com.ibm.security.krb5.internal.tools
Class Kinit

java.lang.Object
  extended by com.ibm.security.krb5.internal.tools.Kinit

public class Kinit
extends java.lang.Object

Kinit tool for obtaining Kerberos v5 tickets.

Version:
1.00 12 Apr 2000
Author:
Yanni Zhang

Constructor Summary
Kinit(java.lang.String[] args)
          Constructs a new Kinit object.
 
Method Summary
static void main(java.lang.String[] args)
          The main method is used to accept user command line input for ticket request.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

Kinit

public Kinit(java.lang.String[] args)
      throws java.io.IOException,
             com.ibm.security.krb5.internal.RealmException,
             com.ibm.security.krb5.KrbException
Constructs a new Kinit object.

Parameters:
args - array of ticket request options. Available options are: -f, -F, -p, -P, -c, principal, password.
Throws:
java.io.IOException - if an I/O error occurs.
com.ibm.security.krb5.internal.RealmException - if the Realm could not be instantiated.
com.ibm.security.krb5.KrbException - if an error occurs during a Kerberos operation.
Method Detail

main

public static void main(java.lang.String[] args)
The main method is used to accept user command line input for ticket request.

Usage: java [options] com.ibm.security.krb5.internal.tools.Kinit [-A] [-f] [-F] [-p] [-P] [-r] [-R] [-c cache name] [-k [-t keytab_file_name]] [principal] [password]

Use java com.ibm.security.krb5.tools.Kinit -help to bring up help menu.

Only file-based credentials caches are currently supported. By default, a cache file named krb5cc_{user.name} is generated in the {user.home} directory to store the ticket obtained from the KDC. For instance, on Windows NT, it could be c:\winnt\profiles\qwedf\krb5cc_qwedf, in which qwedf is the {user.name} and c:\winnt\profiles\qwedf is the {user.home}. {user.home} is obtained by Kerberos from the Java system property "user.home". If {user.home} is null (which rarely happens), the cache file is stored in the current directory that the program is running from.

{user.name} is the operating system's login username. It can differ from the user's principal name. One user can have multiple principal names, but a credentials cache has only one primary principal, which means one cache file can store tickets for only one specific user principal. If the user switches the principal name at the next Kinit, the cache file generated for the new ticket overwrites the old cache file by default. To avoid overwriting, specify a different directory or a different cache file name when you request a new ticket.

Cache File Location

There are several ways to define a user-specific cache file name and location. They are listed below in the order in which Kerberos searches for them:

  1. -c option. Use java com.ibm.security.krb5.tools.Kinit -c FILE:<user specific directory and file name>. "FILE:" is the prefix to identify the credentials cache type. The default is file-based type.
  2. Set Java system property "KRB5CCNAME" by using -DKRB5CCNAME=FILE:<user specific directory and file name> during runtime.

KRB5CCNAME is case sensitive and is all upper case.

If KRB5CCNAME is not set as described above, a default cache file is used. The default cache is located in the following order:

  1. <user.home>/krb5cc_<user.name>, where <user.home> and <user.name> are the Java user.home and user.name properties respectively
  2. <user.home>/krb5cc (if <user.name> cannot be obtained from the JVM).
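
The search order above, together with the current-directory fallback for a null user.home, can be reproduced to find where a ticket will land and to check who can read it. This is an added example, not IBM's code: the class name CacheLocator, the owner-only permission check, and the file name used when both user.home and user.name are missing are assumptions made here.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;

public class CacheLocator {  // hypothetical helper, not part of the Kinit API
    // Strip the "FILE:" cache-type prefix used by -c and KRB5CCNAME.
    static String stripPrefix(String name) {
        return name.startsWith("FILE:") ? name.substring(5) : name;
    }

    // Resolve the cache path in the documented order:
    // -c value, KRB5CCNAME property, then the default location.
    static Path resolve(String cOption, String krb5ccname,
                        String userHome, String userName) {
        if (cOption != null) return Paths.get(stripPrefix(cOption));
        if (krb5ccname != null) return Paths.get(stripPrefix(krb5ccname));
        String file = (userName != null) ? "krb5cc_" + userName : "krb5cc";
        // Null user.home: the cache goes to the current directory.
        return (userHome != null) ? Paths.get(userHome, file) : Paths.get(file);
    }

    // True if group or others hold any permission on the cache file.
    static boolean exposedToOthers(Path cache) throws IOException {
        for (PosixFilePermission p : Files.getPosixFilePermissions(cache)) {
            String n = p.name();
            if (n.startsWith("GROUP_") || n.startsWith("OTHERS_")) return true;
        }
        return false;
    }

    public static void main(String[] args) throws IOException {
        // First argument stands in for the value given to Kinit's -c option.
        String cOption = args.length > 0 ? args[0] : null;
        Path cache = resolve(cOption, System.getProperty("KRB5CCNAME"),
                System.getProperty("user.home"), System.getProperty("user.name"));
        System.out.println("Expected credentials cache: " + cache.toAbsolutePath());
        if (!Files.exists(cache)) {
            System.out.println("No cache file present.");
        } else if (!Files.getFileStore(cache).supportsFileAttributeView("posix")) {
            System.out.println("Non-POSIX file system: review the file ACL manually.");
        } else if (exposedToOthers(cache)) {
            System.out.println("WARNING: cache is accessible by group or others.");
        } else {
            System.out.println("Cache is owner-only.");
        }
    }
}
```

Run it with the same -DKRB5CCNAME setting and under the same account as the Kinit invocation so that the resolved path matches.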

KDC Communication Timeout

Kinit communicates with the Key Distribution Center (KDC) to acquire a ticket granting ticket, that is, the credential. This communication can be set to time out if the KDC does not respond within a certain period. The timeout period can be set (in milliseconds) in the Kerberos configuration file in the libdefaults stanza (to be applicable to all KDCs) or in individual KDC stanzas. The default timeout value is 30 seconds.