here's the final procedure you should follow (for installing service "SERVICE" (mysql) on host "HOST" (deleuze)):

1. create local user SERVICE in /etc/passwd:

2. create Kerberos principal:

      kadmin.local -q "addprinc -policy service -randkey SERVICE/HOST"

3. export user's keys to /etc/keytabs/SERVICE.HOST:

      kadmin.local -q "ktadd -k /etc/keytabs/SERVICE.HOST SERVICE/HOST"

4. create OpenAFS user SERVICE.HOST

      pts cu SERVICE.HOST.hcoop.net

5. create OpenAFS group "SERVICE" if it doesn't exist, and add

      pts cg SERVICE

6. modify service's init script in /etc/init.d/ in the following way:

        start-stop-daemon --start --pidfile $PIDFILE \
            -c SERVICE:SERVICE \
            --exec /usr/bin/k5start -- -U -b -f /etc/keytabs/SERVICE.`hostname` \
            -K 300 -t -p $PIDFILE \
            <The original start command>

          start-stop-daemon --start --pidfile /var/run/SERVICE/k5start-SERVICE.pid \
             -c SERVICE:SERVICE \
             --exec /usr/bin/k5start -- -U -b -K 300 -t -p /var/run/SERVICE/k5start-SERVICE.pid \
             -f /etc/keytabs/SERVICE.`hostname`
          sleep 2

         start-stop-daemon --stop --pidfile /var/run/SERVICE/k5start-SERVICE.pid
         rm -f /var/run/SERVICE/k5start-SERVICE.pid

7. You give permissions in AFS space to group "SERVICE", or to user "SERVICE.HOST"