Obtaining an initial ticket from the key distribution center

To use Kerberos authentication, you must obtain an initial ticket, called a Ticket Granting Ticket (TGT), from the key distribution center. The procedure to obtain this ticket depends on the Kerberos libraries being used. For more information, refer to the vendor documentation.

Steps: Generating TGTs for the MIT Kerberos client library

  1. Start the kinit utility at the command line:

    % kinit
    
  2. Enter the kinit user name, such as your_name@YOUR.REALM.

  3. Enter the password for your_name@YOUR.REALM, such as my_password. When you enter your password, the kinit utility submits a request to the Authentication Server for a TGT.

    The password is used to compute a key, which in turn is used to decrypt part of the response. The response contains the confirmation of the request, as well as the session key. If you entered your password correctly, you now have a TGT.

  4. Verify that you have a TGT by entering the following at the command line:

    % klist
    

    The results of the klist command should be:

    Ticket cache: /var/tmp/krb5cc_1234
    Default principal: your_name@YOUR.REALM
    Valid starting       Expires              Service principal
    24-Jul-95 12:58:02   24-Jul-95 20:58:15   krbtgt/YOUR.REALM@YOUR.REALM

Explanation of results

Ticket cache: The ticket cache field tells you which file contains your credentials cache.

Default principal: The default principal is the login of the person who owns the TGT (in this case, you).

Valid starting/Expires/Service principal: The remainder of the output is a list of your existing tickets. Because this is the first ticket you have requested, there is only one ticket listed. The service principal (krbtgt/YOUR.REALM@YOUR.REALM) shows that this ticket is a TGT. Note that this ticket is good for approximately 8 hours.
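
As an added example (not part of the original documentation), the shell function below parses klist output in the layout shown above and succeeds only when a TGT for the default principal's own realm is listed. The function name tgt_summary and the sample variables are hypothetical, and the second sample is constructed.

```shell
#!/bin/sh
# Added example: check klist output for a TGT. Assumes the five-column ticket
# layout shown on this page (start date/time, expiry date/time, service).
# On a live system the same check would be run as: klist | tgt_summary

# tgt_summary (hypothetical name) reads klist output on stdin. It returns 0 and
# prints a one-line summary when a ticket for krbtgt/REALM@REALM is listed,
# where REALM is the default principal's own realm; otherwise it returns 1.
tgt_summary() {
    awk '
        /^Ticket cache:/      { cache = $3 }
        /^Default principal:/ { princ = $3; realm = princ; sub(/^.*@/, "", realm) }
        # Ticket rows have five fields; the fifth is the service principal.
        NF == 5 && realm != "" && $5 == ("krbtgt/" realm "@" realm) {
            found = 1; svc = $5; expiry = $3 " " $4
        }
        END {
            if (!found) exit 1
            printf "principal=%s cache=%s tgt=%s expires=%s\n", princ, cache, svc, expiry
        }
    '
}

# Sample 1: the klist output shown on this page.
SAMPLE_KLIST='Ticket cache: /var/tmp/krb5cc_1234
Default principal: your_name@YOUR.REALM
Valid starting       Expires              Service principal
24-Jul-95 12:58:02   24-Jul-95 20:58:15   krbtgt/YOUR.REALM@YOUR.REALM'

# Sample 2 (constructed): the only krbtgt entry names another realm, so the
# cache holds no TGT for YOUR.REALM itself.
SAMPLE_NO_TGT='Ticket cache: /var/tmp/krb5cc_1234
Default principal: your_name@YOUR.REALM
Valid starting       Expires              Service principal
24-Jul-95 12:58:02   24-Jul-95 20:58:15   krbtgt/OTHER.REALM@YOUR.REALM'

printf '%s\n' "$SAMPLE_KLIST" | tgt_summary
printf '%s\n' "$SAMPLE_NO_TGT" | tgt_summary || echo "no TGT for the default realm"
```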