-1

I have a systemd service that calls a webservice to perform some maintenance periodically (every minute). The service looks like:

[Service]
Type=oneshot
ExecStart=/usr/bin/kinit -kt user.keytab user@DOMAIN
ExecStart=/usr/bin/curl --tlsv1.2 --cacert cert.pem --negotiate --user user: --url https://website/maintenance

Now this destroys and reinitializes my Kerberos ticket every time. The kinit can take up to 2-3 min.

I would like to avoid that step and only kinit if needed. Any ideas?

rptmat57

2 Answers

0

Try the HTTP request, and use the status code to decide whether you need to try kinit. You could grep the output of curl like this:

curl -s -i http://www.example.com | grep "HTTP/" | tail -1

If it's "HTTP/1.1 401 Unauthorized", run kinit and try again. (See here for how to parse out just the numeric part of the response if you prefer)

The "tail -1" part is to make sure you only get the last code; because of the negotiate protocol, you will typically get multiple lines from the grep command, like this:

HTTP/1.1 401 Unauthorized
HTTP/1.1 200 OK

The first one is the initial challenge from the server; the second one is the final response code.

John B
  • Thank you, that is a good suggestion. However, I'd like to avoid an unnecessary call to my webservice, so I am going to go with the other suggestion – rptmat57 Mar 27 '19 at 02:11
0

After researching a bit more, I realized having logic in a systemd service didn't seem like a good idea. So I decided to go with the suggestion by Elliott Frisch and create a script for it:

#!/bin/bash
# check if ticket is present and not expired
if [[ $(klist -l | awk 'tolower($0) ~ /user/ && tolower($0) !~ /expired/') ]]; then
    echo "using ticket cache"
else
    echo "no cache authentication for user, kinit needed"
    /usr/bin/kinit -kt /user.keytab user@DOMAIN
fi
/usr/bin/curl --tlsv1.2 --cacert cert.pem --negotiate --user user: --url https://website/maintenance

I am then calling this script in my systemd service.

rptmat57
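An added example, not part of either answer above: the substring match on "user" in the script also accepts a row such as superuser@DOMAIN or a cache path that contains "user", so kinit can be skipped while the wanted principal's ticket is expired. The sketch below matches the principal column exactly; it assumes the MIT Kerberos `klist -l` layout (principal in the first column, "(Expired)" appended to expired rows), and the PRINCIPAL and KEYTAB variables and function names are hypothetical.

```shell
#!/bin/bash
# Added example, not the poster's script. PRINCIPAL and KEYTAB are
# hypothetical variables; their defaults mirror the placeholders on this page.
PRINCIPAL="${PRINCIPAL:-user@DOMAIN}"
KEYTAB="${KEYTAB:-/user.keytab}"

# has_valid_cache PRINCIPAL
# Reads `klist -l` output on stdin. Succeeds only if some row's first column
# is exactly PRINCIPAL (case-sensitive) and that row is not marked "(Expired)".
# The header and dashed rule never equal a principal, so they need no skipping.
has_valid_cache() {
    awk -v want="$1" '
        $1 == want && $0 !~ /\(Expired\)[ \t]*$/ { ok = 1 }
        END { exit (ok ? 0 : 1) }
    '
}

# Run kinit only when no usable cache exists for PRINCIPAL.
ensure_ticket() {
    if klist -l 2>/dev/null | has_valid_cache "$PRINCIPAL"; then
        echo "using ticket cache"
    else
        echo "no valid cache for $PRINCIPAL, kinit needed"
        /usr/bin/kinit -kt "$KEYTAB" "$PRINCIPAL"
    fi
}

# Constructed sample of `klist -l` output: the wanted principal is expired,
# and a different principal whose name contains "user" is still valid.
SAMPLE='Principal name                 Cache name
--------------                 ----------
superuser@DOMAIN               FILE:/tmp/krb5cc_1000
user@DOMAIN                    FILE:/tmp/krb5cc_user (Expired)'

# Act only when invoked with "run", so sourcing the file has no side effects.
if [ "${1:-}" = "run" ]; then
    ensure_ticket
fi
```

On the constructed sample, the substring filter would report a usable cache because of the superuser@DOMAIN row, while `has_valid_cache user@DOMAIN` reports that kinit is needed.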