kinit(1)                         User Commands                        kinit(1)



NAME
       kinit - obtain and cache Kerberos ticket-granting ticket

SYNOPSIS
       /usr/bin/kinit  [-ARvV]  [-p  |  -P]   [-f  | -F]  [-c cache_name] [ -k
       [-t keytab_file]]  [-l lifetime]  [-r renewable_life]   [-s start_time]
       [-S service_name] [principal]

DESCRIPTION
       The  kinit command is used to obtain and cache an initial ticket-grant-
       ing ticket (credential) for principal. This ticket is used for  authen-
       tication  by  the Kerberos system. Notice that only users with Kerberos
       principals can use the Kerberos system. For information about  Kerberos
       principals, see SEAM(5).

       When  you use kinit without options, the utility prompts for your prin-
       cipal and Kerberos password, and tries to authenticate your login  with
       the  local  Kerberos server. The principal can be specified on the com-
       mand line if desired.

       If Kerberos authenticates the login attempt, kinit retrieves your  ini-
       tial ticket-granting ticket and puts it in the ticket cache. By default
       your ticket will be stored in the file /tmp/krb5cc_uid, where uid spec-
       ifies your user identification number. Tickets expire after a specified
       lifetime, after which kinit must be run again. Any existing contents of
       the cache are destroyed by kinit.

       Values  specified  in the command line override the values specified in
       the Kerberos configuration file for lifetime and renewable_life.

       The kdestroy(1) command may be  used  to  destroy  any  active  tickets
       before you end your login session.

OPTIONS
       The following options are supported:

       -A                      Requests address-less tickets.



       -c cache_name           Uses  cache_name  as  the  credentials (ticket)
                               cache name and location. If this option is  not
                               used,  the  default cache name and location are
                               used.



       -f                      Requests forwardable tickets.



       -F                      Not forwardable. Does not  request  forwardable
                               tickets.

                               Tickets  that  have  been  acquired on one host
                               cannot normally be  used  on  another  host.  A
                               client  can  request  that the ticket be marked
                               forwardable. Once the TKT_FLG_FORWARDABLE  flag
                               is  set  on  a  ticket,  the  user can use this
                               ticket to request a new ticket, but with a dif-
                               ferent  IP  address.  Thus, users can use their
                               current credentials to get credentials valid on
                               another  machine.  This option allows a user to
                               explicitly obtain a non-forwardable ticket.



       -k [-t keytab_file]     Requests a host ticket, obtained from a key  in
                               the  local  host's  keytab  file.  The name and
                               location of the keytab file  may  be  specified
                               with  the -t keytab_file option. Otherwise, the
                               default name and location will be used.



       -l lifetime             Requests a ticket with the  lifetime  lifetime.
                               If  the -l option is not specified, the default
                               ticket lifetime (configured by  each  site)  is
                               used.  Specifying a ticket lifetime longer than
                               the maximum ticket lifetime (configured by each
                               site)  results  in  a  ticket  with the maximum
                               lifetime. See the Time Formats section for  the
                               valid  time duration formats that you can spec-
                               ify for  lifetime.  See  kdc.conf(4)  and  kad-
                               min(1M)  (for  getprinc  command  to verify the
                               lifetime values for the server principal).

                               The lifetime of the tickets  returned  will  be
                               the minimum of the following:


                                 o  Value specified in the command line.

                                 o  Value  specified  in the KDC configuration
                                    file.

                                 o  Value specified in the Kerberos data  base
                                    for  the  server principal. In the case of
                                    kinit, it is krbtgt/realm name.

                                 o  Value specified in the  Kerberos  database
                                    for the user principal.



       -p                      Requests proxiable tickets.



       -P                      Not proxiable. Does not request proxiable tick-
                               ets.

                               A proxiable ticket is a ticket that allows  you
                               to get a ticket for a service with IP addresses
                               other than the  ones  in  the  Ticket  Granting
                               Ticket. This option allows a user to explicitly
                               obtain a non-proxiable ticket.



       -r renewable_life       Requests renewable tickets, with a total  life-
                               time  of  renewable_life.  See the Time Formats
                               section for the  valid  time  duration  formats
                               that  you  can  specify for renewable_life. See
                               kdc.conf(4) and kadmin(1M) (for  getprinc  com-
                               mand  to  verify  the  lifetime  values for the
                               server principal).

                               The renewable lifetime of the tickets  returned
                               will be the minimum of the following:


                                 o  Value specified in the command line.

                                 o  Value  specified  in the KDC configuration
                                    file.

                                 o  Value specified in the Kerberos data  base
                                    for  the  server principal. In the case of
                                    kinit, it is krbtgt/realm name.

                                 o  Value specified in the  Kerberos  database
                                    for the user principal.



       -R                      Requests renewal of the ticket-granting ticket.
                               Notice  that  an  expired  ticket   cannot   be
                               renewed, even if the ticket is still within its
                               renewable life.



       -s start_time           Requests a postdated ticket, valid starting  at
                               start_time.  Postdated  tickets are issued with
                               the invalid flag set, and need to be  fed  back
                               to  the  KDC  before  use. See the Time Formats
                               section for either the valid absolute  time  or
                               time  duration formats that you can specify for
                               start_time. kinit attempts to match an absolute
                               time  first before trying to match a time dura-
                               tion.



       -S service_name         Specifies an alternate service name to use when
                               getting initial tickets.



       -v                      Requests that the ticket granting ticket in the
                               cache (with the invalid flag set) be passed  to
                               the KDC for validation. If the ticket is within
                               its requested time range, the cache is replaced
                               with the validated ticket.



       -V                      Verbose output. Displays further information to
                               the user, such as confirmation  of  authentica-
                               tion and version.



   Time Formats
       The  following  absolute time formats can be used for the -s start_time
       option. The examples are based on the date and time of  July  2,  1999,
       1:35:30 p.m.


       Absolute Time Format            Example
       ------------------------------------------------------
       yymmddhhmm[ss]                  990702133530
       hhmm[ss]                        133530
       yy.mm.dd.hh.mm.ss               99:07:02:13:35:30
       hh:mm[:ss]                      13:35:30
       ldate:ltime                     07-07-99:13:35:30
       dd-month-yyyy:hh:mm[:ss]        02-july-1999:13:35:30



       Variable        Description
       ------------------------------------------------------
       dd              day
       hh              hour (24-hour clock)
       mm              minutes
       ss              seconds
       yy              year within century (0-68 is 2000 to 2068;
                       69-99 is 1969 to 1999)
       yyyy            year including century
       month           locale's full or abbreviated month name
       ldate           locale's appropriate date representation
       ltime           locale's appropriate time representation


       The following time duration formats can be used for the -l lifetime, -r
       renewable_life,  and  -s  start_time options. The examples are based on
       the time duration of 14 days, 7 hours, 5 minutes, and 30 seconds.


       Time Duration Format            Example
       ------------------------------------------------------
       #d                              14d
       #h                              7h
       #m                              5m
       #s                              30s
       #d#h#m#s                        14d7h5m30s
       #h#m[#s]                        7h5m30s
       days-hh:mm:ss                   14-07:05:30
       hours:mm[:ss]                   7:05:30



       Delimiter       Description
       ------------------------------------------------------
       d               number of days
       h               number of hours
       m               number of minutes
       s               number of seconds



       Variable        Description
       ------------------------------------------------------
       #               number
       days            number of days
       hours           number of hours
       hh              hour (24-hour clock)
       mm              minutes
       ss              seconds
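
       The time duration formats above, combined with the "minimum of the
       following" rule given under -l and -r, as an added Python example
       (not part of the original manual page or of kinit itself). The
       function names, the range checks on hh, mm and ss, and the acceptance
       of any ordered subset of the d/h/m/s suffixes are assumptions of this
       example; the limits in the last call are constructed.

```python
import re

# Unit-suffixed forms from the table: #d, #h, #m, #s, #d#h#m#s, #h#m[#s].
# Assumption: any ordered subset of d/h/m/s is accepted.
_UNITS = re.compile(r"^(?:(\d+)d)?(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?$", re.ASCII)
_DAYS = re.compile(r"^(\d+)-(\d{2}):(\d{2}):(\d{2})$", re.ASCII)   # days-hh:mm:ss
_HOURS = re.compile(r"^(\d+):(\d{2})(?::(\d{2}))?$", re.ASCII)     # hours:mm[:ss]


def parse_duration(text):
    """Convert one of the documented time duration formats to seconds."""
    text = text.strip()
    m = _UNITS.match(text)
    if m and any(g is not None for g in m.groups()):
        d, h, mi, s = (int(g or 0) for g in m.groups())
        return ((d * 24 + h) * 60 + mi) * 60 + s
    m = _DAYS.match(text)
    if m:
        d, h, mi, s = (int(g) for g in m.groups())
        # Assumption: hh is a 24-hour clock value, mm and ss are below 60.
        if h > 23 or mi > 59 or s > 59:
            raise ValueError("field out of range in %r" % text)
        return ((d * 24 + h) * 60 + mi) * 60 + s
    m = _HOURS.match(text)
    if m:
        h, mi, s = (int(g or 0) for g in m.groups())
        if mi > 59 or s > 59:
            raise ValueError("field out of range in %r" % text)
        return (h * 60 + mi) * 60 + s
    raise ValueError("not a documented time duration format: %r" % text)


def effective_lifetime(requested, kdc_conf, krbtgt_principal, user_principal):
    """Minimum of the four values listed under -l and -r, in seconds."""
    limits = (requested, kdc_conf, krbtgt_principal, user_principal)
    return min(parse_duration(v) for v in limits)


if __name__ == "__main__":
    # Every example from the Time Duration Format table.
    for sample in ("14d", "7h", "5m", "30s", "14d7h5m30s", "7h5m30s",
                   "14-07:05:30", "7:05:30"):
        print("%-12s %8d s" % (sample, parse_duration(sample)))
    # Constructed limits: a 14d request is cut down to the 8-hour user limit.
    print(effective_lifetime("14d", "10h", "1d", "8:00:00"))
```
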


ENVIRONMENT VARIABLES
       kinit uses the following environment variable:

       KRB5CCNAME              Location of the credentials (ticket) cache. See
                               krb5envvar(5) for syntax and details.



FILES
       /tmp/krb5cc_uid         Default credentials cache (uid is  the  decimal
                               UID of the user).



       /etc/krb5/krb5.keytab   Default  location  for  the local host's keytab
                               file.



       /etc/krb5/krb5.conf     Default location for the local host's  configu-
                               ration file. See krb5.conf(4).



ATTRIBUTES
       See attributes(5) for descriptions of the following attributes:


       ATTRIBUTE TYPE                  ATTRIBUTE VALUE
       ------------------------------------------------------
       Availability                    SUNWkrbu
       Interface Stability             See below.


       The command arguments are Evolving. The command output is Unstable.

SEE ALSO
       kdestroy(1),   klist(1),   kadmin(1M),   ktkt_warnd(1M),   kdc.conf(4),
       krb5.conf(4), attributes(5), krb5envvar(5), pam_krb5(5), SEAM(5)

AUTHORS
       Steve Miller, MIT Project Athena/Digital Equipment  Corporation;  Clif-
       ford Neuman, MIT Project Athena

NOTES
       On  success,  kinit  notifies ktkt_warnd(1M) to alert the user when the
       initial credentials (ticket-granting ticket) are about to expire.



SunOS 5.10                        30 Apr 2004                         kinit(1)