host/*@REALM tickets with ssh, DNS

Josh Huber huber at alum.wpi.edu
Fri Aug 9 11:38:30 EDT 2002


I've got everything working at this point using the Debian ssh-krb5
packages, libnss-ldap (for user information), and MIT Kerberos 1.2.5
on 4 machines.

I have a few general questions:

1) Here is the output from klist after logging in via ssh.  I have ssh
configured to use Kerberos auth, and this appears to be working fine.
Here is the output from klist on my mail server:

klist: You have no tickets cached
Ticket cache: FILE:/tmp/krb5cc_qKxnke
Default principal: huber at PARADOXICAL.NET

Valid starting     Expires            Service principal
08/09/02 11:00:14  08/09/02 21:00:14  host/mail.paradoxical.net at PARADOXICAL.NET
08/09/02 11:00:14  08/09/02 21:00:14  krbtgt/PARADOXICAL.NET at PARADOXICAL.NET

But -- why do I have a ticket with the host/... principal?  Perhaps
someone could clue me in on this, or help me determine what's wrong
(if anything).

2) I've set up DNS with the various entries needed by Kerberos.  How
much of Kerberos uses this DNS information?  How much can I leave out
of the configuration files on each host?

I'm sure I had another question, but it's eluding me for the moment...

-- 
Josh Huber




