After applying 10.4.7 Server update, single sign-on stops working on OD Rep

Hi All... Well, I'm fresh off the AFP won't start bug in 10.4.6. Now that this bug is fixed in 10.4.7, we have a new problem. It appears that on our OD Replica, single sign-on doesn't work for AFP mounts through the Apple-K method (user home directories work just fine). If a user wishes to mount an AFP share using Apple-K, he/she must re-authenticate a second time. What's more, the user MUST use his/her SHORT name to authenticate, or else the server rejects the attempt. We tried demoting the OD Replica and then re-promoting it, but this did not solve the issue. The logon issue appears to affect 10.3 and 10.4 clients. I believe that this might be a problem with the kerberized AFP (that is, it's not kerberized but should be). Any ideas on how to fix this?