
Avoiding kinit when cache still has credentials

I have a systemd service that calls a webservice to perform some maintenance periodically (every minute). The service looks like:

[Service]
Type=oneshot
ExecStart=/usr/bin/kinit -kt user.keytab user@DOMAIN
ExecStart=/usr/bin/curl --tlsv1.2 --cacert cert.pem --negotiate --user user: --url https://website/maintenance

Now this destroys and reinitializes my Kerberos ticket every time. The kinit can take up to 2-3 min.

I would like to avoid that step and only kinit if needed. Any ideas?

Try the HTTP request, and use the status code to decide whether you need to try kinit. You could grep the output of curl like this:

curl -s -i http://www.example.com | grep "HTTP/" | tail -1

If it's "HTTP/1.1 401 Unauthorized", run kinit and try again. (See here for how to parse out just the numeric part of the response if you prefer)

The "tail -1" part is to make sure you only get the last code; because of the negotiate protocol, you will typically get multiple lines from the grep command, like this:

HTTP/1.1 401 Unauthorized
HTTP/1.1 200 OK

The first one is the initial challenge from the server; the second one is the final response code.
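The check described in this answer, written out as an added example (not code from the answer or the original poster): it extracts the last status line from the output of curl -s -i, treats a final 401 as "kinit needed", and wraps that in a request-then-retry flow. The sample responses are constructed, not captured from a real server, and the request and kinit commands are passed in as functions so the flow can be exercised without a network or a KDC; in the real service they would be the curl and kinit invocations from the question.

```shell
#!/bin/sh
# Added example: decide whether kinit is needed from the status line(s) of
# a curl -s -i run. Sample responses below are constructed.

# Print the numeric code of the LAST HTTP status line on stdin.
# A Negotiate exchange produces two status lines (the 401 challenge, then
# the final answer), so only the last one says whether the call succeeded.
# $2 of the status line works for "HTTP/1.1 200 OK" and "HTTP/2 200" alike.
last_http_status() {
    grep '^HTTP/' | tail -n 1 | awk '{print $2}'
}

# True (exit 0) when the final answer means the ticket is missing or stale.
needs_kinit() {
    [ "$1" = "401" ]
}

# Run the request once; if the final answer is 401, obtain a ticket and
# retry once. Prints the final status code; returns 1 if kinit fails.
# $1: a command that prints the response headers (real use: curl -s -i ...)
# $2: a command that obtains a ticket   (real use: kinit -kt keytab principal)
run_with_kinit_fallback() {
    request="$1"; kinit_cmd="$2"
    status=$("$request" | last_http_status)
    if needs_kinit "$status"; then
        "$kinit_cmd" || return 1
        status=$("$request" | last_http_status)
    fi
    printf '%s\n' "$status"
}

# Constructed sample: a successful SPNEGO exchange (challenge, then 200).
SAMPLE_OK='HTTP/1.1 401 Unauthorized
WWW-Authenticate: Negotiate
Content-Length: 0

HTTP/1.1 200 OK
Content-Type: text/plain

done'

# Constructed sample: no usable ticket, the server only sends the challenge.
SAMPLE_DENIED='HTTP/1.1 401 Unauthorized
WWW-Authenticate: Negotiate
Content-Length: 0
'

# Stand-alone demonstration on the constructed samples.
printf 'successful exchange -> %s\n' "$(printf '%s\n' "$SAMPLE_OK" | last_http_status)"
printf 'denied exchange     -> %s\n' "$(printf '%s\n' "$SAMPLE_DENIED" | last_http_status)"
```

In the service the call would be `run_with_kinit_fallback 'curl -s -i ...' 'kinit -kt ...'` with both wrapped in small shell functions; the retry is bounded to one attempt on purpose, so a broken keytab fails the unit instead of looping against the server every minute.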

After researching a bit more, I realized having logic in the systemd service didn't seem like a good idea. So I decided to go with the suggestion by Elliott Frisch and create a script for it:

#!/bin/bash
# check if ticket is present and not expired
if [[ $(klist -l | awk 'tolower($0) ~ /user/ && tolower($0) !~ /expired/') ]]; then
    echo "using ticket cache"
else
    echo "no cache authentication for user, kinit needed"
    /usr/bin/kinit -kt /user.keytab user@DOMAIN
fi
/usr/bin/curl --tlsv1.2 --cacert cert.pem --negotiate --user user: --url https://website/maintenance

I am then calling this script in my systemd service.
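A variant of the cache check from this script, added here as an example and not the original poster's code: it compares the principal column of `klist -l` output exactly instead of matching the substring "user" case-insensitively, so a cache for another principal that happens to contain the same letters (superuser@DOMAIN, or user in a different realm) cannot be mistaken for a valid ticket, and expired entries are still skipped. The listings below are constructed; the `ensure_ticket` wrapper assumes MIT Kerberos `klist` and `kinit` on PATH and the keytab path from the question.

```shell
#!/bin/sh
# Added example: check the credential cache collection for one specific
# principal before deciding to run kinit. Sample listings are constructed.

# Read `klist -l` output on stdin. Exit 0 when some cache has exactly the
# requested principal in its first column and is not marked "(Expired)".
cache_valid_for() {
    awk -v p="$1" '$1 == p && $0 !~ /\(Expired\)/ { found = 1 }
                   END { exit found ? 0 : 1 }'
}

# Constructed listing: the wanted principal has expired, while a different
# principal that also contains "user" is still valid. A substring match on
# "user" would wrongly report a usable ticket here.
LISTING_EXPIRED='Principal name                 Cache name
--------------                 ----------
user@DOMAIN                    KEYRING:persistent:1000:1000 (Expired)
superuser@DOMAIN               KEYRING:persistent:1000:krb_ccache_x'

# Constructed listing: the wanted principal has a live cache.
LISTING_VALID='Principal name                 Cache name
--------------                 ----------
user@DOMAIN                    KEYRING:persistent:1000:1000'

# Wrapper for the real service: kinit only when no live cache exists.
# $1: principal (e.g. user@DOMAIN)   $2: keytab path (e.g. /user.keytab)
ensure_ticket() {
    principal="$1"; keytab="$2"
    if klist -l 2>/dev/null | cache_valid_for "$principal"; then
        echo "using ticket cache for $principal"
    else
        echo "no valid cache for $principal, kinit needed"
        kinit -kt "$keytab" "$principal"
    fi
}

# Stand-alone demonstration on the constructed listings.
for listing in "$LISTING_EXPIRED" "$LISTING_VALID"; do
    if printf '%s\n' "$listing" | cache_valid_for user@DOMAIN; then
        echo "user@DOMAIN: valid cache present"
    else
        echo "user@DOMAIN: no valid cache"
    fi
done
```

Two caveats for the real service: `klist -l` lists a whole collection only for collection cache types (KEYRING:, DIR:, KCM:); with a plain FILE: cache there is only the default cache, and `klist -s` (silent, exit status 0 when the default cache holds an unexpired TGT) is the simpler test. Either way the check only looks at the ticket's expiry time, so a ticket the server refuses for another reason still ends in a 401, which is why the status-code check from the other answer is worth keeping as the fallback.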
