*nix Documentation Project
·  Home
 +   man pages
·  Linux HOWTOs
·  FreeBSD Tips
·  *niX Forums

  man pages->Tru64 Unix man pages -> kinit (1)              
Title
Content
Arch
Section
 

kinit(1)

Contents


NAME    [Toc]    [Back]

       kinit - Obtains and caches initial ticket granting tickets
       (TGTs) and service tickets

SYNOPSIS    [Toc]    [Back]

       /krb5/bin/kinit [-c cachename]  [-D]  [-d  starttime]  [-e
       etype]  [-k  [-t   keytable]] [-f] [-n] [-p] [-l lifetime]
       [-r renewtime] [-v version] [principal]

       /krb5/bin/kinit -S service  [-c cachename] [-d  starttime]
       [-f] [-p] [-l lifetime] [-r renewtime]

       /krb5/bin/kinit -R  [-c cachename]

       /krb5/bin/kinit -V  [-c cachename]

OPTIONS    [Toc]    [Back]

       Specifies  the  location of the Kerberos credentials cache
       file other than the default, which is /krb5/tmp/cc/krb5cc_
       uid   (where   uid  represents  your  user  identification
       retrieved from the password file), unless the  CSFC5CCNAME
       environment  variable  is  set  to  an alternate pathname.
       Creates a postdatable TGT.  Creates a postdated ticket and
       specifies the amount of time before the ticket can be validated.


              The syntax of  starttime  is  [#w][#d][#h][#m][#s],
              where  w = weeks, d = days, h = hours, m = minutes,
              and s = seconds.  No spaces are allowed unless  the
              expression is enclosed in quotation marks, and when
              spaces are used, numbers must still be adjacent  to
              their applicable letters. For example, "1w 2d 3h 4m
              5s" is acceptable, whereas "1 w 2  h"  produces  an
              error.

              By  default,  a  starttime  is  in  hours.   If the
              requested time period is  less  than  the  server's
              clock  skew  value  (typically  five  minutes), the
              ticket's start time is set to the current time  and
              it is issued as if the -d option had not been specified.
  Specifies the encryption type for the  credentials.
  Valid  uses for etype are the following:
              For DES-CBC-CRC, enter one of the following:

              DES-CRC or 1 For DES-CBC-MD5, enter one of the following:


              DES  or DES-MD5 or 3 For DES3-CBC-MD5, enter one of
              the following:

              DES3 or DES3-MD5 or 5

              By default, type  5  (DES3-CBC-MD5)  encryption  is
              used  if  the principal has a DES3 key in the security
 server principal database. Otherwise,  type  3
              (DES-CBC-MD5) encryption is used.

              The -e option is mutually exclusive with the -k and
              -t options.  Creates a forwardable TGT.   Uses  the
              service  key table file to obtain the ticket rather
              than a user-supplied password. Use this  option  to
              check the contents of the default service key table
              file called v5srvtab.  If you are using  a  service
              key  table  file other than the default, use the -t
              option to identify the  name  of  the  service  key
              table file.

              You  must  be logged on as root to use this option,
              because the v5srvtab file  is  accessible  only  to
              root.  Also,  the  -k  option is mutually exclusive
              with the -e option.  Requests a ticket with a specified
  lifetime. You must specify a lifetime, up to
              the maximum lifetime set for the principal  account
              in  the  principal  database; otherwise, the ticket
              lifetime is set to the default of 8 hours.

              The syntax  of  lifetime  is  [#w][#d][#h][#m][#s],
              where  w = weeks, d = days, h = hours, m = minutes,
              and s = seconds. No spaces are allowed  unless  the
              expression is enclosed in quotation marks, and when
              spaces are used, numbers must be adjacent to  their
              applicable  letters.  For example, "1w 2d 3h 4m 5s"
              is acceptable, whereas "1 w 2 d 3 h 4 m 5  s"  will
              produce an error.

              By  default,  a lifetime is in hours.  Skips preauthentication
 when obtaining the ticket. By default,
              kinit  uses preauthentication.  Creates a proxiable
              ticket.  Renews all renewable tickets in the specified
  credentials cache. After a ticket is renewed,
              its start time is set to the current time  and  its
              end time becomes either the sum of the current time
              plus the end time, or the renew time, whichever  is
              less.  The end time, authentication time, and renew
              time are not changed on the tickets.

              Renewing tickets removes all expired  tickets  from
              the  credentials  cache.   You  must  renew tickets
              before they expire.  You cannot renew some  tickets
              and not others.

