.\" $Id: kinit.1,v 1.20 2002/08/28 16:09:36 joda Exp $
.\"
.Dd May 29, 1998
.Dt KINIT 1
.Os HEIMDAL
.Sh NAME
.Nm kinit
.Nm kauth
.Nd acquire initial tickets
.Sh SYNOPSIS
.Nm kinit
.Op Fl 4 | Fl -524init
.Op Fl 9 | Fl -524convert
.Op Fl -afslog
.Oo Fl c Ar cachename \*(Ba Xo
.Fl -cache= Ns Ar cachename
.Xc
.Oc
.Op Fl f | Fl -forwardable
.Oo Fl t Ar keytabname \*(Ba Xo
.Fl -keytab= Ns Ar keytabname
.Xc
.Oc
.Oo Fl l Ar time \*(Ba Xo
.Fl -lifetime= Ns Ar time
.Xc
.Oc
.Op Fl p | Fl -proxiable
.Op Fl R | Fl -renew
.Op Fl -renewable
.Oo Fl r Ar time \*(Ba Xo
.Fl -renewable-life= Ns Ar time
.Xc
.Oc
.Oo Fl S Ar principal \*(Ba Xo
.Fl -server= Ns Ar principal
.Xc
.Oc
.Oo Fl s Ar time \*(Ba Xo
.Fl -start-time= Ns Ar time
.Xc
.Oc
.Op Fl k | Fl -use-keytab
.Op Fl v | Fl -validate
.Oo Fl e Ar enctypes \*(Ba Xo
.Fl -enctypes= Ns Ar enctypes
.Xc
.Oc
.Oo Fl a Ar addresses \*(Ba Xo
.Fl -extra-addresses= Ns Ar addresses
.Xc
.Oc
.Op Fl -fcache-version= Ns Ar integer
.Op Fl -no-addresses
.Op Fl -anonymous
.Op Fl -version
.Op Fl -help
.Op Ar principal Op Ar command
.Sh DESCRIPTION
.Nm
is used to authenticate to the kerberos server as
.Ar principal ,
or if none is given, a system generated default (typically your login
name at the default realm), and acquire a ticket granting ticket that
can later be used to obtain tickets for other services.
.Pp
If you have compiled
.Nm kinit
with Kerberos 4 support and you have a
Kerberos 4 server,
.Nm
will detect this and get you Kerberos 4 tickets.
.Pp
Supported options:
.Bl -tag -width Ds
.It Xo
.Fl c Ar cachename
.Fl -cache= Ns Ar cachename
.Xc
The credentials cache to put the acquired ticket in, if other than
default.
.It Xo
.Fl f ,
.Fl -forwardable
.Xc
Get ticket that can be forwarded to another host.
.It Xo
.Fl t Ar keytabname ,
.Fl -keytab= Ns Ar keytabname
.Xc
Don't ask for a password, but instead get the key from the specified
keytab.
.It Xo
.Fl l Ar time Ns ,
.Fl -lifetime= Ns Ar time
.Xc
Specifies the lifetime of the ticket. The argument can either be in
seconds, or a more human readable string like
.Sq 1h .
.It Xo
.Fl p ,
.Fl -proxiable
.Xc
Request tickets with the proxiable flag set.
.It Xo
.Fl R ,
.Fl -renew
.Xc
Try to renew ticket. The ticket must have the
.Sq renewable
flag set, and must not be expired.
.It Fl -renewable
The same as
.Fl -renewable-life ,
with an infinite time.
.It Xo
.Fl r Ar time ,
.Fl -renewable-life= Ns Ar time
.Xc
The max renewable ticket life.
.It Xo
.Fl S Ar principal ,
.Fl -server= Ns Ar principal
.Xc
Get a ticket for a service other than krbtgt/LOCAL.REALM.
.It Xo
.Fl s Ar time ,
.Fl -start-time= Ns Ar time
.Xc
Obtain a ticket that starts to be valid
.Ar time
(which can really be a generic time specification, like
.Sq 1h )
seconds into the future.
.It Xo
.Fl k ,
.Fl -use-keytab
.Xc
The same as
.Fl -keytab ,
but with the default keytab name (normally
.Ar FILE:/etc/krb5.keytab ) .
.It Xo
.Fl v ,
.Fl -validate
.Xc
Try to validate an invalid ticket.
.It Xo
.Fl e ,
.Fl -enctypes= Ns Ar enctypes
.Xc
Request tickets with this particular enctype.
.It Xo
.Fl -fcache-version= Ns Ar version
.Xc
Create a credentials cache of version
.Nm version .
.It Xo
.Fl a ,
.Fl -extra-addresses= Ns Ar enctypes
.Xc
Adds a set of addresses that will, in addition to the systems local
addresses, be put in the ticket. This can be useful if all addresses a
client can use can't be automatically figured out. One such example is
if the client is behind a firewall. Also settable via
.Li libdefaults/extra_addresses
in
.Xr krb5.conf 5 .
.It Xo
.Fl -no-addresses
.Xc
Request a ticket with no addresses.
.It Xo
.Fl -anonymous
.Xc
Request an anonymous ticket (which means that the ticket will be
issued to an anonymous principal, typically
.Dq anonymous@REALM ) .
.El
.Pp
The following options are only available if
.Nm
has been compiled with support for Kerberos 4.
.Bl -tag -width Ds
.It Xo
.Fl 4 ,
.Fl -524init
.Xc
Try to convert the obtained Kerberos 5 krbtgt to a version 4
compatible ticket. It will store this ticket in the default Kerberos 4
ticket file.
.It Xo
.Fl 9 ,
.Fl -524convert
.Xc
only convert ticket to version 4
.It Fl -afslog
Gets AFS tickets, converts them to version 4 format, and stores them
in the kernel. Only useful if you have AFS.
.El
.Pp
The
.Ar forwardable ,
.Ar proxiable ,
.Ar ticket_life ,
and
.Ar renewable_life
options can be set to a default value from the
.Dv appdefaults
section in krb5.conf, see
.Xr krb5_appdefault 3 .
.Pp
If  a
.Ar command
is given,
.Nm kinit
will setup new credentials caches, and AFS PAG, and then run the given
command. When it finishes the credentials will be removed.
.Sh ENVIRONMENT
.Bl -tag -width Ds
.It Ev KRB5CCNAME
Specifies the default credentials cache.
.It Ev KRB5_CONFIG
The file name of
.Pa krb5.conf
, the default being
.Pa /etc/krb5.conf .
.It Ev KRBTKFILE
Specifies the Kerberos 4 ticket file to store version 4 tickets in.
.El
.\".Sh FILES
.\".Sh EXAMPLES
.\".Sh DIAGNOSTICS
.Sh SEE ALSO
.Xr kdestroy 1 ,
.Xr klist 1 ,
.Xr krb5_appdefault 3 ,
.Xr krb5.conf 5
.\".Sh STANDARDS
.\".Sh HISTORY
.\".Sh AUTHORS
.\".Sh BUGS