kinit is used to obtain and cache Kerberos ticket-granting tickets. This tool is similar in functionality to the kinit tool that is commonly found in other Kerberos implementations, such as SEAM and MIT Reference implementations.
The user must be registered as a principal with the Key Distribution Center (KDC) prior to running kinit.
kinit [ commands ] <principal name> [<password>]
By default, on the Windows platform a cache file named <USER_HOME>\krb5cc_<USER_NAME> will be generated. <uid> is the user identification number of the user logged into the system. <USER_HOME> is obtained from the java.lang.System property user.home. <USER_NAME> is obtained from java.lang.System property user.name. If <USER_HOME> is null, the cache file would be stored in the current directory that the program is running from. <USER_NAME> is the operating system's login username. This username could be different than the user's principal name. For example on Windows NT, it could be c:\winnt\profiles\duke\krb5cc_duke, in which duke is the <USER_NAME> and c:\winnt\profiles\duke is the <USER_HOME>.
By default, the keytab name is retrieved from the Kerberos configuration file. If the keytab name is not specified in the Kerberos configuration file, the name is assumed to be <USER_HOME>\krb5.keytab.
If you do not specify the password using the password option on the command line, kinit will prompt you for the password. The password option is provided only for testing purposes. Do not place your password in a script or provide your password on the command line. Doing so will compromise your password. For more information see the man pages for kinit.
Usage: kinit [-fp] [-c <cache_name>] [-k] [-t <keytab_filename>] [<principal>] [<password>] [-help]
Command Option | Description |
---|---|
-A | Do not include addresses. |
-f | Issue a forwardable ticket. |
-p | Issue a proxiable ticket. |
-c <cache_name> | The cache name (i.e., FILE:d:\temp\mykrb5cc). |
-k | Use keytab. |
-t <keytab_filename> | The keytab name (i.e., d:\winnt\profiles\duke\krb5.keytab). |
<principal> | The principal name (i.e., duke@java.sun.com). |
<password> | The principal's Kerberos password. (DO NOT SPECIFY ON COMMAND LINE OR IN A SCRIPT.) |
-help | Displays instructions. |
Requesting credentials valid for authentication from the current client host, for the default services, storing the credentials cache in the default location (c:\winnt\profiles\duke\krb5cc_duke):
kinit duke@JAVA.SUN.COM
Requesting proxiable credentials for a different principal and storing these credentials in a specified file cache:
kinit -p -c FILE:c:\winnt\profiles\duke\credentials\krb5cc_cafebeef cafebeef@JAVA.SUN.COM
Requesting proxiable and forwardable credentials for a different principal and storing these credentials in a specified file cache:
kinit -f -p -c FILE:c:\winnt\profiles\duke\credentials\krb5cc_cafebeef cafebeef@JAVA.SUN.COM
Displaying the help menu for kinit:
kinit -help
The password flag is for testing purposes only. Do not specify your password on the command line. Doing so is a security hole since an attacker could discover your password while enumerating all running processes in the system, for example.
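One way to find scripts that make the mistake warned about above, as an added example that is not part of the original kinit documentation: this Python code parses kinit command lines according to the usage table on this page and reports any call that supplies a second positional argument (the password), redacting it in the report. The sample script, its password value and the C:\jdk install path are constructed for illustration.

```python
import ntpath
import shlex

KINIT_NAMES = ("kinit", "kinit.exe")
VALUE_OPTS = {"-c", "-t"}            # options that consume the next token
SHELL_OPS = {"|", "||", "&", "&&", ">", ">>", "<"}   # end of the kinit command

def kinit_positionals(line):
    """Return kinit's positional args ([principal, password]), or None if
    the line does not start with a kinit invocation."""
    try:
        # posix=False keeps the backslashes of Windows paths intact
        tokens = shlex.split(line.strip().lstrip("@"), posix=False)
    except ValueError:               # unbalanced quotes: not parseable
        return None
    if not tokens or ntpath.basename(tokens[0].strip('"')).lower() not in KINIT_NAMES:
        return None
    positionals, skip = [], False
    for tok in tokens[1:]:
        if tok in SHELL_OPS:
            break
        if skip:                     # this token is the value of -c / -t
            skip = False
        elif tok in VALUE_OPTS:
            skip = True
        elif not tok.startswith("-"):
            positionals.append(tok)
    return positionals

def audit(script_text):
    """Return (line_number, redacted_line) for each kinit call that passes
    a password as the second positional argument."""
    findings = []
    for number, line in enumerate(script_text.splitlines(), start=1):
        args = kinit_positionals(line)
        if args and len(args) > 1:
            # Redact so the report does not repeat the secret
            findings.append((number, line.replace(args[1], "<redacted>")))
    return findings

# Constructed sample script; the password value is made up.
SAMPLE = r"""@echo off
kinit duke@JAVA.SUN.COM
kinit -f -p -c FILE:c:\temp\mykrb5cc duke@JAVA.SUN.COM Secret123
kinit -k -t d:\winnt\profiles\duke\krb5.keytab duke@JAVA.SUN.COM
C:\jdk\bin\kinit.exe -A duke@JAVA.SUN.COM Secret123
"""

if __name__ == "__main__":
    for number, line in audit(SAMPLE):
        print(f"line {number}: {line}")
```

Calls that let kinit prompt for the password or that use -k with a keytab carry a single positional argument and are not reported.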