kinit Command

Note: The Kerberos ticket life time is calculated taking the DST changes into consideration, as per design. Hence Kerberos tickets issued during DST disabled time, if has validity that spans to reach the DST enabled time or vice versa can have a difference of 1 hour displayed in klist.

Purpose

Obtains or renews the Kerberos ticket-granting ticket.

Syntax

kinit [ -l lifetime ] [ -r renewable_life ] [ -f ] [ -p ] [ -A ] [ -s start_time ] [ -S target_service ] [ -k [ -t keytab_file ] ] [ -R ] [ -v ] [ -u ] [ -c cachename ] [ principal ]

Description

The kinit command obtains or renews a Kerberos ticket-granting ticket. The Key Distribution Center (KDC) options specified by the [kdcdefault] and [realms] in the Kerberos configuration file (kdc.conf) are used if you do not specify a ticket flag on the command line.

If you are not renewing an existing ticket, the command reinitializes the credentials cache and will contain the new ticket-granting ticket received from the KDC. If you do not specify the Principal name on the command line and you do specify the -s flag, the Principal name is obtained from the credentials cache. The new credentials cache becomes the default cache unless you specify the cache name using the -c flag.

The ticket Time value for the -l, -r and -s flags is expressed as ndnhnmns where:

n
represents a number
d
represents days
h
represents hours
m
represents minutes
s
represents seconds

You must specify the components in this order but you can omit any component, for example 4h5m represents four hours and 5 minutes and 1d2s represents 1 day and 2 seconds.

Flags

Flags Description
Item Description
-A Specifies that the ticket contain a list of client addresses. The ticket will contain the local host address list if this option is not specified. When an initial ticket contains an address list, it can be used only from one of the addresses in the the address list.
-c cachename Specifies the name of the credentials cache to use. The default credentials cache is used if this flag is not specified. If the KRB5CCNAME environment variable is set, its value is used to name the default ticket cache. Any existing contents of the cache i are destroyed by kinit.
-f Specifies that the ticket is to be forwardable. To forward the ticket, this flag must be specified.
-k Specifies to obtain the key for the ticket principal from a key table. If you do not specify this flag, you are prompted to enter the password for the ticket principal.
-l lifetime Specifies the ticket end time interval. The ticket cannot be used after the interval expires unless the ticket is renewed. The interval default time is 10 hours.
-p Specifies that the ticket is to be proxiable. To make the ticket proxiable, this flag must be specified.
principal Specifies the ticket principal. The principal is obtained from the credentials cache if the principal is not specified on the command line.
-r renewable_life Specifies the renew time interval for a renewable ticket. The ticket cannot be renewed after the interval expires. The renew time must be greater than the end time. If this flag is not specified, the ticket is not renewable, although you can still generate a renewable ticket if the requested ticket lifetime exceeds the maximum ticket lifetime.
-R Specifies to renew an existing ticket. No other flags may be specified when renewing an existing ticket.
-s start_time Specifies a request for a postdated ticket, valid starting at start_time.
-S target_service Specifies an alternate service name to use when getting initial tickets.
-t keytab_file Specifies the key table name. The default key table is used if this flag is not specified and the -k flag is specified. The -t flag implies the -k flag.
-v Specifies that the ticket granting ticket in the cache be passed to the kdc for validation. If the ticket is within its requested time range, the cache is replaced with the validated ticket.
-u Specifies that the kinit command creates a credentials cache file that is unique to the process. If the kinit command is successful, the credentials cache file name includes a unique number (Process Authentication Group or PAG). In AIX® Version 5.3 and later, the PAG is generated from an operating system service. The KRB5CCNAME environment variable is set to this credentials cache file, and the kinit command executes a new shell.

Examples

  1. To obtain a ticket-granting ticket with a lifetime of 10 hours, which is renewable for five days, type:
    kinit -l 10h -r 5d my_principal
  2. To renew an existing ticket, type:
    kinit -R

Files

Files
Item Description
/usr/krb5/bin/kinit -
/var/krb5/security/creds/krb5cc_[uid] default credentials cache ([uid] is the UID of the user.)
/etc/krb5/krb5.keytab default location for the local host's keytab file.
/var/krb5/krb5kdc/kdc.conf Kerberos KDC configuration file.