              This  option is valid only by itself or with the -c
              option; no password is required.  Creates a  renewable
 ticket with a specified renew time. The syntax
              of renewtime is  [#w][#d][#h][#m][#s],  where  w  =
              weeks,  d  =  days, h = hours, m = minutes, and s =
              seconds. No spaces are allowed unless  the  expression
  is  enclosed  in  quotation  marks,  and when
              spaces are used, numbers must be adjacent to  their
              applicable  letters.  For example, "1w 2d 3h 4m 5s"
              is acceptable, whereas "1 w 2 d 3 h 4 m 5  s"  will
              produce an error.

              By  default,  a  renewtime is in hours.  Requests a
              ticket for a specified service. A  valid  TGT  must
              exist in the user's credentials cache file prior to
              using this option or the  command  will  fail.  You
              must  specify  a service principal name, where service
 is that name.

              For example, the following command obtains  a  service
  ticket for the host/server1.company.com principal
 in the COMPANY.COM realm:

              # kinit -S host/server1.company.com@COMPANY.COM

              To obtain a  service  ticket  for  the  local  host
              principal, enter:

              # kinit -S host

              Use  this command to verify that the host principal
              for a user's computer can authenticate as required.
              Specifies  a  service key table file other than the
              default, which is /krb5/v5srvtab.

              You can only use the -t option with the -k  option.

              The  -k  and -t options are mutually exclusive with
              the -e option.  Validates the tickets in  the  credentials
  cache. Validation succeeds if the current
              time is later than the ticket's valid starting time
              and before the ticket's expiration time. Using this
              option removes all expired tickets from the credentials
 cache.

              This  option is valid only by itself or with the -c
              option; no password is required.

              Validating postdated  tickets  makes  them  active;
              services  do not accept unvalidated postdated tickets.
  Specifies the Kerberos credentials cache version.
 The range of valid values is 1 through 4. The
              default value is 2.   Specifies  the  name  of  the
              principal  for  which you want to obtain an initial
              ticket (TGT).

DESCRIPTION    [Toc]    [Back]

       The kinit command: Obtains and caches  an  initial  ticket
       (TGT).  Acquires service tickets.  Renews tickets that are
       renewable.  Validates postdated tickets.

RESTRICTIONS    [Toc]    [Back]

       Due to clock skew  (the  difference  allowed  between  the
       clock time of the client and server), the ticket start and
       end times might not appear exactly as specified. The clock
       skew is five minutes, so a ticket start time might be five
       minutes before or after the time you specified.

       Tickets with remaining lifetimes that are  less  than  the
       clock skew might give unexpected results.

       If  you  request  a  postdated ticket and the ticket start
       time is within the clock skew, the ticket  start  time  is
       the current time and the ticket is valid immediately.

EXAMPLES    [Toc]    [Back]

       To obtain a ticket postdated to start 1 hour from now, has
       a lifetime of 15 minutes, that is forwardable, and is  for
       the  principal  mary/admin  in  the  default  domain  COMPANY.COM,
 enter:

              # kinit -d 1h -l 15m -f  mary/admin@COMPANY.COM  To
              validate the ticket after the start time has passed
              and before it expires, enter:

              # kinit -V To obtain a ticket with a lifetime of 45
              hours and 30 minutes, enter:

              # kinit -l 45h30m



ENVIRONMENT VARIABLES    [Toc]    [Back]

       CSFC5CCNAME

       Controls the credentials cache.

FILES    [Toc]    [Back]

       /krb5/tmp/cc/krb5cc_ uid

       Default Kerberos credentials cache file.

       v5srvtab

       Default service key table file.

SEE ALSO    [Toc]    [Back]

      
      
       Commands: kdestroy(1), klist(1), ktutil(1)



                                                         kinit(1)
[ Back ]
 Similar pages
Name OS Title
kinit HP-UX Obtains and caches ticket-granting ticket
kinit OpenBSD acquire initial tickets
kauth OpenBSD acquire initial tickets
kinit FreeBSD acquire initial tickets
kinit HP-UX obtain and cache the Kerberos ticket-granting ticket
klist HP-UX Lists cached tickets
kdestroy HP-UX destroy Kerberos tickets
klist HP-UX list cached Kerberos tickets
klist Tru64 Lists the tickets stored in the credentials cache file
kdestroy Tru64 Destroys valid or nonvalid Kerberos tickets and removes the cache file
Copyright © 2004-2005 DeniX Solutions SRL
newsletter delivery service