>>In case you're wondering .... for users that want this at our site, we
>>give them a special "cron" instance (kenh/cron in V5 format, kenh.cron in
>>V4 format) and let the user add the cron instance to the appropriate ACLs
>>in AFS.  Since that special cron user has restricted privileges (they
>>can't use it for interactive login by default), I'm comfortable with
>>that tradeoff.  But since we use Kerberos 5 with AFS, we use Kerberos 5
>>tools for that, so that won't help you.
>
>Hmmph.  So what do your cron users do when they want to write cron jobs 
>that modify files in AFS?  Trust all their fellow cron users?

The keytab file is protected via Unix permissions; cron jobs that run
under other users' IDs can't read the keytab.

--Ken
