I implemented OD about 6 months ago. The migration went fine and everything was working well, including Kerberos. My environment is this: I have a single Mac OS X 10.4.11 Xserve in each of 4 offices. The OD Master is at the headquarters, with each remote office (connected with a site-to-site VPN) configured as an OD Replica. We've enjoyed single sign-on and AFP access to the file servers since the migration. The clients are all Macs running OS X 10.4.x; no other services besides AFP are Kerberized at this point.
A couple of days ago, one user reported that she was getting a Kerberos password prompt and that each time she entered her password, it failed with a bad password error. She eventually canceled the Kerberos prompt, entered her password in the AFP prompt and gained server access.
I confirmed that the same password was used and that it indeed would not allow access via Kerberos. I destroyed the existing Kerberos ticket and tried again, to no avail. I logged in as other users on this machine and Kerberos worked fine. I logged onto other machines as this user with the same failure. I then deleted the LDAP user and recreated her account. Since that time, I get the following error when trying to authenticate to Kerberos: "Client not found in Kerberos database".
I then created a new, never before used username in the LDAP DB and get the same error with that new account. So it would seem that existing users are all still working fine, but newly created users are not.
I've looked at the user accounts using dscl and the inspector in Workgroup Manager, and in both places it shows that Kerberos v5 is an authentication authority. I've compared the accounts with working ones; I see no differences.
I don't see anything in the KDC logs that looks out of place... Any suggestions as to what might be going on?
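The error "Client not found in Kerberos database" means the KDC has no principal for the user, even though the directory record carries a Kerberosv5 authentication authority that names one. A quick way to see whether this is a one-off or a systematic gap between the directory and the KDC is to list every user whose AuthenticationAuthority claims Kerberosv5 and check that the named principal actually appears in the KDC's principal list. The script below is an added example, not code from the original post: it parses two inputs that on a live server would come from `dscl` (one "name: AuthenticationAuthority" line per user) and from `sudo kadmin.local -q listprincs`, but here both inputs are constructed sample data with hypothetical user names and the hypothetical realm EXAMPLE.COM.

```shell
#!/bin/sh
# Constructed sample in the form "name: <AuthenticationAuthority value>", as one might
# assemble from `dscl /LDAPv3/127.0.0.1 -read /Users/<name> AuthenticationAuthority`
# for each user. Names, hex tags and realm are hypothetical.
DSCL_SAMPLE='jane: ;ApplePasswordServer;0x4a1b;Kerberosv5;;jane@EXAMPLE.COM;EXAMPLE.COM;
bob: ;ApplePasswordServer;0x4a1c;Kerberosv5;;bob@EXAMPLE.COM;EXAMPLE.COM;
newuser: ;ApplePasswordServer;0x4a1d;Kerberosv5;;newuser@EXAMPLE.COM;EXAMPLE.COM;
svc_ldap: ;ApplePasswordServer;0x4a1e;'

# Constructed sample of `sudo kadmin.local -q listprincs` output for the same realm.
KDC_SAMPLE='Authenticating as principal root/admin@EXAMPLE.COM with password.
jane@EXAMPLE.COM
bob@EXAMPLE.COM
afpserver/server.example.com@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM'

# kerberos_principal_gaps DSCL_LINES KDC_PRINCIPALS
# Prints "name principal" for every user whose directory record claims a
# Kerberosv5 authority but whose principal is missing from the KDC list.
# Such users are exactly the ones that get "Client not found in Kerberos database".
kerberos_principal_gaps() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        name=${line%%:*}
        auth=${line#*: }
        case "$auth" in
            *';Kerberosv5;'*) ;;
            *) continue ;;   # no Kerberos authority: nothing expected in the KDC
        esac
        # The principal is the field after ";Kerberosv5;<tag>;" in the authority string.
        princ=$(printf '%s\n' "$auth" | sed -n 's/.*;Kerberosv5;[^;]*;\([^;]*\);.*/\1/p')
        # Exact, fixed-string, whole-line match against the KDC's principal list.
        if ! printf '%s\n' "$2" | grep -qxF "$princ"; then
            printf '%s %s\n' "$name" "$princ"
        fi
    done
}

# Run against the constructed samples: only newuser should be reported.
kerberos_principal_gaps "$DSCL_SAMPLE" "$KDC_SAMPLE"
```

If the report lists only the recently created accounts while older ones are clean, the directory side is fine and the problem is that new principals are no longer being created in the KDC, which points at the Kerberos provisioning path on the OD Master rather than at the individual user records.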