Better system keytab checking for client

certidude/cli.py

@@ -138,7 +138,9 @@ def certidude_request(fork, renew):
             endpoint_revocations_path = "/var/lib/certidude/%s/ca_crl.pem" % authority
         # TODO: Create directories automatically
 
+        system_keytab_required = False
         if clients.get(authority, "trigger") == "domain joined":
+            system_keytab_required = True
             if not os.path.exists("/etc/krb5.keytab"):
                 continue
         elif clients.get(authority, "trigger") != "interface up":
@@ -173,6 +175,7 @@ def certidude_request(fork, renew):
             try:
                 certidude_request_certificate(
                     authority,
+                    system_keytab_required,
                     endpoint_key_path,
                     endpoint_request_path,
                     endpoint_certificate_path,

certidude/helpers.py

@@ -26,7 +26,7 @@ def selinux_fixup(path):
     cmd = "chcon", "--type=home_cert_t", path
     subprocess.call(cmd)
 
-def certidude_request_certificate(server, key_path, request_path, certificate_path, authority_path, revocations_path, common_name, autosign=False, wait=False, bundle=False, renew=False, insecure=False):
+def certidude_request_certificate(server, system_keytab_required, key_path, request_path, certificate_path, authority_path, revocations_path, common_name, autosign=False, wait=False, bundle=False, renew=False, insecure=False):
     """
     Exchange CSR for certificate using Certidude HTTP API server
     """
@@ -189,7 +189,7 @@ def certidude_request_certificate(server, key_path, request_path, certificate_pa
                 return
 
     # If machine is joined to domain attempt to present machine credentials for authentication
-    if os.path.exists("/etc/krb5.keytab"):
+    if system_keytab_required:
         os.environ["KRB5CCNAME"]="/tmp/ca.ticket"
         # If Samba configuration exists assume NetBIOS name was used in keytab
         if os.path.exists("/etc/samba/smb.conf"):