SYNOPSIS
       kinit  [-V] [-l lifetime] [-s start_time] [-r renewable_life] [-p | -P]
              [-f | -F] [-a] [-A] [-v] [-R] [-k [-t keytab_file]] [-c
              cache_name] [-S service_name][-T armor_ccache] [-X
              attribute[=value]] [principal]

DESCRIPTION
       kinit obtains and caches an initial ticket-granting ticket for  princi-
       pal.

OPTIONS
       -V     display verbose output.

       -l lifetime
              requests  a  ticket  with  the lifetime lifetime.  The value for
              lifetime must be followed immediately by one  of  the  following
              delimiters:

                 s  seconds
                 m  minutes
                 h  hours
                 d  days

              as  in "kinit -l 90m".  You cannot mix units; a value of `3h30m'
              will result in an error.

              If the -l option is not specified, the default  ticket  lifetime
              (configured by each site) is used.  Specifying a ticket lifetime
              longer than the maximum  ticket  lifetime  (configured  by  each
              site) results in a ticket with the maximum lifetime.

       -s start_time
              requests  a  postdated  ticket,  valid  starting  at start_time.
              Postdated tickets are issued with the invalid flag set, and need
              to be fed back to the kdc before use.

       -r renewable_life
              requests  renewable  tickets,  with  a  total lifetime of renew-
              able_life.  The duration is in the same format as the -l option,
              with the same delimiters.

       -f     request forwardable tickets.

       -F     do not request forwardable tickets.

       -p     request proxiable tickets.

       -P     do not request proxiable tickets.

       -a     request tickets with the local address[es].

       -A     request address-less tickets.
              name and location will be used.

       -T armor_ccache
              Specifies the name of a credential cache that already contains a
              ticket.  This ccache will be used to armor  the  request.   Ide-
              ally,  an  attacker  should have to attack both the armor ticket
              and the key of the principal.

       -c cache_name
              use cache_name as the Kerberos 5 credentials (ticket) cache name
              and location; if this option is not used, the default cache name
              and location are used.

              The default credentials cache may vary between systems.  If  the
              KRB5CCNAME  environment  variable  is  set, its value is used to
              name the default ticket cache.  Any  existing  contents  of  the
              cache are destroyed by kinit.

       -S service_name
              specify  an  alternate  service name to use when getting initial
              tickets.

       -X attribute[=value]
              specify a pre-authentication attribute and value to be passed to
              pre-authentication  plugins.  The acceptable attribute and value
              values vary from  pre-authentication  plugin  to  plugin.   This
              option  may  be  specified  multiple  times  to specify multiple
              attributes.  If no value is  specified,  it  is  assumed  to  be
              "yes".

              The following attributes are recognized by the OpenSSL pkinit
              pre-authentication mechanism:
                 X509_user_identity=value
                    specify where to find user's X509 identity information
                 X509_anchors=value
                    specify where to find trusted X509 anchor information
                 flag_RSA_PROTOCOL[=yes]
                    specify use of RSA, rather than the default Diffie-Hellman protocol


ENVIRONMENT
       Kinit uses the following environment variables:

       KRB5CCNAME      Location  of the Kerberos 5 credentials (ticket) cache.

FILES
       /tmp/krb5cc_[uid]  default location of  Kerberos  5  credentials  cache
                          ([uid] is the decimal UID of the user).

       /etc/krb5.keytab   default location for the local host's keytab file.

SEE ALSO

Man(1) output converted with man2html