Obtaining or renewing ticket-granting tickets

The kinit command obtains or renews a Kerberos ticket-granting ticket. You can also use the Add Kerberos Ticket (ADDKRBTKT) CL command to obtain and cache ticket-granting tickets.

kinit command

If no ticket options are specified on the kinit command, the options for the Kerberos server that are specified in the Kerberos configuration file are used.

If an existing ticket is not renewed, the credentials cache is re-initialized and contains the new ticket-granting ticket received from the Kerberos server. If the principal name is not specified on the command line, the principal name is obtained from the credentials cache. The new credentials cache becomes the default credentials cache unless the cache name is specified by the -c option.

Ticket time values are expressed as nwndnhnmns, where n represents a number, w indicates weeks, d indicates days, h indicates hours, m indicates minutes, and s indicates seconds. The components must be specified in this order, but any component can be omitted (for example, 4h5m represents 4 hours and 5 minutes, and 1w2h represents 1 week and 2 hours). If only a number is specified, the default is hours.
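The ticket time format above, as an added example (not IBM's code): a POSIX shell function that validates a value in the nwndnhnmns form and converts it to seconds, so a lifetime can be checked before it is passed to kinit -l. The function name krb_time_to_seconds is hypothetical, and rejecting a trailing number that has no unit letter (such as 5h30) is an assumption, because the page does not describe that case.

```shell
# Added example: validate a ticket time value and convert it to seconds.
# krb_time_to_seconds is a hypothetical helper name, not an IBM i command.
krb_time_to_seconds() {
    rest=$1
    total=0
    # Reject empty input and any character outside digits and w d h m s.
    case $rest in
        '' | *[!0-9wdhms]*) return 1 ;;
    esac
    # If only a number is specified, the default is hours.
    case $rest in
        *[!0-9]*) ;;
        *) rest=${rest}h ;;
    esac
    # Consume components strictly in the order w, d, h, m, s.
    for spec in w:604800 d:86400 h:3600 m:60 s:1; do
        unit=${spec%%:*}
        mult=${spec#*:}
        num=${rest%%[!0-9]*}            # leading run of digits, may be empty
        [ -n "$num" ] || continue
        case ${rest#"$num"} in
            "$unit"*) ;;                # number is followed by this unit
            *) continue ;;              # belongs to a later unit, or is invalid
        esac
        rest=${rest#"$num$unit"}
        # Strip leading zeros so the shell does not read the number as octal.
        while [ "${#num}" -gt 1 ] && [ "${num#0}" != "$num" ]; do
            num=${num#0}
        done
        total=$((total + num * mult))
    done
    # Leftover text means a component was out of order, repeated,
    # or had no unit letter (assumption: such values are rejected).
    [ -z "$rest" ] || return 1
    echo "$total"
}

# Constructed sample values: the first two are the examples from the text.
for value in 4h5m 1w2h 5 5m4h; do
    if secs=$(krb_time_to_seconds "$value"); then
        echo "$value = $secs seconds"
    else
        echo "$value is not a valid ticket time value"
    fi
done
```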

To obtain a ticket-granting ticket that has a lifetime of 5 hours for principal jday, choose one of the following options:

  • On the Qshell command line, enter kinit -l 5h jday
  • On an IBM® i control language (CL) command line, enter call qsys/qkrbkinit parm('-l' '5h' 'jday')

See the kinit usage notes for specifics on the usage and restrictions of this Qshell command.

Add Kerberos Ticket (ADDKRBTKT) command

On an i5/OS command line, you can use the CL command ADDKRBTKT to obtain ticket-granting tickets. For instance, to add a forwardable ticket using the principal krbsrv400/jday.myco.com and the default realm, enter the following command:

ADDKRBTKT PRINCIPAL('krbsrv400/jday.myco.com') PASSWORD('mypwd') ALWFWD(*YES)