
Description

I am trying to run a script that runs, many times, another script requiring Kerberos. MainScript.sh has a loop where it launches ScriptUsingKerberos.sh many times over time (more than 600 times per day). E.g.:

./MainScript.sh
|-- ScriptUsingKerberos.sh
|-- ScriptUsingKerberos.sh
|-- ...
\-- ScriptUsingKerberos.sh

ScriptUsingKerberos.sh - the part checking my Kerberos ticket validity:

echo " INFO: Checking the validity of your last Kerberos ticket..."
# The cache must mention our principal; otherwise it belongs to someone else,
# or klist printed no ticket at all.
if ! klist 2>&1 | grep -q "${USER_NAME}@${DOMAIN}"
then
    echo "ERROR: User ${USER_NAME} does not match the user listed in the 'oklist' command, aborting."
    exit 1
fi

# Take the "Expires" column (MM/DD/YY HH:MM:SS) of every ticket line that ends
# in the oracle service principal, rewrite it as YYYY-MM-DD HH:MM:SS (assumes a
# 20xx year), convert it to epoch seconds and keep the earliest one.
aKerberosExpirationDate="$(klist 2>&1 \
    | tr '[:blank:]' ' ' \
    | grep -o '[[:blank:]][0-9][0-9]/[0-9][0-9]/[0-9][0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9][[:blank:]][[:blank:]]*oracle' \
    | sed 's/oracle//g' \
    | sed 's/^[[:blank:]]*//g' \
    | sed 's/[[:blank:]]*$//g' \
    | sed -r 's;([0-9][0-9])/([0-9][0-9])/([0-9][0-9]);20\3-\1-\2;g' \
    | while IFS= read -r aLine; do date +%s -d "${aLine}"; done \
    | sort -n \
    | head -n 1)"
aNowDate=$(date +%s)
# No expiry found, or already expired: re-authenticate with the stored password.
if [[ -z "${aKerberosExpirationDate}" || ${aKerberosExpirationDate} -le ${aNowDate} ]]
then
    if ! 2>/dev/null 1>&2 kinit "${USER_NAME}@${DOMAIN}" <<< "${USER_PASSWORD}"
    then
        echo "ERROR: Your password in ${FILE_PWD} file seems incorrect or Kerberos token reset failed"
        exit 1
    fi
fi

Working case

So this works perfectly fine. Example of klist working:

Ticket cache: FILE:/tmp/krb5cc_8522420
Default principal: ********@******.***

Valid starting     Expires            Service principal
10/27/21 08:42:08  10/27/21 18:42:08  krbtgt/********@******.***@********@******.***
        renew until 10/28/21 08:42:08
01/01/70 00:00:00  01/01/70 00:00:00  krb5_ccache_conf_data/pa_type/krbtgt\/********@******.***\@********@******.***@X-CACHECONF:
10/27/21 08:42:08  10/27/21 18:42:08  oracle/********@********@******.***
        renew until 10/28/21 08:42:08


Kerberos 4 ticket cache: /tmp/tkt8522420
klist: You have no tickets cached

Here we can see a ticket, so I can grep on it to check its validity.

NOT working case

But at some point, after many successful executions, I only get:

Kerberos Utilities for Linux: Version 18.0.0.0.0 - Production on 27-OCT-2021 08:10:17

Copyright (c) 1996, 2017 Oracle.  All rights reserved.

Then I cannot check the Kerberos ticket validity, and I exit, guessing there was an error.

Questions

  • Why is klist not displaying any ticket anymore?
  • Is this normal behavior?
  • Is there a way to continue displaying the outdated ticket with klist, as before?
  • Is there any daemon/program that resets Kerberos ticket validity?
user12642493
  • Kerberos tickets have two values that define their lifetime and renewable time. See: https://stackoverflow.com/a/15457265/7939871 Once a ticket has expired, it is no longer in the list, and you may ask for a renewed ticket if the renewal period allows it. You could probably have the script store its current ticket in a file with the renewal deadline. On script startup, check if it has a saved ticket that is still valid, or able to be renewed, and if not, request a new one (which means the user re-authenticating). – Léa Gris Oct 27 '21 at 10:50
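A more robust version of the validity check in the question, added here as an example; it is not code from the question, the comment or the answer below. It reads klist output on stdin, takes the Expires column of every ticket whose service principal starts with a given prefix (oracle/ for the question's case), converts both that time and "now" to seconds with a days-from-civil calculation inside awk (so GNU date -d is not required), and distinguishes three outcomes that the original script folds into one: no ticket line at all (the banner-only output, which is not an expiry and should not be reported as a wrong password), expired or below a minimum remaining lifetime (a margin the answer below mentions but does not check), or fine. Assumptions: two-digit years are 20xx, klist prints local wall-clock time and "now" is taken from the same clock (so the offset cancels, except across a DST change), and the sample outputs are constructed, with placeholder principals such as alice@EXAMPLE.COM.

```sh
#!/bin/sh
# Added example (not from the question, the comment or the answer).
# Constructed klist output: the question's working case with placeholder names.
SAMPLE_OK='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting     Expires            Service principal
10/27/21 08:42:08  10/27/21 18:42:08  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 10/28/21 08:42:08
01/01/70 00:00:00  01/01/70 00:00:00  krb5_ccache_conf_data/pa_type/krbtgt\/EXAMPLE.COM\@EXAMPLE.COM@X-CACHECONF:
10/27/21 08:42:08  10/27/21 18:42:08  oracle/db1.example.com@EXAMPLE.COM
        renew until 10/28/21 08:42:08'

# Constructed "not working" output: a banner and no ticket lines.
SAMPLE_BANNER='Kerberos Utilities for Linux: Version 18.0.0.0.0 - Production on 27-OCT-2021 08:10:17

Copyright (c) 1996, 2017 Oracle.  All rights reserved.'

# Print the seconds left on the earliest-expiring ticket whose service
# principal starts with $1, relative to $2 (YYYYMMDDHHMMSS on the same local
# wall clock klist prints; defaults to now). klist output is read on stdin.
# Returns 1 and prints nothing when no ticket line is present at all.
ticket_seconds_left() {
    prefix="$1"
    now="${2:-$(date '+%Y%m%d%H%M%S')}"
    awk -v prefix="$prefix" -v now="$now" '
    # Days since 1970-01-01 for a Gregorian date (days_from_civil algorithm).
    # Operands are forced numeric: substr() and concatenation yield strings,
    # and a string compared with a number would compare lexically in awk.
    function days(y, m, d,    era, yoe, doy, doe) {
        y += 0; m += 0; d += 0
        y -= (m <= 2)
        era = int(y / 400)
        yoe = y - era * 400
        doy = int((153 * (m + (m > 2 ? -3 : 9)) + 2) / 5) + d - 1
        doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
        return era * 146097 + doe - 719468
    }
    function secs(y, m, d, H, M, S) {
        return days(y, m, d) * 86400 + H * 3600 + M * 60 + S
    }
    BEGIN {
        nowsec = secs(substr(now, 1, 4), substr(now, 5, 2), substr(now, 7, 2),
                      substr(now, 9, 2), substr(now, 11, 2), substr(now, 13, 2))
        best = ""
    }
    # A ticket line: "MM/DD/YY HH:MM:SS  MM/DD/YY HH:MM:SS  service/host@REALM".
    # "renew until" lines fail the first-field test; the 01/01/70 X-CACHECONF
    # pseudo-entry fails the service-prefix test (as long as the prefix is the
    # real service name and not just "krb").
    $1 ~ /^[0-9][0-9]\/[0-9][0-9]\/[0-9][0-9]$/ && NF >= 5 && index($5, prefix) == 1 {
        split($3, dt, "/"); split($4, tm, ":")
        e = secs("20" dt[3], dt[1], dt[2], tm[1], tm[2], tm[3])   # assumes a 20xx year
        if (best == "" || e < best) best = e
    }
    END {
        if (best == "") exit 1
        print best - nowsec
    }'
}

# Decide what ScriptUsingKerberos.sh should do. $1 = service prefix,
# $2 = minimum seconds the ticket must still be good for, $3 = now (optional,
# as above). Prints "valid", "renew" (expired or below the margin) or
# "missing" (no ticket line at all: a different klist binary or a different
# cache, which is not an expiry and deserves its own error message).
ticket_state() {
    prefix="$1"; margin="$2"; now="${3:-}"
    if left="$(ticket_seconds_left "$prefix" "$now")"; then
        if [ "$left" -gt "$margin" ]; then echo valid; else echo renew; fi
    else
        echo missing
    fi
}

# Demo on the constructed samples. In ScriptUsingKerberos.sh the input would
# be live:   klist 2>&1 | ticket_state 'oracle/' 300
printf '%s\n' "$SAMPLE_OK" | ticket_state 'oracle/' 300 20211027120000      # valid
printf '%s\n' "$SAMPLE_BANNER" | ticket_state 'oracle/' 300 20211027120000  # missing
```

Filter on the full service name, not a short prefix: with "krb", the 01/01/70 X-CACHECONF pseudo-entry would match and, under the 20xx assumption, be read as expiring in 2070, so the script would never renew. "missing" is the case to log loudly; it means klist is not showing this cache, not that the password is wrong.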

1 Answer


Why is klist not displaying any ticket anymore?

This actually makes me suspect you have two sets of Kerberos tools – i.e. you have the MIT klist and the Oracle klist (I didn't know that exists!) in different locations.

But you should investigate further: make your scripts log the value of $KRB5CCNAME and $PATH as well as the full path returned by which klist, and see if either of them changes at some point. (For example, maybe your script changes $PATH, and suddenly finds a different 'klist' tool than before, and that other 'klist' uses an incompatible ticket cache format.)

Is there a way to continue displaying the outdated ticket with klist, as before?

It always does. If tickets disappear, it means either that something removed them (and it certainly wasn't klist), or that you're looking at an entirely different credential cache than before.

Is there any daemon/program that resets Kerberos ticket validity?

Yes, there are multiple options, although they generally need you to have a keytab rather than a password. (Services, even those acting as clients, typically have keytabs.)

  • Use k5start or krenew from kstart. The former is used to get tickets and launch the client at once (it'll keep renewing tickets as long as the program runs), while the latter can be used to maintain manually-acquired tickets. This is fairly portable; you should be able to install it on any Linux or Unix-like OS.

  • Use a cronjob that calls kinit every 3 hours or so. This works everywhere.

  • Delegate ticket management to gss-proxy. This is Linux-specific.

  • If using MIT Krb5, export KRB5_CLIENT_KTNAME= with the keytab path, and libkrb5 itself will acquire tickets when needed. This needs a fairly recent MIT Krb5 – yours is probably much too old (judging by the fact that it still has Kerberos 4 support).

Oh, and if you choose to use kinit, then it would probably be easier to just ask klist -s whether the tickets are valid or not:

if klist -5 -s; then
    echo "I have a valid TGT, continuing."
    # (Of course, it could be valid for only 5 seconds, but you're currently
    # not checking for that anyway.)
else
    echo "I don't have a valid TGT, trying to get one using a keytab."
    if ! kinit -k -t "$keytab_path"; then
        echo "Failed to get a TGT!"
        exit 1
    fi
fi
user1686
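To act on the diagnostic advice in the answer (log $KRB5CCNAME, $PATH and the klist that gets resolved on every iteration and look for the point where they change), here is an added example that MainScript.sh can call before each launch; it is not code from the answer or the question. It resolves klist by walking the PATH string it is given (what which klist does, but for any PATH value, so a captured or fake one can be tested), records the credential cache name and whether a FILE: cache still exists, and reports the first iteration where either differs from the previous one, which is exactly the "different tool or different cache" situation the answer describes. Arguments are explicit so the functions can be exercised with a fake PATH; in the real loop pass "$PATH" and "${KRB5CCNAME:-}". Assumed: MIT's default cache FILE:/tmp/krb5cc_<uid> when KRB5CCNAME is unset (the naming seen in the question's klist output), and a state file path of your choosing.

```sh
#!/bin/sh
# Added example (not from the question or the answer): record, on every
# iteration of MainScript.sh, which klist binary and which credential cache
# ScriptUsingKerberos.sh would use, and report the first iteration where
# either changes.

# Walk a PATH string the way the shell does and print the first executable
# match; return 1 if there is none. Taking PATH as an argument lets the
# caller pass the captured or current value explicitly.
resolve_in_path() {
    name="$1"; saved_ifs="$IFS"; IFS=:
    for dir in $2; do
        candidate="${dir:-.}/$name"
        if [ -f "$candidate" ] && [ -x "$candidate" ]; then
            IFS="$saved_ifs"; printf '%s\n' "$candidate"; return 0
        fi
    done
    IFS="$saved_ifs"; return 1
}

# One line describing the Kerberos client environment: the klist that $1
# (a PATH value) resolves to, the credential cache named by $2 (KRB5CCNAME;
# when empty, the MIT default FILE:/tmp/krb5cc_<uid>, the naming shown in
# the question) and whether a FILE: cache currently exists.
krb_env_fingerprint() {
    ccname="${2:-FILE:/tmp/krb5cc_$(id -u)}"
    klist_bin="$(resolve_in_path klist "$1" || echo 'not-in-PATH')"
    case "$ccname" in
        FILE:*) ccfile="${ccname#FILE:}" ;;
        *)      ccfile="" ;;   # DIR:, KEYRING:, KCM: caches are not inspected here
    esac
    if [ -z "$ccfile" ]; then ccstate="not-a-file-cache"
    elif [ -f "$ccfile" ]; then ccstate="present"
    else ccstate="absent"; fi
    printf 'klist=%s cache=%s(%s)\n' "$klist_bin" "$ccname" "$ccstate"
}

# Compare the current fingerprint with the one saved in $1 by the previous
# iteration ($2 = PATH value, $3 = KRB5CCNAME value). Prints "baseline: ..."
# on the first run, "unchanged" while nothing moved, and "changed: old -> new"
# with exit status 1 when the klist binary or the cache differ, so the loop
# can stop or log instead of guessing that the password was wrong.
krb_env_check() {
    state_file="$1"
    current="$(krb_env_fingerprint "$2" "$3")"
    if [ ! -f "$state_file" ]; then
        printf '%s\n' "$current" > "$state_file"
        printf 'baseline: %s\n' "$current"
        return 0
    fi
    previous="$(cat "$state_file")"
    printf '%s\n' "$current" > "$state_file"
    if [ "$current" = "$previous" ]; then
        echo unchanged
        return 0
    fi
    printf 'changed: %s -> %s\n' "$previous" "$current"
    return 1
}

# In MainScript.sh, before each launch (the state file path is our choice):
#   krb_env_check /tmp/krb_env.state "$PATH" "${KRB5CCNAME:-}" \
#       || { echo "ERROR: Kerberos tools or cache changed, aborting."; exit 1; }
#   ./ScriptUsingKerberos.sh
```

A "changed" line whose klist path moves to a different directory confirms the two-toolsets hypothesis; one whose cache flips from present to absent points at whatever removed the cache file (a cleanup job on /tmp, a logout hook, or an okdstry/kdestroy call in another script), which is the other possibility the answer raises.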