
KINIT(1)                  BSD General Commands Manual                 KINIT(1)

NNAAMMEE
     kkiinniitt -- acquire initial tickets

SSYYNNOOPPSSIISS
     kkiinniitt [----aaffsslloogg] [--cc _c_a_c_h_e_n_a_m_e | ----ccaacchhee==_c_a_c_h_e_n_a_m_e] [--ff | ----ffoorrwwaarrddaabbllee]
           [--FF | ----nnoo--ffoorrwwaarrddaabbllee] [--tt _k_e_y_t_a_b_n_a_m_e | ----kkeeyyttaabb==_k_e_y_t_a_b_n_a_m_e] [--ll
           _t_i_m_e | ----lliiffeettiimmee==_t_i_m_e] [--pp | ----pprrooxxiiaabbllee] [--RR | ----rreenneeww]
           [----rreenneewwaabbllee] [--rr _t_i_m_e | ----rreenneewwaabbllee--lliiffee==_t_i_m_e] [--SS _p_r_i_n_c_i_p_a_l |
           ----sseerrvveerr==_p_r_i_n_c_i_p_a_l] [--ss _t_i_m_e | ----ssttaarrtt--ttiimmee==_t_i_m_e]
           [--kk | ----uussee--kkeeyyttaabb] [--vv | ----vvaalliiddaattee] [--ee _e_n_c_t_y_p_e_s |
           ----eennccttyyppeess==_e_n_c_t_y_p_e_s] [--aa _a_d_d_r_e_s_s_e_s | ----eexxttrraa--aaddddrreesssseess==_a_d_d_r_e_s_s_e_s]
           [----ppaasssswwoorrdd--ffiillee==_f_i_l_e_n_a_m_e] [----ffccaacchhee--vveerrssiioonn==_v_e_r_s_i_o_n_-_n_u_m_b_e_r]
           [--AA | ----nnoo--aaddddrreesssseess] [----aannoonnyymmoouuss] [----eenntteerrpprriissee] [----vveerrssiioonn]
           [----hheellpp] [_p_r_i_n_c_i_p_a_l [_c_o_m_m_a_n_d]]

DDEESSCCRRIIPPTTIIOONN
     kkiinniitt is used to authenticate to the Kerberos server as _p_r_i_n_c_i_p_a_l, or if
     none is given, a system generated default (typically your login name at
     the default realm), and acquire a ticket granting ticket that can later
     be used to obtain tickets for other services.

     Supported options:

     --cc _c_a_c_h_e_n_a_m_e ----ccaacchhee==_c_a_c_h_e_n_a_m_e
             The credentials cache to put the acquired ticket in, if other
             than default.

     --ff ----ffoorrwwaarrddaabbllee
             Obtain a ticket than can be forwarded to another host.

     --FF ----nnoo--ffoorrwwaarrddaabbllee
             Do not obtain a forwardable ticket.

     --tt _k_e_y_t_a_b_n_a_m_e, ----kkeeyyttaabb==_k_e_y_t_a_b_n_a_m_e
             Don't ask for a password, but instead get the key from the speci-
             fied keytab.

     --ll _t_i_m_e, ----lliiffeettiimmee==_t_i_m_e
             Specifies the lifetime of the ticket.  The argument can either be
             in seconds, or a more human readable string like `1h'.

     --pp, ----pprrooxxiiaabbllee
             Request tickets with the proxiable flag set.

     --RR, ----rreenneeww
             Try to renew ticket.  The ticket must have the `renewable' flag
             set, and must not be expired.

     ----rreenneewwaabbllee
             The same as ----rreenneewwaabbllee--lliiffee, with an infinite time.

     --rr _t_i_m_e, ----rreenneewwaabbllee--lliiffee==_t_i_m_e
             The max renewable ticket life.

     --SS _p_r_i_n_c_i_p_a_l, ----sseerrvveerr==_p_r_i_n_c_i_p_a_l
             Get a ticket for a service other than krbtgt/LOCAL.REALM.

     --ss _t_i_m_e, ----ssttaarrtt--ttiimmee==_t_i_m_e
             Obtain a ticket that starts to be valid _t_i_m_e (which can really be
             a generic time specification, like `1h') seconds into the future.

     --kk, ----uussee--kkeeyyttaabb
             The same as ----kkeeyyttaabb, but with the default keytab name (normally
             _F_I_L_E_:_/_e_t_c_/_k_r_b_5_._k_e_y_t_a_b).

     --vv, ----vvaalliiddaattee
             Try to validate an invalid ticket.

     --ee, ----eennccttyyppeess==_e_n_c_t_y_p_e_s
             Request tickets with this particular enctype.

     ----ppaasssswwoorrdd--ffiillee==_f_i_l_e_n_a_m_e
             read the password from the first line of _f_i_l_e_n_a_m_e.  If the
             _f_i_l_e_n_a_m_e is _S_T_D_I_N, the password will be read from the standard
             input.

     ----ffccaacchhee--vveerrssiioonn==_v_e_r_s_i_o_n_-_n_u_m_b_e_r
             Create a credentials cache of version _v_e_r_s_i_o_n_-_n_u_m_b_e_r.

     --aa, ----eexxttrraa--aaddddrreesssseess==_e_n_c_t_y_p_e_s
             Adds a set of addresses that will, in addition to the systems
             local addresses, be put in the ticket.  This can be useful if all
             addresses a client can use can't be automatically figured out.
             One such example is if the client is behind a firewall.  Also
             settable via libdefaults/extra_addresses in krb5.conf(5).

     --AA, ----nnoo--aaddddrreesssseess
             Request a ticket with no addresses.

     ----aannoonnyymmoouuss
             Request an anonymous ticket (which means that the ticket will be
             issued to an anonymous principal, typically ``anonymous@REALM'').

     ----eenntteerrpprriissee
             Parse principal as a enterprise (KRB5-NT-ENTERPRISE) name. Enter-
             prise names are email like principals that are stored in the name
             part of the principal, and since there are two @ characters the
             parser needs to know that the first is not a realm.  An example
             of an enterprise name is ``lha@e.kth.se@KTH.SE'', and this option
             is usually used with canonicalize so that the principal returned
             from the KDC will typically be the real principal name.

     ----aaffsslloogg
             Gets AFS tickets, converts them to version 4 format, and stores
             them in the kernel.  Only useful if you have AFS.

     The _f_o_r_w_a_r_d_a_b_l_e, _p_r_o_x_i_a_b_l_e, _t_i_c_k_e_t___l_i_f_e, and _r_e_n_e_w_a_b_l_e___l_i_f_e options can
     be set to a default value from the appdefaults section in krb5.conf, see
     krb5_appdefault(3).

     If  a _c_o_m_m_a_n_d is given, kkiinniitt will set up new credentials caches, and AFS
     PAG, and then run the given command.  When it finishes the credentials
     will be removed.

EENNVVIIRROONNMMEENNTT
     KRB5CCNAME
             Specifies the default credentials cache.

     KRB5_CONFIG
             The file name of _k_r_b_5_._c_o_n_f, the default being _/_e_t_c_/_k_r_b_5_._c_o_n_f.

SSEEEE AALLSSOO
     kdestroy(1), klist(1), krb5_appdefault(3), krb5.conf(5)

HEIMDAL                         April 25, 2006                         HEIMDAL