-granting ticket (credential) for principal. This ticket is used for authentication by the Kerberos system. Notice that only users with Kerberos principals can use the Kerberos system. For information about Kerberos principals, see kerberos(5).

    When you use kinit without options, the utility prompts for your principal and Kerberos password, and tries to authenticate your login with the local Kerberos server. The principal can be specified on the command line if desired.

    If Kerberos authenticates the login attempt, kinit retrieves your initial ticket-granting ticket and puts it in the ticket cache. By default your ticket will be stored in the file /tmp/krb5cc_uid, where uid specifies your user identification number. Tickets expire after a specified lifetime, after which kinit must be run again. Any existing contents of the cache are destroyed by kinit.

    Values specified in the command line override the values specified in the Kerberos configuration file for lifetime and renewable_life.

    The kdestroy(1) command may be used to destroy any active tickets before you end your login session.

Options

    The following options are supported:

    -a

    Requests tickets with the local addresses.

    -A

    Requests address-less tickets.

    -c cache_name

    Uses cache_name as the credentials (ticket) cache name and location. If this option is not used, the default cache name and location are used.

    -f

    Requests forwardable tickets.

    -F

    Not forwardable. Does not request forwardable tickets.

    Tickets that have been acquired on one host cannot normally be used on another host. A client can request that the ticket be marked forwardable. Once the TKT_FLG_FORWARDABLE flag is set on a ticket, the user can use this ticket to request a new ticket, but with a different IP address. Thus, users can use their current credentials to get credentials valid on another machine. This option allows a user to explicitly obtain a non-forwardable ticket.

    -k [-t keytab_file]

    Requests a host ticket, obtained from a key in the local host's keytab file. The name and location of the keytab file may be specified with the -t keytab_file option. Otherwise, the default name and location will be used.

    -l lifetime

    Requests a ticket with the lifetime lifetime. If the -l option is not specified, the default ticket lifetime (configured by each site) is used. Specifying a ticket lifetime longer than the maximum ticket lifetime (configured by each site) results in a ticket with the maximum lifetime. See the Time Formats section for the valid time duration formats that you can specify for lifetime. See also kdc.conf(4), and kadmin(1M) for the getprinc command, which can be used to verify the lifetime values for the server principal.

    The lifetime of the tickets returned will be the minimum of the following:

    • Value specified in the command line.

    • Value specified in the KDC configuration file.

    • Value specified in the Kerberos database for the server principal. In the case of kinit, it is krbtgt/realm name.

    • Value specified in the Kerberos database for the user principal.

    -p

    Requests proxiable tickets.

    -P

    Not proxiable. Does not request proxiable tickets.

    A proxiable ticket is a ticket that allows you to get a ticket for a service with IP addresses other than the ones in the Ticket Granting Ticket. This option allows a user to explicitly obtain a non-proxiable ticket.

    -r renewable_life

    Requests renewable tickets, with a total lifetime of renewable_life. See the Time Formats section for the valid time duration formats that you can specify for renewable_life. See also kdc.conf(4), and kadmin(1M) for the getprinc command, which can be used to verify the lifetime values for the server principal.

    The renewable lifetime of the tickets returned will be the minimum of the following:

    • Value specified in the command line.

    • Value specified in the KDC configuration file.

    • Value specified in the Kerberos database for the server principal. In the case of kinit, it is krbtgt/realm name.

    • Value specified in the Kerberos database for the user principal.

    -R

    Requests renewal of the ticket-granting ticket. Notice that an expired ticket cannot be renewed, even if the ticket is still within its renewable life.

    -s start_time

    Requests a postdated ticket, valid starting at start_time. Postdated tickets are issued with the invalid flag set, and need to be fed back to the KDC before use. See the Time Formats section for either the valid absolute time or time duration formats that you can specify for start_time. kinit attempts to match an absolute time first before trying to match a time duration.

    -S service_name

    Specifies an alternate service name to use when getting initial tickets.

    -v

    Requests that the ticket granting ticket in the cache (with the invalid flag set) be passed to the KDC for validation. If the ticket is within its requested time range, the cache is replaced with the validated ticket.

    -V

    Verbose output. Displays further information to the user, such as confirmation of authentication and version.

    Time Formats

      The following absolute time formats can be used for the -s start_time option. The examples are based on the date and time of July 2, 1999, 1:35:30 p.m.

      Absolute Time Format        Example
      yymmddhhmm[ss]              990702133530
      hhmm[ss]                    133530
      yy.mm.dd.hh.mm.ss           99:07:02:13:35:30
      hh:mm[:ss]                  13:35:30
      ldate:ltime                 07-07-99:13:35:30
      dd-month-yyyy:hh:mm[:ss]    02-july-1999:13:35:30

      Variable    Description
      dd          day
      hh          hour (24-hour clock)
      mm          minutes
      ss          seconds
      yy          year within century (0-68 is 2000 to 2068; 69-99 is 1969 to 1999)
      yyyy        year including century
      month       locale's full or abbreviated month name
      ldate       locale's appropriate date representation
      ltime       locale's appropriate time representation

      The following time duration formats can be used for the -l lifetime, -r renewable_life, and -s start_time options. The examples are based on the time duration of 14 days, 7 hours, 5 minutes, and 30 seconds.

      Time Duration Format    Example
      #d                      14d
      #h                      7h
      #m                      5m
      #s                      30s
      #d#h#m#s                14d7h5m30s
      #h#m[#s]                7h5m30s
      days-hh:mm:ss           14-07:05:30
      hours:mm[:ss]           7:05:30

      Delimiter    Description
      d            number of days
      h            number of hours
      m            number of minutes
      s            number of seconds

      Variable    Description
      #           number
      days        number of days
      hours       number of hours
      hh          hour (24-hour clock)
      mm          minutes
      ss          seconds
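
      The following Python example is added here and is not part of the original man page or of any Kerberos implementation. It parses the time duration formats listed above and applies the minimum rule described for -l and -r, which is useful when auditing scripts that request long-lived tickets. The function names and the sample limits are assumptions made for illustration.

```python
import re

# Patterns for the duration formats tabulated above.
DAYS_CLOCK = re.compile(r"(\d+)-(\d{1,2}):(\d{2}):(\d{2})")    # days-hh:mm:ss
HOURS_CLOCK = re.compile(r"(\d+):(\d{2})(?::(\d{2}))?")        # hours:mm[:ss]
# #d, #h, #m, #s and their in-order combinations (slightly more permissive
# than the table, e.g. "14d30s" is accepted).
UNITS = re.compile(r"(?:(\d+)d)?(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?")


def parse_duration(text):
    """Convert a duration in one of the page's formats to seconds."""
    text = text.strip()
    m = DAYS_CLOCK.fullmatch(text) or HOURS_CLOCK.fullmatch(text)
    if m:
        parts = [int(g or 0) for g in m.groups()]
        if len(parts) == 3:              # hours:mm[:ss] has no day field
            parts.insert(0, 0)
        elif parts[1] > 23:              # hh is a 24-hour clock value
            raise ValueError(f"hour out of range: {text!r}")
        if parts[2] > 59 or parts[3] > 59:
            raise ValueError(f"minutes/seconds out of range: {text!r}")
    else:
        m = UNITS.fullmatch(text)
        if not m or not any(m.groups()):  # empty string or bare number
            raise ValueError(f"not a listed duration format: {text!r}")
        parts = [int(g or 0) for g in m.groups()]
    days, hours, minutes, seconds = parts
    return ((days * 24 + hours) * 60 + minutes) * 60 + seconds


def effective_lifetime(requested, kdc_conf, tgs_principal, user_principal):
    """Apply the minimum rule the page gives for -l (and for -r)."""
    limits = (requested, kdc_conf, tgs_principal, user_principal)
    return min(parse_duration(v) for v in limits)


if __name__ == "__main__":
    # Constructed sample limits, not taken from any real realm.
    print(effective_lifetime("14d7h5m30s", "10h", "1d", "8h"))
```
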

Environment Variables

    kinit uses the following environment variable:

    KRB5CCNAME

    Location of the credentials (ticket) cache. See krb5envvar(5) for syntax and details.

Files

    /tmp/krb5cc_uid

    Default credentials cache (uid is the decimal UID of the user).

    /etc/krb5/krb5.keytab

    Default location for the local host's keytab file.

    /etc/krb5/krb5.conf

    Default location for the local host's configuration file. See krb5.conf(4).

Attributes

    See attributes(5) for descriptions of the following attributes:

    ATTRIBUTE TYPE         ATTRIBUTE VALUE
    Availability           SUNWkrbu
    Interface Stability    See below.

    The command arguments are Evolving. The command output is Unstable.

See Also

Notes

    On success, kinit notifies ktkt_warnd(1M) to alert the user when the initial credentials (ticket-granting ticket) are about to expire.

SunOS 5.10  Last Revised 16 Nov 2006
