kinit

Use the Qshell command kinit to obtain or renew the Kerberos ticket granting ticket.

Syntax

kinit [-r time] [-R] [-p] [-f] [-A] [-l time] [-c cache] [-k] [-t keytab] [principal]

Default public authority: *USE

The Qshell command kinit obtains or renews the Kerberos ticket granting ticket.

Options

-r time
The time interval for renewing a ticket. The ticket can no longer be renewed after the expiration of this interval. The renew time must be greater than the end time. If this option is not specified, the ticket is not renewable (a renewable ticket may still be generated if the requested ticket lifetime exceeds the maximum ticket lifetime).
-R
An existing ticket is to be renewed. When you renew an existing ticket, you cannot specify any other ticket options.
-p
The ticket can be a proxy. If you do not specify this option, the ticket cannot be a proxy.
-f
The ticket can be forwarded. If you do not specify this option, the ticket cannot be forwarded.
-A
The ticket will not contain a list of client addresses. If you do not specify this option, the ticket will contain the local host address list. When an initial ticket contains an address list, it can be used only from one of the addresses in the address list.
-l time
The ticket end-time interval. After this interval expires, the ticket cannot be used unless it has been renewed. If you do not specify this option, the interval is set to 10 hours.
-c cache
The name of the credentials cache that the kinit command will use. If you do not specify this option, the command uses the default credentials cache.
-k
The key for the ticket principal is to be obtained from a key table. If you do not specify this option, the system prompts you to enter the password for the ticket principal.
-t keytab
The key table name. If you do not specify this option but do specify the -k option, the system uses the default key table. The -t option implies the -k option.
principal
The ticket principal. If you do not specify the principal on the command line, the system obtains the principal from the credentials cache.

Authorities

Object Referred to | Authority Required
Each directory in the path name preceding the key table file if -t option is specified | *X
Key table file when -t is specified | *R
Each directory in the path name preceding the credentials cache file to be used | *X
Parent directory of the cache file to be used, if specified by the KRB5CCNAME environment variable, and the file is being created | *WX
Credentials cache file | *RW
Each directory in the paths to the configuration files | *X
Configuration files | *R

To enable the Kerberos run time to find your credentials cache file from any executing process, the name of the cache file is normally stored in the home directory in a file named krb5ccname. The storage location of the cache file name can be overridden by setting the environment variable _EUV_SEC_KRB5CCNAME_FILE. To access this file, the user profile must have *X authority to each directory in the path, and *R authority to the file where the cache file name is stored. The first time that a user creates a credentials cache, the user profile must have *WX authority to the parent directory.
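The authority requirements above can be checked before a keytab-based kinit is run, so that a failure points at the exact directory or file. The following is an added example, not part of the original documentation: the function names and the paths passed to them are hypothetical, and it assumes that *R, *W and *X are tested with the shell's -r, -w and -x operators. The configuration files are not checked.

```sh
# Added example: pre-flight check of the key table and credentials cache
# authorities. Assumption: *R/*W/*X are tested with the shell's -r/-w/-x.

# check_dirs PATH: every directory in the path preceding PATH needs *X.
check_dirs() {
    d=$(dirname "$1")
    while :; do
        [ -x "$d" ] || { echo "no *X on directory: $d"; return 1; }
        case "$d" in
            /|.) break ;;          # reached the root or the current directory
        esac
        d=$(dirname "$d")
    done
    return 0
}

# kinit_preflight KEYTAB CACHE: returns 0 when the authorities needed for
# "kinit -k -t KEYTAB -c CACHE" are present, 1 otherwise.
kinit_preflight() {
    keytab=$1
    cache=$2
    rc=0

    # Key table: *X on each preceding directory, *R on the file itself.
    check_dirs "$keytab" || rc=1
    [ -r "$keytab" ] || { echo "no *R on key table: $keytab"; rc=1; }

    # Credentials cache: *X on each preceding directory.
    check_dirs "$cache" || rc=1
    if [ -e "$cache" ]; then
        # Existing cache file needs *RW.
        { [ -r "$cache" ] && [ -w "$cache" ]; } ||
            { echo "no *RW on credentials cache: $cache"; rc=1; }
    else
        # Cache is being created: the parent directory needs *WX.
        parent=$(dirname "$cache")
        { [ -w "$parent" ] && [ -x "$parent" ]; } ||
            { echo "no *WX on cache parent directory: $parent"; rc=1; }
    fi
    return $rc
}

# Usage (placeholder paths and principal):
#   kinit_preflight /path/to/keytab /path/to/cache &&
#       kinit -k -t /path/to/keytab -c /path/to/cache principal
```

Run the check under the same user profile that will run kinit, since the result depends on that profile's authorities.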

Messages

For an example of how this command is used, see Obtain or renew ticket granting tickets.