Created
March 8, 2019 10:41
Kerberos ticket renewal for all cache files on a machine
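#!/bin/sh
# This script automatically renews renewable Kerberos tickets
# of all users on a given machine (to prevent timeouts for
# long-running tasks of logged-in users).
# It also removes expired tickets from cache files.
#
# The script calls "sudo -u <cache owner>" for kinit and kdestroy, so it
# has to run as a user that is allowed to do that. The cache files it
# works on live in /tmp, so their names and contents are written by
# ordinary local users and must be treated as untrusted input.
#
# Environment (each may be preset by the caller; defaults below):
#   RENEWAL_THREASHOLD  renew when the ticket expires within this many
#                       seconds (the spelling is part of the interface)
#   VERBOSE             greater than 0 enables debug logging
#   LOGFILE             file that log lines are appended to
#   NO                  greater than 0 means dry run: log only, do not
#                       call kinit or kdestroy

# Quoted so that a caller-supplied value is never word-split or globbed
# when it is passed to the ":" no-op.
: "${RENEWAL_THREASHOLD:=3600}"
: "${VERBOSE:=0}"
: "${LOGFILE:=/var/log/krb5renew.log}"
: "${NO:=0}"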
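# Append one message line to the log file, regardless of VERBOSE.
# Globals:   LOGFILE (read)
# Arguments: $1 - message text
logerror()
{
  # printf '%s\n' writes the message verbatim. Messages contain file names
  # taken from /tmp, so they must never be interpreted as echo options or
  # escape sequences. LOGFILE is quoted so a path with spaces still works.
  printf '%s\n' "${1}" >> "${LOGFILE}"
}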
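# Append one message line to the log file, but only when VERBOSE is
# greater than 0.
# Globals:   VERBOSE (read), LOGFILE (read)
# Arguments: $1 - message text
logdebug()
{
  if [ "${VERBOSE}" -gt 0 ]; then
    # Written verbatim: the text may contain file names taken from /tmp.
    printf '%s\n' "${1}" >> "${LOGFILE}"
  fi
}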
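logdebug "Kerberos renewal run at $(date)"

if [ "${NO}" -gt 0 ]; then
  logdebug "Not doing anything"
fi

# Walk every credential cache in /tmp.
#
# SECURITY: /tmp is world-writable, so any local user chooses the names and
# the contents of the krb5cc* files seen here. A glob is used instead of
# word-splitting the output of find, and every expansion is quoted, so a
# name containing whitespace or glob characters stays a single argument.
for CACHE_FILE in /tmp/krb5cc*; do
  # Regular files only. Symlinks are skipped explicitly because -f alone
  # would follow them; an unmatched glob (the literal pattern) is skipped
  # here as well.
  if [ -L "${CACHE_FILE}" ] || [ ! -f "${CACHE_FILE}" ]; then
    continue
  fi

  # Owner and group come from a single ls call so both describe the same
  # state of the file. Only the first output line is read, in case the
  # file name itself contains a newline.
  OWNER_GROUP=$(ls -ld "${CACHE_FILE}" | awk 'NR == 1 {print $3, $4}')
  OWNER=${OWNER_GROUP%% *}
  GROUP=${OWNER_GROUP#* }
  if [ -z "${OWNER}" ]; then
    logerror " Could not determine owner of ${CACHE_FILE}; skipping"
    continue
  fi

  # Determine expiration timestamp of the ticket granting ticket in the
  # cache file as well as the current system timestamp. Only the first
  # krbtgt line is used so that date receives exactly one timestamp.
  # NOTE(review): klist parses a user-supplied file with this script's own
  # privileges; consider running it through "sudo -u owner" like kinit
  # and kdestroy below.
  # NOTE(review): fields 1-4 are the first timestamp on the krbtgt line;
  # confirm that this is the expiry column for the klist in use.
  EXPIRE_TIME_STRING=$(klist -c "${CACHE_FILE}" | awk '/krbtgt/ {print $3, $1, $2, $4; exit}')
  EXPIRE_TIMESTAMP=$(date -j -f "%H:%M:%S %b %e %Y" "${EXPIRE_TIME_STRING}" +%s)
  CURRENT_TIMESTAMP=$(date +%s)

  # Show some debug information
  logdebug " Renewal for ${OWNER}:${GROUP} in ${CACHE_FILE}"
  logdebug " Ticket expiry: ${EXPIRE_TIME_STRING}"
  logdebug " Ticket expire time: ${EXPIRE_TIMESTAMP}"
  logdebug " Current timestamp: ${CURRENT_TIMESTAMP}"

  # The cache content is untrusted: never do arithmetic on, or base a
  # destroy/renew decision on, a value that is not a plain number.
  case "${EXPIRE_TIMESTAMP}" in
    '' | *[!0-9]*)
      logerror " Could not determine ticket expiry for ${CACHE_FILE}; skipping"
      continue
      ;;
  esac

  REMAINING=$((EXPIRE_TIMESTAMP - CURRENT_TIMESTAMP))
  logdebug " Ticket is valid for the next ${REMAINING} seconds"

  if [ "${REMAINING}" -le 0 ]; then
    # Ticket has already expired. We will destroy the ticket store
    logdebug " Cleaning expired (at ${EXPIRE_TIME_STRING}) for ${OWNER}:${GROUP} in ${CACHE_FILE}"
    if [ "${NO}" -eq 0 ]; then
      # Runs as the file's owner, so it can only touch what that user
      # could touch anyway.
      if ! sudo -u "${OWNER}" kdestroy -c "${CACHE_FILE}" > /dev/null; then
        logerror " Failed to destroy expired ${CACHE_FILE} for ${OWNER}:${GROUP}"
      fi
    fi
  elif [ "${REMAINING}" -le "${RENEWAL_THREASHOLD}" ]; then
    # Ticket will expire in the next moments. We will try to renew the ticket
    logdebug " Ticket at ${CACHE_FILE} for ${OWNER}:${GROUP} will expire in ${REMAINING} seconds. Trying renew."
    if [ "${NO}" -eq 0 ]; then
      # The result is tested on the kinit call itself, so a dry run no
      # longer reports a renewal that never happened.
      if sudo -u "${OWNER}" kinit -R -c "${CACHE_FILE}" > /dev/null; then
        logdebug " Renewed tickets for ${OWNER}:${GROUP} at ${CACHE_FILE}"
      else
        logerror " Failed to renew ${CACHE_FILE} for ${OWNER}:${GROUP}"
      fi
    fi
  else
    # In any other case we do not touch the cachefile
    logdebug " Not touching ticket. Valid for ${REMAINING} seconds"
  fi
done

logdebug ""
logdebug ""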