SYNOPSIS

       kinit  [-V] [-l lifetime] [-s start_time] [-r renewable_life] [-p | -P]
              [-f | -F] [-a] [-A] [-C] [-E] [-v] [-R] [-k [-t keytab_file]]
              [-c cache_name] [-n] [-S service_name][-T armor_ccache] [-X
              attribute[=value]] [principal]

DESCRIPTION

       kinit obtains and caches an initial ticket-granting ticket for  princiтАР
       pal.

OPTIONS

       -V     display verbose output.

       -l lifetime
              requests  a  ticket  with  the lifetime lifetime.  The value for
              lifetime must be followed immediately by one  of  the  following
              delimiters:

                 s  seconds
                 m  minutes
                 h  hours
                 d  days

              as  in "kinit -l 90m".  You cannot mix units; a value of `3h30m'
              will result in an error.

              If the -l option is not specified, the default  ticket  lifetime
              (configured by each site) is used.  Specifying a ticket lifetime
              longer than the maximum  ticket  lifetime  (configured  by  each
              site) results in a ticket with the maximum lifetime.

       -s start_time
              requests  a  postdated  ticket,  valid  starting  at start_time.
              Postdated tickets are issued with the invalid flag set, and need
              to be fed back to the kdc before use.

       -r renewable_life
              requests  renewable  tickets,  with  a  total lifetime of renewтАР
              able_life.  The duration is in the same format as the -l option,
              with the same delimiters.

       -f     request forwardable tickets.

       -F     do not request forwardable tickets.

       -p     request proxiable tickets.

       -P     do not request proxiable tickets.

       -a     request tickets with the local address[es].

       -A     request address-less tickets.
       -k [-t keytab_file]
              requests a ticket, obtained from  a  key  in  the  local  host's
              keytab  file.   The  name and location of the keytab file may be
              specified with the -t keytab_file option; otherwise the  default
              name  and  location  will  be used.  By default a host ticket is
              requested but any principal may be specified. On a KDC, the speтАР
              cial  keytab  location  KDB:  can be used to indicate that kinit
              should open the KDC database and look up the key directly.  This
              permits an administrator to obtain tickets as any principal that
              supports password-based authentication.

       -n     Requests anonymous processing.  Two types of  anonymous  princiтАР
              pals  are  supported.   For  fully anonymous Kerberos, configure
              pkinit on the KDC and configure pkinit_anchors in  the  client's
              krb5.conf.   Then use the -n option with a principal of the form
              @REALM (an empty principal name followed by the  at-sign  and  a
              realm  name).  If permitted by the KDC, an anonymous ticket will
              be returned.  A second form of anonymous tickets  is  supported;
              these  realm-exposed tickets hide the identity of the client but
              not the client's realm.  For this mode, use kinit -n with a norтАР
              mal principal name.  If supported by the KDC, the principal (but
              not realm) will be replaced by the anonymous principal.   As  of
              release  1.8, the MIT Kerberos KDC only supports fully anonymous
              operation.

       -T armor_ccache
              Specifies the name of a credential cache that already contains a
              ticket.   If  supported  by the KDC, This ccache will be used to
              armor the request so that an attacker would have  to  know  both
              the  key  of  the armor ticket and the key of the principal used
              for authentication in order to attack the request. Armoring also
              makes  sure  that  the  response from the KDC is not modified in
              transit.

       -c cache_name
              use cache_name as the Kerberos 5 credentials (ticket) cache name
              and location; if this option is not used, the default cache name
              and location are used.

              The default credentials cache may vary between systems.  If  the
              KRB5CCNAME  environment  variable  is  set, its value is used to
              name the default ticket cache.  Any  existing  contents  of  the
              cache are destroyed by kinit.

       -S service_name
              specify  an  alternate  service name to use when getting initial
              tickets.

       -X attribute[=value]
              specify a pre-authentication attribute and value to be passed to
              pre-authentication  plugins.  The acceptable attribute and value
              values vary from  pre-authentication  plugin  to  plugin.   This

ENVIRONMENT

       Kinit uses the following environment variables:

       KRB5CCNAME      Location of the Kerberos 5 credentials (ticket) cache.

FILES

       /tmp/krb5cc_[uid]  default  location  of  Kerberos  5 credentials cache
                          ([uid] is the decimal UID of the user).

       /etc/krb5.keytab   default location for the local host's keytab file.

SYNOPSIS

DESCRIPTION

OPTIONS

ENVIRONMENT

FILES

SEE ALSO