diff --git a/certidude/auth.py b/certidude/auth.py
index 5a2c60b..a2a7919 100644
--- a/certidude/auth.py
+++ b/certidude/auth.py
@@ -1,7 +1,6 @@
 
 import click
 import falcon
-import kerberos # If this fails pip install kerberos
 import logging
 import os
 import re
@@ -13,6 +12,7 @@ from certidude import config, const
 logger = logging.getLogger("api")
 
 if "kerberos" in config.AUTHENTICATION_BACKENDS:
+    import kerberos # If this fails pip install kerberos
     ktname = os.getenv("KRB5_KTNAME")
 
     if not ktname:
diff --git a/certidude/cli.py b/certidude/cli.py
index 61bb77f..94f63f1 100755
--- a/certidude/cli.py
+++ b/certidude/cli.py
@@ -1174,10 +1174,11 @@ def certidude_serve(port, listen):
     from certidude import config
 
     # Fetch UID, GID of certidude user
-    import pwd
-    _, _, uid, gid, gecos, root, shell = pwd.getpwnam("certidude")
-    restricted_groups = []
-    restricted_groups.append(gid)
+    if os.getuid() == 0:
+        import pwd
+        _, _, uid, gid, gecos, root, shell = pwd.getpwnam("certidude")
+        restricted_groups = []
+        restricted_groups.append(gid)
 
     """
     Spawn signer process