Showing posts with label kerberos.

Tuesday, October 2, 2012

leave kerberos AFS tokens behind for root

To reach a user's AFS home directory from a VM where we log in as root and therefore hold no AFS tokens, we have to point KRB5CCNAME at the Kerberos credential cache of the user whose directories we want to access and take AFS tokens from it. For example, if test-user wants to access his AFS home as root from a VM, the steps are:

  1. Get Kerberos tickets for my username (they must be forwardable)
  2. Forward my tickets to the VM by logging in with credential delegation (e.g. ssh with GSSAPI delegation)
  3. Note the ticket cache filename that klist shows on the VM
  4. Log out of the VM
  5. Get non-forwardable root tickets
  6. Log in to the VM as root
  7. Point at the cache from step 3: export KRB5CCNAME=/tmp/filename
  8. Get new AFS tokens with afslog
  9. The AFS home directory of test-user should now be accessible as root

This also shows how Kerberos tickets can be misused: a forwarded cache left in /tmp is readable by root on that host. Destroy it with kdestroy before logging out, and do not forward tickets to hosts you do not trust.
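The nine steps above as one script, with helpers that pull the cache path and its owner out of klist output, as an added example that is not code from the original post. The host name and principals (VM, USER_PRINC, ROOT_PRINC) and the use of OpenAFS tokens(1) to confirm the result are assumptions; kinit, klist, kdestroy and afslog are used with the Heimdal semantics the post relies on.

```shell
#!/bin/sh
# Added example (not code from the original post): the nine steps as one
# script, plus helpers that pull the cache path and principal out of
# `klist` output. Assumed names: VM, USER_PRINC and ROOT_PRINC below;
# Heimdal kinit/klist/kdestroy/afslog semantics as in the post.

# Step 3: find the credential cache a forwarded login created. Handles the
# Heimdal header ("Credentials cache:") and the MIT one ("Ticket cache:")
# and drops the FILE: type prefix.
cache_from_klist() {
    printf '%s\n' "$1" \
      | sed -n -e 's/^Credentials cache: *//p' -e 's/^Ticket cache: *//p' \
      | head -n 1 \
      | sed 's/^FILE://'
}

# Whose cache it is; used to check we exported the right user's tickets.
principal_from_klist() {
    printf '%s\n' "$1" \
      | sed -n -e 's/^ *Principal: *//p' -e 's/^Default principal: *//p' \
      | head -n 1
}

# The procedure itself. It needs a KDC, the VM and two passwords, so it only
# runs when the script is started with the argument "run".
leave_tokens_behind() {
    VM=${VM:-vm.example.org}                        # assumed host name
    USER_PRINC=${USER_PRINC:-test-user@EXAMPLE.ORG} # assumed principals
    ROOT_PRINC=${ROOT_PRINC:-root@EXAMPLE.ORG}

    # 1-4: forwardable user ticket (-f), log in with delegation (ssh -K),
    # note the cache sshd created on the VM for the forwarded ticket, log out.
    kinit -f "$USER_PRINC"
    remote_klist=$(ssh -K "$VM" klist)
    cache=$(cache_from_klist "$remote_klist")
    owner=$(principal_from_klist "$remote_klist")
    echo "forwarded cache on $VM: $cache (owner $owner)"
    kdestroy            # the local user TGT is no longer needed

    # 5-8: non-forwardable root ticket (-F), log in as root, point KRB5CCNAME
    # at the cache left behind in /tmp and take AFS tokens from it.
    # tokens(1) is OpenAFS userland, assumed to be installed on the VM.
    kinit -F "$ROOT_PRINC"
    ssh "root@$VM" "export KRB5CCNAME=FILE:$cache; afslog; tokens"

    # 9: $owner's AFS home is now readable as root. The leftover cache is
    # exactly what the post warns about, so remove it when done.
    ssh "root@$VM" "kdestroy -c FILE:$cache"
    kdestroy
}

# Constructed klist output (Heimdal layout) to exercise the helpers offline.
SAMPLE_KLIST='Credentials cache: FILE:/tmp/krb5cc_1000_AbCdEf
        Principal: test-user@EXAMPLE.ORG

  Issued                Expires               Principal
Oct  2 10:00:00 2012  Oct  2 20:00:00 2012  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG'

echo "cache:     $(cache_from_klist "$SAMPLE_KLIST")"
echo "principal: $(principal_from_klist "$SAMPLE_KLIST")"

if [ "${1:-}" = run ]; then
    leave_tokens_behind
fi
```

Run without arguments it only parses the constructed sample; `sh script.sh run` performs the real procedure. The final kdestroy lines are the part the post's last sentence asks for: the cache that makes this work is also what any other root on the VM could have used.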



Friday, June 1, 2012

Kerberos Generate Keytab File

A keytab is a file containing pairs of Kerberos principals and their keys; for a user principal the key is derived from the password (service principals usually get random keys). It lets a user obtain tickets without typing the password, which is particularly useful for scripts that need Kerberos tickets without the password being written in plain text anywhere. Keytab files must be handled very carefully: anybody who can read the file can obtain tickets as that principal, so keep it mode 0600 and owned by the account that needs it.

Generate a keytab file (Heimdal ktutil; MIT ktutil is interactive and differs)
ktutil -k name.keytab add -p username@REALM.BLA -V <kvno> -e aes128-cts-hmac-sha1-96

ktutil prompts for the password. Note that -e takes a single enctype, so repeat the add command once per enctype you need; -V must equal the principal's current key version on the KDC, otherwise the stored key will not be accepted. The realm part of the principal is case-sensitive and conventionally uppercase. Avoid adding keys for des-cbc-crc, des-cbc-md4, des-cbc-md5, des3-cbc-sha1 and arcfour-hmac-md5: these enctypes are deprecated, and a keytab holding them is an offline-cracking target.

To get tickets using the keytab
kinit -kt name.keytab username@REALM.BLA

To list the keys stored in the keytab
ktutil -k name.keytab list

Keys inside a keytab file become invalid when the user changes the password, because the KDC then holds new keys with a higher kvno; regenerate the keytab afterwards.
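The keytab generation above as a script, as an added example that is not code from the original post: it uppercases the realm (assuming the site follows the usual uppercase convention), refuses the deprecated DES, triple-DES and arcfour enctypes (RFC 6649 and RFC 8429), creates the file 0600, adds one key per remaining enctype and proves the result with a keytab-based kinit. It assumes Heimdal ktutil (the "ktutil -k ... add" form the post uses; MIT ktutil is interactive) and a kvno supplied by the caller.

```shell
#!/bin/sh
# Added example (not code from the original post): builds the keytab one
# enctype at a time, skips the weak enctypes, locks the file down and
# checks it with a keytab-based kinit. Assumed: Heimdal ktutil, kinit,
# klist and kdestroy, and a realm that follows the uppercase convention.

# Kerberos realm names are case-sensitive and conventionally uppercase:
# username@realm.bla and username@REALM.BLA are different principals.
# Return the principal with its realm part uppercased; no realm, no change.
normalize_principal() {
    case $1 in
        *@*) printf '%s@%s\n' "${1%@*}" \
                 "$(printf '%s' "${1##*@}" | tr '[:lower:]' '[:upper:]')" ;;
        *)   printf '%s\n' "$1" ;;
    esac
}

# DES (RFC 6649), triple-DES and RC4/arcfour (RFC 8429) are deprecated;
# a key for them in a keytab is a standing offline-cracking target.
is_weak_enctype() {
    case $1 in
        des-*|des3-*|arcfour-*|rc4-*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the enctypes worth storing as a space-separated list.
filter_enctypes() {
    keep=
    for enc in "$@"; do
        if is_weak_enctype "$enc"; then
            echo "skipping deprecated enctype $enc" >&2
        else
            keep="${keep:+$keep }$enc"
        fi
    done
    printf '%s\n' "$keep"
}

# Create keytab $1 for principal $2 at key version $3 with the remaining
# arguments as enctypes. ktutil prompts for the password on every add,
# which keeps it off the command line and out of the process list.
make_keytab() {
    keytab=$1; princ=$(normalize_principal "$2"); kvno=$3; shift 3
    umask 077                       # new files are created 0600
    for enc in $(filter_enctypes "$@"); do
        # Heimdal ktutil stores one key per add, so loop; -V must match the
        # key version the KDC currently holds for this principal.
        ktutil -k "$keytab" add -p "$princ" -V "$kvno" -e "$enc"
    done
    chmod 600 "$keytab"
    ktutil -k "$keytab" list        # one line per stored key
    # Prove the keys work without a password, then drop the ticket again.
    kinit -k -t "$keytab" "$princ" && klist && kdestroy
}

# Needs a KDC and the password, so only runs with the argument "run".
# The principal, kvno and enctype list are placeholders.
if [ "${1:-}" = run ]; then
    make_keytab name.keytab username@REALM.BLA 3 \
        aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 \
        arcfour-hmac-md5 des-cbc-crc
fi
```

With the list above the two AES keys are written and the arcfour and DES entries are reported on stderr and dropped. If the KDC only offers a weak enctype for the principal, fix the KDC rather than the filter.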