com.ibm.security.krb5.internal.tools Class Kinit

Kinit tool for obtaining Kerberos v5 tickets.

java.lang.Object
|
+--com.ibm.security.krb5.internal.tools.Kinit

public class Kinit
extends java.lang.Object

Kinit tool for obtaining Kerberos v5 tickets.

Constructor summary

Kinit(java.lang.String[] args)
Constructs a new Kinit object.

Method summary

static void

main(java.lang.String[] args)
The main method is used to accept user command line input for ticket request.

Methods inherited from class java.lang.Object

equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor detail

Kinit

public Kinit(java.lang.String[] args)
      throws java.io.IOException,
             RealmException,
             KrbException

Constructs a new Kinit object.

Parameters:
args - array of ticket request options. Available options are: -f, -F, -p, -P, -c, -k, principal, password.
Throws:

    java.io.IOException - if an I/O error occurs.
    RealmException - if the Realm could not be instantiated.
    KrbException - if error occurs during Kerberos operation.

Method detail

main

public static void main(java.lang.String[] args)

The main method is used to accept user command line input for ticket request.

Usage: java com.ibm.security.krb5.tools.Kinit [-f] [-F] [-p] [-P] [-k] [-c cache name] [principal] [password]
  • -f forwardable
  • -F not forwardable
  • -p proxiable
  • -P not proxiable
  • -c cache name (i.e., FILE:d:\temp\mykrb5cc)
  • -k use keytab
  • -t keytab file name
  • principal the principal name (i.e., qwedf qwedf@IBM.COM)
  • password the principal's Kerberos password

Use java com.ibm.security.krb5.tools.Kinit -help to bring up help menu.

We currently only support file-based credentials cache. By default, a cache file named krb5cc_{user.name} would be generated at {user.home} directory to store the ticket obtained from KDC. For instance, on Windows NT, it could be c:\winnt\profiles\qwedf\krb5cc_qwedf, in which qwedf is the {user.name}, and c:\winnt\profile\qwedf is the {user.home}. {user.home} is obtained by Kerberos from Java system property "user.home". If in some case {user.home} is null (which barely happens), the cache file would be stored in the current directory that the program is running from. {user.name} is operating system's login username. It could be different from user's principal name. One user could have multiple principal names, but the primary principal of the credentials cache could only be one, which means one cache file could only store tickets for one specific user principal. If the user switches the principal name at the next Kinit, the cache file generated for the new ticket would overwrite the old cache file by default. To avoid overwriting, you need to specify a different directory or different cache file name when you request a new ticket.

Cache file location

There are several ways to define user specific cache file name and location, they are listed as follows in the order that Kerberos searches for:
  1. -c option. Use java com.ibm.security.krb5.tools.Kinit -c FILE:<user specific directory and file name>. "FILE:" is the prefix to identify the credentials cache type. The default is file-based type.
  2. Set Java system property "KRB5CCNAME" by using -DKRB5CCNAME=FILE:<user specific directory and file name> during runtime.
  3. Set environment variable "KRB5CCNAME" at command prompt before the runtime. Different operating system has different way to set environment variables. For example, Windows uses set KRB5CCNAME=FILE:<user specific directory and file name>, while UNIX uses export KRB5CCNAME=FILE:<user specific directory and file name>. Note that Kerberos relies on system specific command to retrieve environment variable. The command used on UNIX is "/usr/bin/env".

KRB5CCNAME is case sensitive and is all upper case.

If KRB5CCNAME is not set as described above, a default cache file is used. The default cache is located in the following order:
  1. /tmp/krb5cc_<uid> on Unix platforms, where <uid> is the user id of the user running the Kinit JVM
  2. <user.home>/krb5cc_<user.name>, where <user.home> and <user.name> are the Java user.home and user.name properties, respectively
  3. <user.home>/krb5cc (if <user.name> cannot be obtained from the JVM)

KDC Communication Timeout

Kinit communicates with the Key Distribution Center (KDC) to acquire a ticket-granting ticket, that is, the credential. This communication can be set to timeout if the KDC does not respond within a certain period. The timeout period can be set (in milliseconds) in the Kerberos configuration file in the libdefaults stanza (to be applicable to all KDCs) or in individual KDC stanzas. The default timeout value is 30 seconds.

Parent topic: Principals and credentials