kinit is used to authenticate to the Kerberos server as principal, or if none is given, a system generated default (typically your login name at the default realm), and acquire a ticket granting ticket that can later be used to obtain tickets for other services.
If you have compiled kinit with Kerberos 4 support and you have a Kerberos 4 server, kinit will detect this and get you Kerberos 4 tickets.
Supported options:
-c cachename, --cache=cachename
The credentials cache to put the acquired ticket in, if other than default.
-f, --forwardable
Get a ticket that can be forwarded to another host.
-t keytabname, --keytab=keytabname
Don't ask for a password, but instead get the key from the specified keytab.
-l time, --lifetime=time
Specifies the lifetime of the ticket. The argument can either be in seconds, or a more human readable string like '1h'.
-p, --proxiable
Request tickets with the proxiable flag set.
-R, --renew
Try to renew ticket. The ticket must have the 'renewable' flag set, and must not be expired.
--renewable
The same as --renewable-life, with an infinite time.
-r time, --renewable-life=time
The max renewable ticket life.
-S principal, --server=principal
Get a ticket for a service other than krbtgt/LOCAL.REALM.
-s time, --start-time=time
Obtain a ticket that becomes valid time seconds into the future (time can really be a generic time specification, like '1h').
-k, --use-keytab
The same as --keytab, but with the default keytab name (normally FILE:/etc/krb5.keytab).
-v, --validate
Try to validate an invalid ticket.
-e, --enctypes=enctypes
Request tickets with this particular enctype.
--password-file=filename
Read the password from the first line of filename. If the filename is STDIN, the password will be read from the standard input.
--fcache-version=version-number
Create a credentials cache of version version-number.
-a, --extra-addresses=enctypes
Adds a set of addresses that will, in addition to the system's local addresses, be put in the ticket. This can be useful if all addresses a client can use can't be automatically figured out. One such example is if the client is behind a firewall. Also settable via libdefaults/extra_addresses in krb5.conf(5).
-A, --no-addresses
Request a ticket with no addresses.
--anonymous
Request an anonymous ticket (which means that the ticket will be issued to an anonymous principal, typically “anonymous@REALM”).
The following options are only available if kinit has been compiled with support for Kerberos 4.
-4, --524init
Try to convert the obtained Kerberos 5 krbtgt to a version 4 compatible ticket. It will store this ticket in the default Kerberos 4 ticket file.
-9, --524convert
Only convert the ticket to version 4.
--afslog
Gets AFS tickets, converts them to version 4 format, and stores them in the kernel. Only useful if you have AFS.
The forwardable, proxiable, ticket_life, and renewable_life options can be set to a default value from the appdefaults section in krb5.conf, see krb5_appdefault(3).
If a command is given, kinit will set up new credentials caches, and AFS PAG, and then run the given command. When it finishes, the credentials will be removed.
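As an added example (not part of kinit or its documentation), the wrapper below combines --keytab, --lifetime and the command form described above so that a job runs with a short-lived ticket whose credentials are removed afterwards. The function names, the DRY_RUN variable and the one-hour cap are assumptions of this sketch.

```sh
#!/bin/sh
# Added example, not part of kinit. Function names, DRY_RUN and the one-hour
# cap are assumptions of this sketch; the kinit options come from the page.
MAX_LIFETIME=3600   # policy cap in seconds (assumption)

# Convert "90", "10m" or "1h" to seconds; fail on anything else.
lifetime_seconds() {
    n=${1%[mh]}
    case "$n" in ''|0*|*[!0-9]*) return 1 ;; esac
    case "$1" in
        *h) echo $((n * 3600)) ;;
        *m) echo $((n * 60)) ;;
        *)  echo "$n" ;;
    esac
}

# Succeed only for a regular, non-symlink file with no group/other mode bits.
keytab_is_private() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    mode=$(ls -ld -- "$1") || return 1
    case "$mode" in
        -???------*) return 0 ;;
        *) return 1 ;;
    esac
}

# usage: run_with_ticket KEYTAB PRINCIPAL LIFETIME COMMAND [ARG...]
# Builds "kinit --keytab=... --lifetime=... PRINCIPAL COMMAND", so kinit runs
# COMMAND with new credentials caches and removes the credentials afterwards.
run_with_ticket() {
    [ $# -ge 4 ] || { echo "usage: run_with_ticket KEYTAB PRINCIPAL LIFETIME COMMAND..." >&2; return 2; }
    keytab=$1 principal=$2 life=$3
    shift 3
    secs=$(lifetime_seconds "$life") || { echo "bad lifetime: $life" >&2; return 2; }
    [ "$secs" -le "$MAX_LIFETIME" ] || { echo "lifetime over cap: $life" >&2; return 2; }
    keytab_is_private "$keytab" ||
        { echo "keytab missing or readable by group/other: $keytab" >&2; return 3; }
    # Lifetime is passed in plain seconds, a form the page says kinit accepts.
    set -- kinit --keytab="$keytab" --lifetime="$secs" "$principal" "$@"
    if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}
```

With DRY_RUN set, the function prints the kinit command line instead of running it. Because forwardable and proxiable can take defaults from the appdefaults section in krb5.conf, check that section when the ticket must carry neither flag.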