1.3.3. Red Hat Enterprise IPA, Kerberos, and DNS
As discussed in Section 1.5.1, “How Red Hat Enterprise IPA and DNS Work Together”, IPA relies heavily on a fully functional DNS for correct operation. Because of its tight integration with IPA, Kerberos also requires that the DNS be configured correctly.
When Kerberos requests a ticket to begin authentication, it always resolves a CNAME to its corresponding A record; the Kerberos libraries never use a CNAME name to request a ticket. This means that when you create service or host principals you need to use the name that owns the host's A record, not an alias. Consider the following zone file entry:
www.example.com.      IN  CNAME  web-01.example.com.   ; web-01.example.com. owns the A record
If you use the following command to connect to the host over SSH with GSSAPI authentication:
$ ssh www.example.com
the client actually requests a ticket for host/web-01.example.com@EXAMPLE.COM, not for host/www.example.com@EXAMPLE.COM.
This is the service principal that you must use to obtain and save tickets in /etc/krb5.keytab for this host.
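The following Python script is an added example, not part of the original documentation. It predicts the service principal a GSSAPI client will ask for by following CNAMEs to the owner of the A record, the way the Kerberos libraries do (it also handles CNAME chains and guards against CNAME loops), and then checks whether that principal appears in a "klist -k" keytab listing. The DNS map, the address 192.0.2.10 and the klist output are constructed sample data; the realm EXAMPLE.COM is assumed.

```python
import re

# Constructed stand-in for DNS lookups: owner name -> (rrtype, rdata).
# Not real data; 192.0.2.10 is a documentation-range placeholder address.
DNS = {
    "www.example.com.":    ("CNAME", "web-01.example.com."),
    "web-01.example.com.": ("A", "192.0.2.10"),
    "loop-a.example.com.": ("CNAME", "loop-b.example.com."),
    "loop-b.example.com.": ("CNAME", "loop-a.example.com."),
}

def canonical_name(name, dns=DNS, max_hops=8):
    """Follow CNAMEs until an A record is reached; return its owner name (no trailing dot)."""
    name = name.rstrip(".") + "."
    for _ in range(max_hops):
        rr = dns.get(name)
        if rr is None:
            raise LookupError(f"{name} does not resolve")
        rrtype, rdata = rr
        if rrtype == "A":
            return name.rstrip(".")
        name = rdata  # CNAME: keep chasing the target
    raise LookupError(f"CNAME chain exceeds {max_hops} hops (possible loop)")

def host_principal(name, realm="EXAMPLE.COM"):
    """Principal a Kerberos client requests for 'ssh <name>': host/<canonical>@REALM."""
    return f"host/{canonical_name(name)}@{realm}"

# Constructed sample of 'klist -k /etc/krb5.keytab' output on web-01.
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/web-01.example.com@EXAMPLE.COM
   2 host/web-01.example.com@EXAMPLE.COM
"""

def keytab_principals(klist_output):
    """Parse the principal names out of 'klist -k' output (one per KVNO line)."""
    return {m.group(1) for m in re.finditer(r"^\s*\d+\s+(\S+)\s*$", klist_output, re.M)}

def keytab_has_principal(principal, klist_output=KLIST_OUTPUT):
    """True if the keytab listing already holds the principal the client will request."""
    return principal in keytab_principals(klist_output)

if __name__ == "__main__":
    p = host_principal("www.example.com")
    print(p, "present in keytab:", keytab_has_principal(p))
```

On a real host, replace KLIST_OUTPUT with the captured output of klist -k and the DNS map with the results of dig +short CNAME / A lookups.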