Martin

Reputation: 91

launchd bash kinit not retrieving kerberos tickets

I'm trying to automate my Kerberos ticket renewal. The script below runs perfectly in Terminal, but it fails in Automator or launchd. Although the expect command returns without error, no new ticket is obtained; running klist returns an empty list.

Any help appreciated

#!/bin/sh
expect -c 'spawn /usr/bin/kinit USER@DOMAIN; expect "password:" { send "<password>" ; interact} '
if [ "$?" = "0" ]; then
echo "obtained kerberos token"
else
echo "couldn't obtain kerberos token"
exit 1;
fi
exit 0

Running in launchd, the following output is logged:

USER@DOMAIN's password:
obtained kerberos token


Solved by adding some timeout after the send command:

expect -c 'spawn /usr/bin/kinit USER@DOMAIN; expect "password:" { send "<password>" ; interact}; sleep 5 '

Note: as Samson mentions in his comment, having the password in a script file is a bad solution. I used it for testing only. Using a keytab is the right way to do this in Kerberos.

Upvotes: 1

Views: 2133

Answers (2)

Samson Scharfrichter

Reputation: 9067

Stuffing a hard-coded, clear-text password to a command prompt is an evil thing to do. Why use Kerberos authentication in the first place??

The expected way to create a Kerberos TGT in the background is to use a keytab (i.e. a file containing an encrypted "hash" of the password).

  1. check your krb5.conf for the list of expected/supported encryptions (e.g. aes256-cts-hmac-sha1-96, rc4-hmac)
  2. create the keytab with the ktutil utility (read a tutorial first, the commands are far from intuitive)
  3. test with kinit -kt /some/path/to/mykt.keytab
  4. restrict privileges on the keytab file because it would allow anyone to log in with your account

Upvotes: 2
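As an added example (not code from either poster), here is a launchd-friendly sh script that follows the keytab steps above: it refuses to use a keytab that other users can read, runs kinit -kt, and then checks klist for a TGT instead of trusting the exit status, which is what went wrong with the expect script in the question. The keytab path, the principal and the helper names (keytab_mode_ok, has_tgt_in, renew_ticket) are assumptions; the klist output embedded in it is constructed for illustration.

```shell
#!/bin/sh
# Assumed locations (hypothetical): a keytab created with ktutil and the
# principal stored in it. Override via the environment if needed.
KEYTAB="${KEYTAB:-$HOME/.config/krb5/user.keytab}"
PRINC="${PRINC:-USER@DOMAIN}"

# Step 4 of the answer: the keytab is equivalent to the password, so only
# the owner may access it. Uses `ls -l` so it works on both macOS and Linux.
# Returns 0 for modes like 0600/0400/0700, 1 otherwise or if the file is missing.
keytab_mode_ok() {
    perms=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    [ -n "$perms" ] || return 1
    case "$perms" in
        -r??------) return 0 ;;   # no group/other permission bits set
        *)          return 1 ;;
    esac
}

# Reads klist output on stdin and returns 0 only if it lists a ticket-granting
# ticket for the realm of principal $1. Both Heimdal (macOS) and MIT klist
# print the TGT as krbtgt/REALM@REALM, so one fixed-string grep covers both.
has_tgt_in() {
    realm=${1#*@}
    grep -qF "krbtgt/$realm@$realm"
}

# Constructed Heimdal-style klist output, used only to show what has_tgt_in
# is matching against; a real run reads the output of `klist` instead.
SAMPLE_KLIST='Credentials cache: API:12345
        Principal: USER@DOMAIN

  Issued                Expires               Principal
Jan 10 09:00:00 2024  Jan 10 19:00:00 2024  krbtgt/DOMAIN@DOMAIN'

# Obtain a fresh TGT from the keytab and verify that the cache really has it.
renew_ticket() {
    keytab_mode_ok "$KEYTAB" || {
        echo "refusing to use $KEYTAB: missing or readable by others" >&2
        return 1
    }
    /usr/bin/kinit -kt "$KEYTAB" "$PRINC" || return 1
    # kinit's exit status alone is not enough evidence (see the question):
    # confirm the TGT is actually in the credentials cache launchd gave us.
    klist 2>/dev/null | has_tgt_in "$PRINC"
}

# Only perform the renewal when explicitly asked, e.g. from a launchd plist:
#   ProgramArguments: /path/to/renew.sh --run
if [ "${1:-}" = "--run" ]; then
    renew_ticket && echo "obtained kerberos ticket for $PRINC"
fi
```

Under launchd, remember that the script runs in its own session, so point it at the same credential cache your interactive tools use (or check klist from the same launchd context) when debugging.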

Martin

Reputation: 91

Adding a timeout to the expect command worked for me.

Upvotes: 2
