Tags: linux, kerberos, systemd, mit-kerberos

Avoiding kinit when cache still has credentials


I have a systemd service that calls a webservice to perform some maintenance periodically (every minute). The service looks like:

[Service]
Type=oneshot
ExecStart=/usr/bin/kinit -kt user.keytab user@DOMAIN
ExecStart=/usr/bin/curl --tlsv1.2 --cacert cert.pem --negotiate --user user: --url https://website/maintenance

Now this destroys and reinitializes my Kerberos ticket every time. The kinit can take up to 2-3 min.

I would like to avoid that step and only kinit if needed. Any ideas?


Solution

  • After researching a bit more, I realized having logic in a systemd service didn't seem like a good idea. So I decided to go with the suggestion by Elliott Frisch and create a script for it:

    #!/bin/bash
    # check if ticket is present and not expired
    if [[ $(klist -l | awk 'tolower($0) ~ /user/ && tolower($0) !~ /expired/') ]]; then
        echo "using ticket cache"
    else
        echo "no cache authentication for user, kinit needed"
        /usr/bin/kinit -kt /user.keytab user@DOMAIN
    fi
    /usr/bin/curl --tlsv1.2 --cacert cert.pem --negotiate --user user: --url https://website/maintenance
    

    I am then calling this script in my systemd service.
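The accepted script greps `klist -l` output for the substring "user", which also matches any other cache or principal that happens to contain that word. The added example below is not part of the question or the answer; it checks the default cache for a non-expired TGT belonging to the exact principal before deciding whether to run kinit. It assumes MIT Kerberos `klist` output (which marks expired tickets as `>>>Expired<<<`), the principal `user@DOMAIN`, keytab path and curl command from the page, and a `--run` argument that a systemd `ExecStart=` line would pass; the `klist` samples at the end are constructed for illustration.

```shell
#!/bin/bash
# Added example, not the original poster's script.
# Refresh the Kerberos ticket only when the cache holds no usable TGT
# for the expected principal, then call the maintenance web service.

PRINCIPAL="user@DOMAIN"            # principal from the question
KEYTAB="/user.keytab"              # keytab path from the answer
MAINTENANCE_URL="https://website/maintenance"

# Read `klist` output on stdin. Exit 0 when it shows the expected
# default principal AND a krbtgt entry that is not marked expired
# (MIT klist prints ">>>Expired<<<" in the Expires column).
tgt_usable() {
    local principal="$1"
    local realm="${1#*@}"
    awk -v p="$principal" -v r="$realm" '
        /^Default principal:/ { have_principal = ($3 == p) }
        index($0, "krbtgt/" r "@" r) && $0 !~ /Expired/ { have_tgt = 1 }
        END { exit !(have_principal && have_tgt) }'
}

# kinit only when the check fails (no cache, wrong principal, or expired TGT).
ensure_ticket() {
    if klist 2>/dev/null | tgt_usable "$PRINCIPAL"; then
        echo "using ticket cache"
    else
        echo "no usable ticket for $PRINCIPAL, kinit needed"
        /usr/bin/kinit -kt "$KEYTAB" "$PRINCIPAL"
    fi
}

run_maintenance() {
    /usr/bin/curl --tlsv1.2 --cacert cert.pem --negotiate --user user: \
        --url "$MAINTENANCE_URL"
}

# Constructed klist samples (not real output) used to exercise tgt_usable.
SAMPLE_VALID=$(cat <<'EOF'
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@DOMAIN

Valid starting       Expires              Service principal
01/02/2024 10:00:00  01/02/2024 20:00:00  krbtgt/DOMAIN@DOMAIN
EOF
)
SAMPLE_EXPIRED=$(cat <<'EOF'
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@DOMAIN

Valid starting       Expires              Service principal
01/02/2024 10:00:00  >>>Expired<<<        krbtgt/DOMAIN@DOMAIN
EOF
)
SAMPLE_OTHER_PRINCIPAL=$(cat <<'EOF'
Ticket cache: FILE:/tmp/krb5cc_1001
Default principal: other@DOMAIN

Valid starting       Expires              Service principal
01/02/2024 10:00:00  01/02/2024 20:00:00  krbtgt/DOMAIN@DOMAIN
EOF
)

# Real run only when invoked as: script.sh --run  (e.g. from ExecStart=)
if [ "${1:-}" = "--run" ]; then
    ensure_ticket
    run_maintenance
fi
```

Pointing `ExecStart=` at this script with `--run` keeps the unit itself free of logic, as the answer suggests. A ticket that is valid at check time can still expire before curl finishes, so for long-running jobs compare the Expires column against the current time with a safety margin rather than only testing for the expired marker.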