
Avoiding kinit when cache still has credentials

I have a systemd service that calls a webservice to perform some maintenance periodically (every minute). The service looks like:

[Service]
Type=oneshot
ExecStart=/usr/bin/kinit -kt user.keytab user@DOMAIN
ExecStart=/usr/bin/curl --tlsv1.2 --cacert cert.pem --negotiate --user user: --url https://website/maintenance

Now this destroys and reinitializes my Kerberos ticket every time. The kinit can take up to 2-3 min.

I would like to avoid that step and only kinit if needed. Any ideas?


Answer

After researching a bit more, I realized having logic in systemd service didn’t seem like a good idea. So I decided to go with the suggestion by Elliott Frisch and create a script for it:

#!/bin/bash
# check if a ticket cache for the user is present and not expired
# (klist -l lists the caches in a collection; 2>/dev/null hides the error when none exists)
if [[ -n "$(klist -l 2>/dev/null | awk 'tolower($0) ~ /user/ && tolower($0) !~ /expired/')" ]]; then
    echo "using ticket cache"
else
    echo "no cache authentication for user, kinit needed"
    /usr/bin/kinit -kt /user.keytab user@DOMAIN
fi
/usr/bin/curl --tlsv1.2 --cacert cert.pem --negotiate --user user: --url https://website/maintenance

I am then calling this script in my systemd service.
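A variant of the same idea, added here as an example and not the poster's script: instead of grepping for the word "expired", it parses the expiry time of the krbtgt ticket from `klist` output and runs kinit when the ticket is missing or will lapse within a margin, so a ticket that expires between the check and the curl call does not break the job. It assumes MIT Kerberos `klist` output format and GNU `date`; the principal, keytab path and URL are the placeholders from the question.

```bash
#!/bin/bash
# Added example, not the original poster's script. Refresh the Kerberos TGT
# only when the cache for PRINCIPAL is missing or expires within MARGIN_SECONDS,
# so a ticket that lapses mid-run does not make the curl call fail.
# Assumes MIT Kerberos klist output ("MM/DD/YYYY HH:MM:SS" columns) and GNU date.
set -u

PRINCIPAL="${PRINCIPAL:-user@DOMAIN}"          # placeholder from the question
KEYTAB="${KEYTAB:-/user.keytab}"
MARGIN_SECONDS="${MARGIN_SECONDS:-300}"

# Constructed sample of `klist` output, used for self-checking below.
SAMPLE_KLIST_OUTPUT='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@DOMAIN

Valid starting       Expires              Service principal
03/10/2024 10:00:00  03/10/2024 20:00:00  krbtgt/DOMAIN@DOMAIN'

# tgt_fresh KLIST_OUTPUT PRINCIPAL DEADLINE
# Returns 0 when the cache belongs to PRINCIPAL and its krbtgt ticket expires
# after DEADLINE (local time as YYYYMMDDHHMMSS); 1 otherwise, including when
# the output is empty because no cache exists.
tgt_fresh() {
    printf '%s\n' "$1" | awk -v principal="$2" -v deadline="$3" '
        $1 == "Default" && $2 == "principal:" { owner = ($3 == principal) }
        $5 ~ /^krbtgt\// {
            split($3, d, "/"); split($4, t, ":")
            expires = d[3] d[1] d[2] t[1] t[2] t[3]   # reorder to YYYYMMDDHHMMSS
            if (owner && expires > deadline) ok = 1
        }
        END { exit ok ? 0 : 1 }'
}

# Run kinit only when the TGT is absent or about to expire.
refresh_if_needed() {
    local deadline output
    deadline=$(date -d "@$(( $(date +%s) + MARGIN_SECONDS ))" +%Y%m%d%H%M%S)
    output=$(klist 2>/dev/null) || output=""
    if tgt_fresh "$output" "$PRINCIPAL" "$deadline"; then
        echo "TGT for $PRINCIPAL valid beyond the margin, skipping kinit"
    else
        echo "TGT missing or expiring within ${MARGIN_SECONDS}s, running kinit"
        /usr/bin/kinit -kt "$KEYTAB" "$PRINCIPAL"
    fi
}

# Invoke as `script.sh run` from the systemd unit; with no argument the
# functions are only defined so the script can be sourced or tested.
if [ "${1:-}" = run ]; then
    refresh_if_needed
    /usr/bin/curl --tlsv1.2 --cacert cert.pem --negotiate --user user: --url https://website/maintenance
fi
```

With `ExecStart=/path/to/script.sh run` in the unit, the expensive kinit only happens when the TGT is actually missing or within five minutes of expiry.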

User contributions licensed under: CC BY-SA