  kinit -- A Kerberos client
 
Subject: kinit -- A Kerberos client
Author: eLDAP
In response to: ktab + kinit + klist -- Kerberos key and ticket cache management tools
Posted on: 03/12/2013 11:43:45 PM

kinit is used to authenticate a user to the KDC and to obtain and cache a Kerberos Ticket-Granting Ticket (TGT).

Syntax

kinit [-fp] [-c <cache_name>] [-k] [-t <keytab_filename>] [<principal>] [<password>] [-help]

Examples:

Authenticate user test_user with <password>
C:\temp>kinit test_user@TEST_REALM.COM
Password for test_user@TEST_REALM.COM:<password> 
New ticket is stored in cache file C:\Users\test_user\krb5cc_test_user


Authenticate user test_user with default keytab
C:\temp>kinit test_user@TEST_REALM.COM -k
New ticket is stored in cache file C:\Users\test_user\krb5cc_test_user


Authenticate user test_user with specified keytab
C:\temp>kinit test_user@TEST_REALM.COM -k -t FILE:C:\temp\test_user.keytab
New ticket is stored in cache file C:\Users\test_user\krb5cc_test_user


Note:
  • By default, on the Windows platform a cache file named <USER_HOME>\krb5cc_<USER_NAME> will be generated.
  • By default, for all Unix platforms a cache file named /tmp/krb5cc_<uid> is generated.
  • C:\Windows\krb5.ini needs to be configured properly for the target KDC.


     

    > On 03/12/2013 11:40:35 PM eLDAP wrote:

    ktab -- A keytab management tool

    ktab allows the user to manage the principal names and service keys stored in a local keytab. A keytab is a host's copy of its own keylist, which is analogous to a user's password.


    Syntax
    List:
    ktab -l [-k <keytab_name>]
    

    Add:
    ktab -a <principal_name> [<password>] [-k <keytab_name>]
    

    Delete:
    ktab -d <principal_name> [-k <keytab_name>]
    


    Examples:
    C:\temp>ktab -a test_user@TEST_REALM.COM -k test_user.keytab
    Password for test_user@TEST_REALM.COM:<password>
    Done!
    Service key for test_user@TEST_REALM.COM is saved in test_user.keytab
    


    C:\temp>ktab -l -k test_user.keytab
    Keytab name: C:\temp\test_user.keytab
    KVNO    Principal
    --------------------------------------------------------------------------
      1     test_user@TEST_REALM.COM
      1     test_user@TEST_REALM.COM
      1     test_user@TEST_REALM.COM
      1     test_user@TEST_REALM.COM
    



    Note:
      • By default, the keytab name is retrieved from the Kerberos configuration file C:\Windows\krb5.ini from the entry default_keytab_name = FILE:<path-to-file>, if you do not specify it with -k;
      • If the keytab name is not specified in the Kerberos configuration file, the name is assumed to be <USER_HOME>\krb5.keytab.
      • There is no need for KDC to authenticate the user during the process of generating keytab.




