AFP548

AD Kerberos working–SSO to AFP not working

I am administering an Xserve running OS X Server 10.4.11, bound to our Active Directory domain, and I am trying to get Kerberos single sign-on working against its AFP and SMB services. SSO was working when I inherited the system, but I turned off Kerberos authentication at Apple support's request while trying to fix major authentication problems caused by the 10.4.11 upgrade, and I have not been able to get SSO working since. Users can log into the AFP service when authentication is set to Standard, but not when it is set to Kerberos.

What puzzles me is that Kerberos authentication to our Active Directory server seems to be working. I can issue kinit someaduser from a test user Mac and get the appropriate password request, and the Kerberos app shows that the AD user has been granted a krbtgt ticket.

Apple support suggested that there may be duplicate keys in the keytab file and suggested I try the procedure outlined in Apple Support article 107702. The output from my ktutil is:

    ktutil: read_kt /etc/krb5.keytab
    ktutil: list
    slot KVNO Principal
    ---- ---- ---------------------------------------------------------------------
       1    2 afpserver/xserve02.nourison.com@NOURISON.COM
       2    2 afpserver/xserve02.nourison.com@NOURISON.COM
       3    2 afpserver/xserve02.nourison.com@NOURISON.COM
       4    2 ftp/xserve02.nourison.com@NOURISON.COM
       5    2 ftp/xserve02.nourison.com@NOURISON.COM
       6    2 ftp/xserve02.nourison.com@NOURISON.COM
       7    2 imap/xserve02.nourison.com@NOURISON.COM
       8    2 imap/xserve02.nourison.com@NOURISON.COM
       9    2 imap/xserve02.nourison.com@NOURISON.COM
      10    2 pop/xserve02.nourison.com@NOURISON.COM
      11    2 pop/xserve02.nourison.com@NOURISON.COM
      12    2 pop/xserve02.nourison.com@NOURISON.COM
      13    2 HTTP/xserve02.nourison.com@NOURISON.COM
      14    2 HTTP/xserve02.nourison.com@NOURISON.COM
      15    2 HTTP/xserve02.nourison.com@NOURISON.COM
      16    2 http/xserve02.nourison.com@NOURISON.COM
      17    2 http/xserve02.nourison.com@NOURISON.COM
      18    2 http/xserve02.nourison.com@NOURISON.COM
      19    2 smtp/xserve02.nourison.com@NOURISON.COM
      20    2 smtp/xserve02.nourison.com@NOURISON.COM
      21    2 smtp/xserve02.nourison.com@NOURISON.COM
      22    2 host/xserve02.nourison.com@NOURISON.COM
      23    2 host/xserve02.nourison.com@NOURISON.COM
      24    2 host/xserve02.nourison.com@NOURISON.COM
      25    2 cifs/xserve02.nourison.com@NOURISON.COM
      26    2 cifs/xserve02.nourison.com@NOURISON.COM
      27    2 cifs/xserve02.nourison.com@NOURISON.COM
      28    2 xmpp/xserve02.nourison.com@NOURISON.COM
      29    2 xmpp/xserve02.nourison.com@NOURISON.COM
      30    2 xmpp/xserve02.nourison.com@NOURISON.COM
      31    2 ipp/xserve02.nourison.com@NOURISON.COM
      32    2 ipp/xserve02.nourison.com@NOURISON.COM
      33    2 ipp/xserve02.nourison.com@NOURISON.COM
      34    2 vpn/xserve02.nourison.com@NOURISON.COM
      35    2 vpn/xserve02.nourison.com@NOURISON.COM
      36    2 vpn/xserve02.nourison.com@NOURISON.COM
      37    2 xgrid/xserve02.nourison.com@NOURISON.COM
      38    2 xgrid/xserve02.nourison.com@NOURISON.COM
      39    2 xgrid/xserve02.nourison.com@NOURISON.COM
      40    2 xserve02$@NOURISON.COM
      41    2 xserve02$@NOURISON.COM
      42    2 xserve02$@NOURISON.COM
    ktutil:

So it looks like I do have duplicates. Should I recreate the keytab file as directed, supplying my realm, ldap-admin and password, or are there other troubleshooting steps I should try first?

Many thanks for your help,

--Carney Mimms
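A check a practitioner would want to run before rebuilding the keytab, as an added example that is not part of the original post or of Apple's procedure: entries that share a principal and KVNO frequently differ only in encryption type (one key per enctype, which is what an Active Directory keytab export normally produces), and MIT ktutil's plain `list` command does not show that column; `list -e` does, where the installed ktutil supports it. The script below parses the listing layout shown in the post and distinguishes three cases: a listing without enctypes that merely needs re-running with `-e`, a listing whose repeats are one key per enctype (not duplicates), and a listing with the same principal, KVNO and enctype recorded twice (a genuine duplicate). The sample listings are constructed here, and the enctype names in them are assumed, not taken from the post.

```python
"""Classify repeated entries in MIT `ktutil list` output.

Added example; not code from the original post. Assumes the MIT ktutil
layout shown in the post (slot, KVNO, principal) plus the optional trailing
"(enctype)" column that `list -e` adds.
"""
import re
from collections import defaultdict

# One entry line: slot, KVNO, principal and, only with `list -e`, "(enctype)".
_ENTRY = re.compile(
    r"^\s*(?P<slot>\d+)\s+(?P<kvno>\d+)\s+(?P<principal>\S+)"
    r"(?:\s+\((?P<enctype>[^)]+)\))?\s*$"
)


def parse_ktutil_list(text):
    """Return [(slot, kvno, principal, enctype)] from ktutil output.

    Prompt, header and separator lines are skipped; enctype is None when the
    listing was produced without `list -e`.
    """
    entries = []
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if m:
            entries.append((int(m["slot"]), int(m["kvno"]),
                            m["principal"], m["enctype"]))
    return entries


def group_entries(entries):
    """Map (principal, kvno, enctype) -> [slot, ...] for every entry."""
    groups = defaultdict(list)
    for slot, kvno, principal, enctype in entries:
        groups[(principal, kvno, enctype)].append(slot)
    return groups


def check_keytab(text):
    """Classify a listing.

    Returns (status, repeats); repeats maps each repeated
    (principal, kvno, enctype) key to its slot numbers, and status is:
      "clean"         - nothing repeats
      "duplicates"    - same principal, KVNO and enctype stored more than once
      "needs-enctype" - principal/KVNO repeats but no enctype column, so the
                        repeats may simply be one key per enctype; rerun with
                        `ktutil list -e` before concluding they are duplicates
    """
    entries = parse_ktutil_list(text)
    repeats = {k: v for k, v in group_entries(entries).items() if len(v) > 1}
    if not repeats:
        return "clean", repeats
    if any(key[2] is None for key in repeats):
        return "needs-enctype", repeats
    return "duplicates", repeats


PRINCIPAL = "afpserver/xserve02.nourison.com@NOURISON.COM"  # taken from the post

# Constructed sample in the layout of the post's listing (no enctype column).
LISTING_PLAIN = f"""\
ktutil: read_kt /etc/krb5.keytab
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2 {PRINCIPAL}
   2    2 {PRINCIPAL}
   3    2 {PRINCIPAL}
"""

# Constructed `list -e` output: one key per enctype (enctype names assumed).
LISTING_PER_ENCTYPE = f"""\
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2 {PRINCIPAL} (des-cbc-crc)
   2    2 {PRINCIPAL} (des-cbc-md5)
   3    2 {PRINCIPAL} (arcfour-hmac)
"""

# Constructed `list -e` output with the arcfour key genuinely stored twice.
LISTING_DUPLICATE = f"""\
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2 {PRINCIPAL} (des-cbc-crc)
   2    2 {PRINCIPAL} (arcfour-hmac)
   3    2 {PRINCIPAL} (arcfour-hmac)
"""

if __name__ == "__main__":
    for name, listing in (("plain", LISTING_PLAIN),
                          ("per-enctype", LISTING_PER_ENCTYPE),
                          ("duplicate", LISTING_DUPLICATE)):
        status, repeats = check_keytab(listing)
        print(f"{name}: {status} {dict(repeats)}")
```

On a live system, paste the real `ktutil list -e` output into `check_keytab`; only the "duplicates" verdict justifies the keytab rebuild, while "needs-enctype" means the listing shown so far cannot tell duplicates from per-enctype keys.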