Top Document: Kerberos FAQ, v2.0 (last modified 8/18/2000)
Previous Document: 3.1. What happens when my tickets expire?
Next Document: 3.3. How do I use renewable tickets?

Nothing can authenticate to Kerberos without providing a password/encryption key. The same holds true for cron jobs.

In practice, you typically have two choices for providing Kerberos authentication for any program:

1. A human types in a password on a keyboard.
2. A password/encryption key is stored somewhere on a machine.

Obviously, both of these also apply to cron jobs. So to provide Kerberos authentication to cron jobs, you would either have to have a human type in a password at the appropriate time, or store the password/encryption key somewhere where the cron job could read it.

What I (and others) have done with success is the following:

1. Create a special "cron" user (possibly username/cron).

2. Use kadmin to place a keytab for that user on the workstation where you are going to use cron.

       kadmin: ktadd -k user.keytab username/cron

3. Use the -k flag to kinit to get a TGT for that user using the stored keytab.

       kinit -k -t user.keytab username/cron

Note that this applies to any sort of unattended programs that you wish to run, not just cron.

Of course, you have to evaluate whether or not this is acceptable to you; if the machine where you store this principal is compromised, then this principal is compromised.

As an additional note, if you are just going to be running programs as root, I would personally use the host principal, since it will likely already be in place and is already used by other programs that run as root (telnetd, ftpd, etc).
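The kinit step above, wrapped for use from a crontab entry, as an added example that is not part of the original FAQ. It assumes MIT-style kinit/kdestroy on the PATH; the function names, the owner-only permission check and the private credential cache (KRB5CCNAME) are additions made here because the keytab is the stored key the FAQ warns about.

```shell
#!/bin/sh
# Added example: cron wrapper around the FAQ's "kinit -k -t" step.
# usage: krb-cron.sh KEYTAB PRINCIPAL COMMAND [ARGS...]  (script name is hypothetical)

# Succeeds only if the keytab is a regular file (not a symlink), owned by the
# invoking user, with no group/other permission bits set.
keytab_is_private() {
    kt=$1
    [ -f "$kt" ] && [ ! -L "$kt" ] || return 1
    read -r mode _ owner _ <<EOF
$(ls -ldn -- "$kt")
EOF
    [ "$owner" = "$(id -u)" ] || return 1
    case $mode in
        -r[w-]-------*) return 0 ;;   # mode 0600 or 0400
        *)              return 1 ;;
    esac
}

# Gets a TGT from the keytab into a throwaway cache, runs the job, then
# destroys the tickets. Returns the job's exit status.
run_with_keytab() {
    keytab=$1 principal=$2
    shift 2
    keytab_is_private "$keytab" || {
        echo "refusing to use $keytab: must be owner-only (chmod 600)" >&2
        return 1
    }
    # Private cache so the job never touches a login session's tickets.
    KRB5CCNAME="FILE:$(mktemp "${TMPDIR:-/tmp}/krb5cc_cron.XXXXXX")" || return 1
    export KRB5CCNAME
    kinit -k -t "$keytab" "$principal" || { rm -f "${KRB5CCNAME#FILE:}"; return 1; }
    status=0
    "$@" || status=$?
    kdestroy >/dev/null 2>&1 || rm -f "${KRB5CCNAME#FILE:}"
    return "$status"
}

# Only act when invoked with arguments, e.g. from a crontab line.
if [ "$#" -ge 3 ]; then
    run_with_keytab "$@"
fi
```
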
Send corrections/additions to the FAQ Maintainer: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Last Update March 27 2014 @ 02:11 PM