Essentially, we allowed any system administrator to register a principal of the form hostclient/<machine> and then allowed that principal to register any service principal of the form <service>/<machine>. These rules are enforced by using kadmind's ACLs.
We were still using this when I left at the beginning of the year. At that point we were considering using wallet rather than kadmin to handle the access control, and to restrict the set of service principals that can be created for a machine to the list of services in the configuration database. We had also considered various ways of further automating the creation of the initial hostclient principal, but none of these appeared cost effective for us, given that provisioning of new machines generally involved console access anyway.
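The kadmind ACL scheme described above, written out as an added example of an MIT Kerberos kadm5.acl fragment (this is not the poster's actual file; the realm EXAMPLE.COM, the `*/admin` naming of sysadmin principals, and the use of MIT's `*1` back-reference syntax in the target field are assumptions):

```text
# kadm5.acl (MIT Kerberos kadmind) -- added example, realm EXAMPLE.COM assumed.
# Format:  principal  permissions  [target_principal]
# 'a' grants only the right to add principals; no change, delete or inquire.
# In the target field, *1 is a back-reference to the first wildcard matched
# in the principal field (here: the machine name).

# 1. Any sysadmin (assumed to hold an /admin instance) may register the
#    per-machine hostclient principal, and nothing else via this line.
*/admin@EXAMPLE.COM         a    hostclient/*@EXAMPLE.COM

# 2. A machine's hostclient principal may register service principals of the
#    form <service>/<machine>, but only for the machine named in its own
#    instance: *1 pins the target instance to the wildcard matched above.
hostclient/*@EXAMPLE.COM    a    */*1@EXAMPLE.COM

# 3. No other entries: kadmind denies any operation without a matching line.
```

The check worth running after deploying such a file is a negative one: authenticate to kadmin as `hostclient/host1.example.com` and attempt to add `host/host2.example.com`. kadmind should refuse it, since the back-reference only matches the instance from the authenticated principal; if it succeeds, the target field is not constraining the machine component as intended.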