
Auto renew the Kerberos ticket

I had to use Kerberos authentication for the first time. It kinda works, but I feel like I'm missing a lot of understanding of what is going on and how to cook it properly.

Basically, what I need is for my Python script to run every couple of hours and send a request to a remote web server using a domain account in an MS AD environment.

The following code provides me with a ready-to-go session instance:

from requests import Session
import gssapi
from requests_gssapi import HTTPSPNEGOAuth

session = Session()
session.auth = HTTPSPNEGOAuth(mech=gssapi.mechs.Mechanism.from_sasl_name("SPNEGO"))

The script was added to the crontab of a user on a Linux box and kinit was used to obtain a ticket-granting ticket:

kinit -kt ~/ad_user.keytab ad_user@DOMAIN.COM

But after a while it all stopped because of the expired ticket. The solution was simple: adding the kinit to the crontab to run every 8 hours solved the issue.

I'm wondering if there is a better and more proper way to achieve the same? If I don't want/need to create a principal for the server in the AD, but simply want some code to always have a valid ticket - can I avoid having a dedicated task in the user's crontab?

Why don't you initiate the ticket cache directly in your code? This might help make it more transparent that your job relies on a Kerberos login and where it's located. (In 5 years when you come back to this code it will be hard to remember and this might save you some grief later.)

It will also help to ensure that someone can't accidentally disable your job by removing a cron job.

kinit from python script using keytab

I would do this in every script that requires authentication to reduce external dependencies.
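One way to do what the answer suggests, as an added example that is not code from the original question or answer: the script checks its own ticket cache and runs kinit from the keytab only when the cache is missing or expired. It assumes the MIT Kerberos `klist` and `kinit` tools are on the PATH; the function names and the cache path are hypothetical.

```python
import os
import stat
import subprocess


def keytab_is_private(path):
    """A keytab is password-equivalent, so require a regular file
    with no group/other permission bits set (e.g. mode 0600)."""
    mode = os.stat(path).st_mode
    return stat.S_ISREG(mode) and not mode & (stat.S_IRWXG | stat.S_IRWXO)


def ensure_ticket(principal, keytab, ccache, run=subprocess.run):
    """Make sure `ccache` holds an unexpired TGT for `principal`.

    Returns True if kinit had to be run, False if the cache was still valid.
    `run` is injectable so the logic can be exercised without a KDC.
    """
    if not keytab_is_private(keytab):
        raise PermissionError(f"{keytab} is accessible to group/other; chmod 600 it")

    # Point this process (and GSSAPI running inside it) at a job-specific
    # cache, so the job does not depend on the user's login cache.
    os.environ["KRB5CCNAME"] = ccache
    env = dict(os.environ)

    # MIT `klist -s` prints nothing and exits 0 only if the cache is
    # readable and not expired. It does not say how long the ticket has
    # left, so a long-running job should call ensure_ticket() again
    # before each batch of requests.
    if run(["klist", "-s"], env=env).returncode == 0:
        return False

    # Same call the question runs by hand, now made by the script itself.
    run(["kinit", "-k", "-t", keytab, principal], env=env, check=True)
    return True


if __name__ == "__main__":
    # Principal and keytab are the ones from the question; the cache
    # path is a hypothetical per-job location in the user's home.
    renewed = ensure_ticket(
        "ad_user@DOMAIN.COM",
        os.path.expanduser("~/ad_user.keytab"),
        "FILE:" + os.path.expanduser("~/.krb5cc_ad_user_job"),
    )
    print("ran kinit" if renewed else "existing ticket still valid")
    # The Session with HTTPSPNEGOAuth from the question is created after this.
```

Call `ensure_ticket()` before creating the `Session`, so that GSSAPI picks up the cache named in `KRB5CCNAME`.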
