kinit(1) User Commands kinit(1)
NAME
kinit - obtain and cache Kerberos ticket-granting ticket
SYNOPSIS
/usr/bin/kinit [-ARvV] [-p | -P] [-f | -F] [-a] [-c cache_name]
[-k [-t keytab_file]] [-l lifetime]
[-r renewable_life] [-s start_time] [-S service_name]
[principal]
DESCRIPTION
The kinit command is used to obtain and cache an initial ticket-grant‐
ing ticket (credential) for principal. This ticket is used for authen‐
tication by the Kerberos system. Notice that only users with Kerberos
principals can use the Kerberos system. For information about Kerberos
principals, see kerberos(5).
When you use kinit without options, the utility prompts for your prin‐
cipal and Kerberos password, and tries to authenticate your login with
the local Kerberos server. The principal can be specified on the com‐
mand line if desired.
If Kerberos authenticates the login attempt, kinit retrieves your ini‐
tial ticket-granting ticket and puts it in the ticket cache. By default
your ticket will be stored in the file /tmp/krb5cc_uid, where uid spec‐
ifies your user identification number. Tickets expire after a specified
lifetime, after which kinit must be run again. Any existing contents of
the cache are destroyed by kinit.
Values specified in the command line override the values specified in
the Kerberos configuration file for lifetime and renewable_life.
The kdestroy(1) command may be used to destroy any active tickets
before you end your login session.
OPTIONS
The following options are supported:
-a Requests tickets with the local addresses.
-A Requests address-less tickets.
-c cache_name Uses cache_name as the credentials (ticket)
cache name and location. If this option is not
used, the default cache name and location are
used.
-f Requests forwardable tickets.
-F Not forwardable. Does not request forwardable
tickets.
Tickets that have been acquired on one host can‐
not normally be used on another host. A client
can request that the ticket be marked forward‐
able. Once the TKT_FLG_FORWARDABLE flag is set
on a ticket, the user can use this ticket to
request a new ticket, but with a different IP
address. Thus, users can use their current cre‐
dentials to get credentials valid on another
machine. This option allows a user to explicitly
obtain a non-forwardable ticket.
-k [-t keytab_file] Requests a host ticket, obtained from a key in
the local host's keytab file. The name and loca‐
tion of the keytab file may be specified with
the -t keytab_file option. Otherwise, the
default name and location will be used.
-l lifetime Requests a ticket with the lifetime lifetime. If
the -l option is not specified, the default
ticket lifetime (configured by each site) is
used. Specifying a ticket lifetime longer than
the maximum ticket lifetime (configured by each
site) results in a ticket with the maximum life‐
time. See the Time Formats section for the valid
time duration formats that you can specify for
lifetime. See kdc.conf(4) and kadmin(1M) (use the
getprinc command to verify the lifetime values
for the server principal).
The lifetime of the tickets returned will be the
minimum of the following:
o Value specified in the command line.
o Value specified in the KDC configuration file.
o Value specified in the Kerberos database for the server
principal. In the case of kinit, it is krbtgt/realm name.
o Value specified in the Kerberos database for the user
principal.
-p Requests proxiable tickets.
-P Not proxiable. Does not request proxiable tick‐
ets.
A proxiable ticket is a ticket that allows you
to get a ticket for a service with IP addresses
other than the ones in the Ticket Granting
Ticket. This option allows a user to explicitly
obtain a non-proxiable ticket.
-r renewable_life Requests renewable tickets, with a total life‐
time of renewable_life. See the Time Formats
section for the valid time duration formats that
you can specify for renewable_life. See
kdc.conf(4) and kadmin(1M) (use the getprinc command
to verify the lifetime values for the server
principal).
The renewable lifetime of the tickets returned
will be the minimum of the following:
o Value specified in the command line.
o Value specified in the KDC configuration file.
o Value specified in the Kerberos database for the server
principal. In the case of kinit, it is krbtgt/realm name.
o Value specified in the Kerberos database for the user
principal.
-R Requests renewal of the ticket-granting ticket.
Notice that an expired ticket cannot be renewed,
even if the ticket is still within its renewable
life.
-s start_time Requests a postdated ticket, valid starting at
start_time. Postdated tickets are issued with
the invalid flag set, and need to be fed back to
the KDC before use. See the Time Formats section
for either the valid absolute time or time dura‐
tion formats that you can specify for
start_time. kinit attempts to match an absolute
time first before trying to match a time dura‐
tion.
-S service_name Specifies an alternate service name to use when
getting initial tickets.
-v Requests that the ticket granting ticket in the
cache (with the invalid flag set) be passed to
the KDC for validation. If the ticket is within
its requested time range, the cache is replaced
with the validated ticket.
-V Verbose output. Displays further information to
the user, such as confirmation of authentication
and version.
Time Formats
The following absolute time formats can be used for the -s start_time
option. The examples are based on the date and time of July 2, 1999,
1:35:30 p.m.
┌────────────────────────────┬────────────────────────┐
│ Absolute Time Format       │ Example                │
├────────────────────────────┼────────────────────────┤
│ yymmddhhmm[ss]             │ 990702133530           │
│ hhmm[ss]                   │ 133530                 │
│ yy.mm.dd.hh.mm.ss          │ 99:07:02:13:35:30      │
│ hh:mm[:ss]                 │ 13:35:30               │
│ ldate:ltime                │ 07-07-99:13:35:30      │
│ dd-month-yyyy:hh:mm[:ss]   │ 02-july-1999:13:35:30  │
└────────────────────────────┴────────────────────────┘
Variable    Description
dd          day
hh          hour (24-hour clock)
mm          minutes
ss          seconds
yy          year within century (0-68 is 2000 to 2068; 69-99 is 1969 to 1999)
yyyy        year including century
month       locale's full or abbreviated month name
ldate       locale's appropriate date representation
ltime       locale's appropriate time representation
The following time duration formats can be used for the -l lifetime, -r
renewable_life, and -s start_time options. The examples are based on
the time duration of 14 days, 7 hours, 5 minutes, and 30 seconds.
┌────────────────────────────┬────────────────────────┐
│ Time Duration Format       │ Example                │
├────────────────────────────┼────────────────────────┤
│ #d                         │ 14d                    │
│ #h                         │ 7h                     │
│ #m                         │ 5m                     │
│ #s                         │ 30s                    │
│ #d#h#m#s                   │ 14d7h5m30s             │
│ #h#m[#s]                   │ 7h5m30s                │
│ days-hh:mm:ss              │ 14-07:05:30            │
│ hours:mm[:ss]              │ 7:05:30                │
└────────────────────────────┴────────────────────────┘
Delimiter   Description
d           number of days
h           number of hours
m           number of minutes
s           number of seconds
Variable    Description
#           number
days        number of days
hours       number of hours
hh          hour (24-hour clock)
mm          minutes
ss          seconds
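The time duration formats above, combined with the minimum rule described under -l and -r, worked through in Python. This is an added example, not part of the original manual page or of kinit itself. The function names, the rejection of out-of-range clock fields, and the sample limit values are assumptions of this example.

```python
import re

# Patterns for the rows of the Time Duration Format table.
UNITS = re.compile(r"(?:(\d+)d)?(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?")  # #d#h#m#s and subsets
DAYS_CLOCK = re.compile(r"(\d+)-(\d+):(\d+):(\d+)")                  # days-hh:mm:ss
HOURS_CLOCK = re.compile(r"(\d+):(\d+)(?::(\d+))?")                  # hours:mm[:ss]


def parse_duration(text):
    """Convert a duration written in one of the listed formats to seconds."""
    text = text.strip()
    m = UNITS.fullmatch(text)
    if text and m:  # the empty string matches UNITS, so require some input
        d, h, mi, s = (int(g or 0) for g in m.groups())
    elif m := DAYS_CLOCK.fullmatch(text):
        d, h, mi, s = (int(g) for g in m.groups())
        if h > 23:  # hh is a 24-hour clock field in this form
            raise ValueError(f"hour out of range: {text!r}")
    elif m := HOURS_CLOCK.fullmatch(text):
        d = 0
        h, mi, s = (int(g or 0) for g in m.groups())
    else:
        raise ValueError(f"not a listed time duration format: {text!r}")
    # Assumption of this example: in the colon forms, mm and ss must be 0-59.
    if ":" in text and (mi > 59 or s > 59):
        raise ValueError(f"minutes or seconds out of range: {text!r}")
    return d * 86400 + h * 3600 + mi * 60 + s


def effective_lifetime(command_line, kdc_conf, server_principal, user_principal):
    """Return (binding limit, seconds): the minimum of the four values under -l / -r."""
    limits = {
        "command line": command_line,
        "KDC configuration file": kdc_conf,
        "server principal (krbtgt)": server_principal,
        "user principal": user_principal,
    }
    seconds = {name: parse_duration(value) for name, value in limits.items()}
    winner = min(seconds, key=seconds.get)
    return winner, seconds[winner]


if __name__ == "__main__":
    # Constructed values; a site's real limits come from kdc.conf(4) and getprinc.
    print(effective_lifetime("14d7h5m30s", "1-00:00:00", "10h", "8:00"))
```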
ENVIRONMENT VARIABLES
kinit uses the following environment variable:
KRB5CCNAME Location of the credentials (ticket) cache. See
krb5envvar(5) for syntax and details.
FILES
/tmp/krb5cc_uid Default credentials cache (uid is the decimal
UID of the user).
/etc/krb5/krb5.keytab Default location for the local host's keytab
file.
/etc/krb5/krb5.conf Default location for the local host's configu‐
ration file. See krb5.conf(4).
ATTRIBUTES
See attributes(5) for descriptions of the following attributes:
┌─────────────────────────────┬─────────────────────────────┐
│ ATTRIBUTE TYPE │ ATTRIBUTE VALUE │
├─────────────────────────────┼─────────────────────────────┤
│Availability │SUNWkrbu │
├─────────────────────────────┼─────────────────────────────┤
│Interface Stability │See below. │
└─────────────────────────────┴─────────────────────────────┘
The command arguments are Evolving. The command output is Unstable.
SEE ALSO
kdestroy(1), klist(1), kadmin(1M), ktkt_warnd(1M), kdc.conf(4),
krb5.conf(4), attributes(5), kerberos(5), krb5envvar(5), pam_krb5(5)
NOTES
On success, kinit notifies ktkt_warnd(1M) to alert the user when the
initial credentials (ticket-granting ticket) are about to expire.
SunOS 5.10 16 Nov 2006 kinit(1)