kinit(1)
NAME
kinit - Obtains and caches initial ticket granting tickets (TGTs) and
service tickets
SYNOPSIS
/krb5/bin/kinit [-c cachename] [-D] [-d starttime] [-e etype] [-k [-t
keytable]] [-f] [-n] [-p] [-l lifetime] [-r renewtime] [-v version]
[principal]
/krb5/bin/kinit -S service [-c cachename] [-d starttime] [-f] [-p] [-l
lifetime] [-r renewtime]
/krb5/bin/kinit -R [-c cachename]
/krb5/bin/kinit -V [-c cachename]
OPTIONS
-c cachename
    Specifies the location of the Kerberos credentials cache file other
    than the default, which is /krb5/tmp/cc/krb5cc_uid (where uid
    represents your user identification retrieved from the password
    file), unless the CSFC5CCNAME environment variable is set to an
    alternate pathname.

-D
    Creates a postdatable TGT.

-d starttime
    Creates a postdated ticket and specifies the amount of time before
    the ticket can be validated.

    The syntax of starttime is [#w][#d][#h][#m][#s], where w = weeks,
    d = days, h = hours, m = minutes, and s = seconds. No spaces are
    allowed unless the expression is enclosed in quotation marks, and
    when spaces are used, numbers must still be adjacent to their
    applicable letters. For example, "1w 2d 3h 4m 5s" is acceptable,
    whereas "1 w 2 h" produces an error.

    By default, a starttime is in hours. If the requested time period
    is less than the server's clock skew value (typically five
    minutes), the ticket's start time is set to the current time and it
    is issued as if the -d option had not been specified.

-e etype
    Specifies the encryption type for the credentials. Valid uses for
    etype are the following:

    For DES-CBC-CRC, enter one of the following: DES-CRC or 1
    For DES-CBC-MD5, enter one of the following: DES or DES-MD5 or 3
    For DES3-CBC-MD5, enter one of the following: DES3 or DES3-MD5 or 5

    By default, type 5 (DES3-CBC-MD5) encryption is used if the
    principal has a DES3 key in the security server principal database.
    Otherwise, type 3 (DES-CBC-MD5) encryption is used.

    The -e option is mutually exclusive with the -k and -t options.

-f
    Creates a forwardable TGT.

-k
    Uses the service key table file to obtain the ticket rather than a
    user-supplied password. Use this option to check the contents of
    the default service key table file called v5srvtab. If you are
    using a service key table file other than the default, use the -t
    option to identify the name of the service key table file.

    You must be logged on as root to use this option, because the
    v5srvtab file is accessible only to root. Also, the -k option is
    mutually exclusive with the -e option.

-l lifetime
    Requests a ticket with a specified lifetime. You must specify a
    lifetime, up to the maximum lifetime set for the principal account
    in the principal database; otherwise, the ticket lifetime is set to
    the default of 8 hours.

    The syntax of lifetime is [#w][#d][#h][#m][#s], where w = weeks,
    d = days, h = hours, m = minutes, and s = seconds. No spaces are
    allowed unless the expression is enclosed in quotation marks, and
    when spaces are used, numbers must be adjacent to their applicable
    letters. For example, "1w 2d 3h 4m 5s" is acceptable, whereas
    "1 w 2 d 3 h 4 m 5 s" will produce an error.

    By default, a lifetime is in hours.

-n
    Skips preauthentication when obtaining the ticket. By default,
    kinit uses preauthentication.

-p
    Creates a proxiable ticket.

-R
    Renews all renewable tickets in the specified credentials cache.
    After a ticket is renewed, its start time is set to the current
    time and its end time becomes either the sum of the current time
    plus the end time, or the renew time, whichever is less. The end
    time, authentication time, and renew time are not changed on the
    tickets.

    Renewing tickets removes all expired tickets from the credentials
    cache. You must renew tickets before they expire. You cannot renew
    some tickets and not others.

    This option is valid only by itself or with the -c option; no
    password is required.

-r renewtime
    Creates a renewable ticket with a specified renew time. The syntax
    of renewtime is [#w][#d][#h][#m][#s], where w = weeks, d = days,
    h = hours, m = minutes, and s = seconds. No spaces are allowed
    unless the expression is enclosed in quotation marks, and when
    spaces are used, numbers must be adjacent to their applicable
    letters. For example, "1w 2d 3h 4m 5s" is acceptable, whereas
    "1 w 2 d 3 h 4 m 5 s" will produce an error.

    By default, a renewtime is in hours.

-S service
    Requests a ticket for a specified service. A valid TGT must exist
    in the user's credentials cache file prior to using this option or
    the command will fail. You must specify a service principal name,
    where service is that name.

    For example, the following command obtains a service ticket for
    the host/server1.company.com principal in the COMPANY.COM realm:

    # kinit -S host/server1.company.com@COMPANY.COM

    To obtain a service ticket for the local host principal, enter:

    # kinit -S host

    Use this command to verify that the host principal for a user's
    computer can authenticate as required.

-t keytable
    Specifies a service key table file other than the default, which is
    /krb5/v5srvtab.

    You can only use the -t option with the -k option.

    The -k and -t options are mutually exclusive with the -e option.

-V
    Validates the tickets in the credentials cache. Validation succeeds
    if the current time is later than the ticket's valid starting time
    and before the ticket's expiration time. Using this option removes
    all expired tickets from the credentials cache.

    This option is valid only by itself or with the -c option; no
    password is required.

    Validating postdated tickets makes them active; services do not
    accept unvalidated postdated tickets.

-v version
    Specifies the Kerberos credentials cache version. The range of
    valid values is 1 through 4. The default value is 2.

principal
    Specifies the name of the principal for which you want to obtain an
    initial ticket (TGT).
DESCRIPTION
The kinit command:
    * Obtains and caches an initial ticket (TGT).
    * Acquires service tickets.
    * Renews tickets that are renewable.
    * Validates postdated tickets.
RESTRICTIONS
Due to clock skew (the difference allowed between the clock time of the
client and server), the ticket start and end times might not appear
exactly as specified. The clock skew is five minutes, so a ticket start
time might be five minutes before or after the time you specified.
Tickets with remaining lifetimes that are less than the clock skew
might give unexpected results.
If you request a postdated ticket and the ticket start time is within
the clock skew, the ticket start time is the current time and the
ticket is valid immediately.
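
The time syntax used by -d, -l and -r, the clock-skew rule for postdated tickets, and the -V validity window, as an added Python example (not part of the original manual page or of kinit itself). It assumes the bracket notation means fixed w-d-h-m-s order with each unit at most once and that a bare number is hours; parse_duration, effective_start and can_validate are illustrative names.

```python
import re

CLOCK_SKEW = 5 * 60  # seconds; five minutes, the value this page gives
HOUR = 3600

# Assumption: [#w][#d][#h][#m][#s] means fixed order, each unit at most once.
# A digit run must touch its unit letter; whitespace may separate terms.
_SPEC = re.compile(
    r"(?:([0-9]+)w)?\s*(?:([0-9]+)d)?\s*(?:([0-9]+)h)?\s*"
    r"(?:([0-9]+)m)?\s*(?:([0-9]+)s)?"
)
_WEIGHTS = (604800, 86400, HOUR, 60, 1)  # w, d, h, m, s in seconds


def parse_duration(text):
    """Convert a starttime/lifetime/renewtime string to seconds."""
    text = text.strip()
    if re.fullmatch(r"[0-9]+", text):
        return int(text) * HOUR  # assumption: a bare number is hours
    match = _SPEC.fullmatch(text)
    if not match or not any(match.groups()):
        raise ValueError(f"invalid time specification: {text!r}")
    return sum(int(n) * w for n, w in zip(match.groups(), _WEIGHTS) if n)


def effective_start(now, starttime, skew=CLOCK_SKEW):
    """Return (start, postdated) for a -d request made at epoch `now`."""
    delay = parse_duration(starttime)
    if delay < skew:
        return now, False  # issued as if -d had not been specified
    return now + delay, True


def can_validate(now, start, end):
    """-V succeeds only after the start time and before the expiry."""
    return start < now < end


if __name__ == "__main__":
    for spec in ("1w 2d 3h 4m 5s", "45h30m", "2", "1 w 2 h"):  # constructed
        try:
            print(f"{spec!r:18} -> {parse_duration(spec)} s")
        except ValueError as err:
            print(f"{spec!r:18} -> {err}")
    print(effective_start(1000, "4m"), effective_start(1000, "1h"))
```
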
EXAMPLES
To obtain a forwardable ticket for the principal mary/admin in the
default domain COMPANY.COM that is postdated to start 1 hour from now
and has a lifetime of 15 minutes, enter:
    # kinit -d 1h -l 15m -f mary/admin@COMPANY.COM
To validate the ticket after the start time has passed and before it
expires, enter:
    # kinit -V
To obtain a ticket with a lifetime of 45 hours and 30 minutes, enter:
    # kinit -l 45h30m
ENVIRONMENT VARIABLES
CSFC5CCNAME
Controls the credentials cache.
FILES
/krb5/tmp/cc/krb5cc_uid
Default Kerberos credentials cache file.
v5srvtab
Default service key table file.
SEE ALSO
Commands: kdestroy(1), klist(1), ktutil(1)