To get kinit working you need to install krb5-workstation (CentOS and RedHat), and make sure that you have updated your /etc/krb5.conf (it should have your KDC server realm; best to copy it from the cluster).
On your second question:
The Kerberos ticket will have your identity, hence you don't need to do two-way SSL again (the -k option will use the simple method for curl).
On another note, if you want to go with user name and password (LDAP/file-based provider), a token can be obtained using the following command.
That token can then be used to access NiFi end-points on nifi-node1 only.
You would need to obtain a different token for node2, node3, etc...
Also keep in mind that NiFi will only continue to accept a token for the configured expiration time. The default is 12 hours, as you see in the kerberos-provider configuration. After expiration, a new token will be needed.
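The per-node and expiry behaviour described above can be handled on the client with a small token cache. This is an added example, not code from the original post or from NiFi; the `/nifi-api/access/token` path, the `Bearer` header, the five-minute refresh margin and the class and function names are assumptions made for illustration.

```python
import time
import urllib.parse
import urllib.request

TOKEN_LIFETIME_S = 12 * 60 * 60  # default expiration mentioned in the post
REFRESH_MARGIN_S = 5 * 60        # assumption: renew slightly before expiry


def fetch_token(node_url, username, password):
    """POST credentials to one node and return its token (assumed endpoint)."""
    body = urllib.parse.urlencode(
        {"username": username, "password": password}).encode()
    req = urllib.request.Request(
        node_url.rstrip("/") + "/nifi-api/access/token",
        data=body, method="POST")
    # Certificate verification stays enabled here, unlike curl -k.
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode().strip()


class NodeTokenCache:
    """Keeps one token per NiFi node and renews it before it expires."""

    def __init__(self, fetch, lifetime_s=TOKEN_LIFETIME_S, clock=time.time):
        self._fetch = fetch          # callable taking the node URL
        self._lifetime = lifetime_s
        self._clock = clock
        self._tokens = {}            # normalised node URL -> (token, issued_at)

    @staticmethod
    def _key(node_url):
        return node_url.rstrip("/").lower()

    def token_for(self, node_url):
        now = self._clock()
        cached = self._tokens.get(self._key(node_url))
        if cached and now - cached[1] < self._lifetime - REFRESH_MARGIN_S:
            return cached[0]
        # A token from another node is never reused: fetch from this node.
        token = self._fetch(node_url)
        self._tokens[self._key(node_url)] = (token, now)
        return token

    def auth_header(self, node_url):
        return {"Authorization": "Bearer " + self.token_for(node_url)}

    def invalidate(self, node_url):
        """Drop a node's token, e.g. after the node answers 401."""
        self._tokens.pop(self._key(node_url), None)
```

Bind the credentials when constructing the cache, for example `NodeTokenCache(lambda url: fetch_token(url, user, password))`, and pass a shorter `lifetime_s` if the provider's expiration has been lowered from the default.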