username@REALM
    password --> derives key
host/fqdnhostname@REALM
    key stored in keytab, usually /etc/krb5.keytab
    principal is available systemwide on the host
$service/fqdnhostname@REALM
    key stored in a keytab next to the service config, like /etc/ldap/ds.keytab or something similar
    principal will be loaded and used by the service on start
Now you can map multiple levels:
host to service
user to service
service to service
Host principals join the machine to the domain so I can restrict kerberized services to allowed machines. Then I restrict services further to either a valid host principal, a valid user ticket OR a valid client service ticket.
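As an added example (not code from the comment above), the following Python parses principal names into the three kinds listed above (user, host, service), says which keytab such a key would normally live in, and encodes the layered authorization rule the comment describes: a host principal only from an allowed machine, any user principal, or any client service principal, all within one realm. It assumes that authentication has already happened (GSSAPI/KDC validated the ticket) and that the authorization step receives the authenticated client principal name; the per-service keytab path and the realm EXAMPLE.COM are constructed placeholders.

```python
"""Classify Kerberos principals and apply a host/user/service access policy.

Added example. Principal syntax is the standard primary[/instance]@REALM form;
the per-service keytab path in default_keytab() is an assumed convention, and
the sample principals below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional, Set


@dataclass(frozen=True)
class Principal:
    primary: str            # "alice", "host", "ldap", ...
    instance: Optional[str]  # FQDN for host/service principals, None for users
    realm: str              # e.g. EXAMPLE.COM


def parse_principal(name: str) -> Principal:
    """Split 'primary[/instance]@REALM' into its parts, rejecting malformed names."""
    if "@" not in name:
        raise ValueError(f"principal lacks a realm: {name!r}")
    local, realm = name.rsplit("@", 1)
    if not local or not realm:
        raise ValueError(f"empty primary or realm: {name!r}")
    primary, slash, instance = local.partition("/")
    if not primary or (slash and not instance):
        raise ValueError(f"empty primary or instance: {name!r}")
    return Principal(primary, instance if slash else None, realm)


def classify(p: Principal) -> str:
    """Map a principal to one of the three kinds described in the notes."""
    if p.instance is None:
        return "user"        # username@REALM, key derived from a password
    if p.primary == "host":
        return "host"        # host/fqdn@REALM, machine identity
    return "service"         # $service/fqdn@REALM, e.g. ldap/ds.example.com


def default_keytab(p: Principal) -> Optional[str]:
    """Where the long-term key for this principal would usually be stored.

    Users have no keytab (password-derived key). Host keys live in the
    system keytab; the per-service path here is an assumed convention.
    """
    kind = classify(p)
    if kind == "user":
        return None
    if kind == "host":
        return "/etc/krb5.keytab"
    return f"/etc/{p.primary}/{p.primary}.keytab"  # assumption, site-specific in practice


def is_allowed(client: str, allowed_hosts: Set[str], realm: str) -> bool:
    """Authorization on an already-authenticated client principal name.

    Allowed: a host principal whose FQDN is in allowed_hosts, any user
    principal, or any client service principal. Anything outside our realm
    is refused so cross-realm clients cannot slip through by name shape.
    """
    try:
        p = parse_principal(client)
    except ValueError:
        return False
    if p.realm != realm:
        return False
    kind = classify(p)
    if kind == "host":
        return p.instance in allowed_hosts
    return kind in ("user", "service")


if __name__ == "__main__":
    # Constructed sample principals, one of each kind plus a foreign realm.
    samples = [
        "alice@EXAMPLE.COM",
        "host/db1.example.com@EXAMPLE.COM",
        "host/unknown.example.com@EXAMPLE.COM",
        "ldap/ds.example.com@EXAMPLE.COM",
        "alice@OTHER.COM",
    ]
    allowed = {"db1.example.com"}
    for name in samples:
        p = parse_principal(name)
        print(f"{name:40} kind={classify(p):7} keytab={default_keytab(p)!s:28} "
              f"allowed={is_allowed(name, allowed, 'EXAMPLE.COM')}")
```

In a real deployment the client name comes from the GSSAPI context after the service keytab has validated the ticket; this policy layer only decides what that authenticated identity may do, which is why the keytab ownership and the host-to-service mapping above matter before any of this runs.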