The AFS "Login" Process

Following the above, here is the complete, "expanded" series of events that take place in a typical remote shell session:

  1. You log in by providing your Unix username and password.

  2. You authenticate to Kerberos and obtain a ticket-granting ticket (TGT) by running kinit. (Verify with klist -5.)

  3. You use the TGT to obtain an AFS "token" by running aklog. (Verify with tokens.)

  4. You access files in the AFS space. Your actual access rights are determined by the combination of the token you are holding and the access control list (ACL) set on the directory, so a missing or expired token means you are treated as an anonymous user by the ACL. (List the access rules with fs la DIRECTORY.)
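A preflight check that a script can run before it touches AFS, as an added example (not code from the original page): it verifies the three things the steps above produce, the Kerberos TGT, the AFS token and the ACL right on the target directory, and names the step to repeat when one of them is missing. The parsing functions take command output as text, so they are exercised here on constructed sample output in the formats that klist, tokens and fs la print; the cell name example.org, the user alice, the directory path, and the use of klist -s (exit status only, no output) are assumptions made for the example.

```shell
#!/bin/sh
# Preflight check before a script uses AFS: confirm the Kerberos TGT, the AFS
# token and the ACL right that the login steps are supposed to produce.
# Added example, not code from the original page. Assumes MIT or Heimdal
# `klist`, OpenAFS `tokens` and `fs`; the cell example.org, the user alice
# and the directory path below are placeholders chosen for the example.

# has_tgt KLIST_OUTPUT
# True if the klist listing contains a ticket-granting ticket (krbtgt/...).
# Expiry is not checked here; the live wrapper uses `klist -s` for that.
has_tgt() {
    printf '%s\n' "$1" | grep -q 'krbtgt/'
}

# has_afs_token TOKENS_OUTPUT CELL
# True if `tokens` lists an unexpired token for afs@CELL. OpenAFS prints
# "[Expires ...]" for a live token and "[>> Expired <<]" for a dead one.
has_afs_token() {
    printf '%s\n' "$1" | grep "tokens for afs@$2" | grep -qv 'Expired'
}

# acl_rights FS_LA_OUTPUT NAME
# Print the rights string (e.g. rlidwka) that `fs la` shows for NAME, or
# nothing if NAME is not on the ACL. Only the "Normal rights:" block is read;
# "Negative rights:" entries take rights away and would need extra handling.
acl_rights() {
    printf '%s\n' "$1" | awk -v who="$2" '
        /^Negative rights:/ { exit }
        $1 == who           { print $2; exit }'
}

# has_right FS_LA_OUTPUT NAME LETTER
# True if NAME holds the single AFS right LETTER (one of r l i d w k a).
has_right() {
    case "$(acl_rights "$1" "$2")" in
        *"$3"*) return 0 ;;
        *)      return 1 ;;
    esac
}

# preflight CELL DIR NAME
# Live check against the real tools; returns non-zero with a hint naming the
# step to repeat.
preflight() {
    klist -s || { echo "no valid Kerberos TGT: run kinit" >&2; return 1; }
    has_afs_token "$(tokens)" "$1" \
        || { echo "no AFS token for $1: run aklog" >&2; return 1; }
    has_right "$(fs la "$2")" "$3" w \
        || { echo "$3 has no write right on $2: check fs la $2" >&2; return 1; }
    return 0
}

# Constructed sample outputs in the formats the real tools print.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.ORG

Valid starting       Expires              Service principal
01/15/24 09:00:00    01/15/24 19:00:00    krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
01/15/24 09:00:05    01/15/24 19:00:00    afs/example.org@EXAMPLE.ORG'

SAMPLE_TOKENS="Tokens held by the Cache Manager:

User's (AFS ID 1234) tokens for afs@example.org [Expires Jan 15 19:00]
   --End of list--"

SAMPLE_FS_LA='Access list for /afs/example.org/user/alice/bin is
Normal rights:
  system:administrators rlidwka
  alice rlidwka
  system:anyuser l'

# Run the live check only when invoked as: sh afs_preflight.sh CELL DIR NAME
if [ $# -eq 3 ]; then
    preflight "$1" "$2" "$3"
fi
```

Invoked as sh afs_preflight.sh example.org /afs/example.org/user/alice/bin alice at the top of a job, it stops the job with a pointer to the missing step instead of letting it fail later with an obscure permission error inside AFS.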

Interactive SSH process

Our SSH service is configured so that the password you type at login is checked against Kerberos (your Kerberos key is derived from that password). So when you log in over SSH with your password, steps 1 to 3 above are performed for you automatically and you can use AFS right away. This only works because the server sees your password: if you log in some other way, for example with an SSH key, no ticket or token is obtained and you have to run kinit and aklog yourself.

Non-interactive (Unattended) Processes

When a script is started under your Unix account by cron, at or any other delayed/controlled-execution facility, no Kerberos ticket (and therefore no AFS token) is obtained automatically. Part of the reason lies in Kerberos' security model: tickets are issued by the Kerberos server only to someone who proves possession of your secret key, so it is almost impossible, even for root on the local machine, to authenticate as you without your password. Where in Unix root would simply use sudo to impersonate any user, here that is impossible: changing the Unix user ID does not produce a ticket.

How an unattended process can nevertheless obtain a Kerberos ticket and an AFS token will be explained next.