Name
kinit - obtain and cache Kerberos ticket-granting tickets
Synopsis
Initial ticket request:
kinit
[-A
] [-f
]
[-p
] [-c
cache_name] [-l
lifetime] [-r
renewable_time]
[[-k
[-t
keytab_file_name]]
[principal] [password]
Renew a ticket:
kinit
-R
[-c
cache_name] [principal]
Description
This tool is similar in functionality to the kinit
tool
that is commonly found in other Kerberos implementations, such as SEAM
and MIT Reference implementations. The user must be registered as a
principal with the Key Distribution Center (KDC) prior to running
kinit
.
By default, on Windows, a cache file named
USER_HOME\krb5cc_
USER_NAME is
generated.
The identifier USER_HOME is obtained from the
java.lang.System
property user.home
.
USER_NAME is obtained from the java.lang.System
property user.name
. If USER_HOME is null, the
cache file is stored in the current directory from which the program is
running. USER_NAME is the operating system's login user name.
This user name could be different than the user's principal name. For
example, on Windows, the cache file could be
C:\Windows\Users\duke\krb5cc_duke
, in which
duke
is the USER_NAME and
C:\Windows\Users\duke
is the USER_HOME.
By default, the keytab name is retrieved from the Kerberos
configuration file. If the keytab name isn't specified in the Kerberos
configuration file, the kinit tool assumes that the name is
USER_HOME\krb5.keytab
If you don't specify the password using the password option
on the command line, the kinit
tool prompts you for the
password.
Note:
The password
option is provided only for testing
purposes. Don't specify your password in a script or provide your
password on the command line. Doing so will compromise your
password.
Commands
You can specify one of the following commands. After the command, specify the options for it.
-A
- Doesn't include addresses.
-f
- Issues a forwardable ticket.
-p
- Issues a proxiable ticket.
-c
cache_name-
The cache name (for example,
FILE:D:\temp\mykrb5cc
). -l
lifetime- Sets the lifetime of a ticket. The value can be one of "h:m[:s]", "NdNhNmNs", and "N". See the MIT krb5 Time Duration definition for more information.
-r
renewable_time- Sets the total lifetime that a ticket can be renewed.
-R
- Renews a ticket.
-k
- Uses keytab
-t
keytab_filename-
The keytab name (for example,
D:\winnt\profiles\duke\krb5.keytab
). - principal
-
The principal name (for example,
duke@example.com
). - password
- The principal's Kerberos password. Don't specify this on the command line or in a script.
Run kinit -help
to display the instructions above.
Examples
Requests credentials valid for authentication from the current client
host, for the default services, storing the credentials cache in the
default location (C:\Windows\Users\duke\krb5cc_duke
):
kinit duke@example.com
Requests proxiable credentials for a different principal and store these credentials in a specified file cache:
kinit -l 1h -r 10h duke@example.com
Requests a TGT for the specified principal that will expire in 1 hour but is renewable for up to 10 hours. Users must renew a ticket before it has expired. The renewed ticket can be renewed repeatedly within 10 hours from its initial request.
kinit -R duke@example.com
Renews an existing renewable TGT for the specified principal.
kinit -p -c FILE:C:\Windows\Users\duke\credentials\krb5cc_cafebeef cafebeef@example.com
Requests proxiable and forwardable credentials for a different principal and stores these credentials in a specified file cache:
kinit -f -p -c FILE:C:\Windows\Users\duke\credentials\krb5cc_cafebeef cafebeef@example.com
Displays the help menu for the kinit
tool:
kinit -help