Authorizationhost: Failed to authenticate user

All other things on the server being fine and dandy, this little error is still there and still driving me nuts. Mostly I'd like to ignore it, but I have a cascade of other problems that all seem to tie back to that first system error on login. This happens for all of my Network Users; it does not prevent login, but there are database crashes for everything that access a database on the server, including Mail, iMessage, Calendars and the like, all sighting the inability to find the homedir!

Eventually it sorts out, but it is a huge time and energy sink during login and I'd like to make it go away.

The first login clue is this:

5/10/13 8:49:57.237 AM authorizationhost[1909]: Failed to authenticate user <user> (error: 9).

After that we have some curious entries from NetAuthSysAgent:

5/10/13 8:50:01.435 AM NetAuthSysAgent[1916]: NAHSelectionAcquireCredential complete: iakerb EB9AEEA136050268471EB2AE4FB3B467 - user: GSSCred: 0x7f9c12b055c0 <MC: iakerb user@WELLKNOWN:COM.APPLE.LKDC>

5/10/13 8:50:01.713 AM NetAuthSysAgent[1916]: NAHSelectionAcquireCredential The operation couldn’t be completed. (com.apple.NetworkAuthenticationHelper error -1765328228 - acquire_kerberos failed user@PRIVATE: -1765328228 - unable to reach any KDC in realm PRIVATE)

And that is where I start to get curious, because the Realm is MyRealm.private, not Private. The ticket viewer and kinit show the correct ticket acquired for user@MyRealm.private, so why does it try to lookup the wrong Realm? These also happen after the failed authorization.

After those messages I get database errors that vary by the day. Today's fun included seven messages of aspd unable to bootstrap basic launch services like server.aps and AOSPushRelay. And after that all the errors look like garbage caused by what happened at the beginning, like every 10 seconds error of

5/10/13 10:02:50.256 AM ocspd[1666]: Error opening DB

So, moving on. The only reason I can think of for the authentication error leads back to the Realm and kerberos issue, even with the valid ticket. Are there any other reasons for an authentication failure? Open directory looks fine, the server join is fine, LDAP services look fine. I am not using an authenticated BIND.

Looking for the Realm config I find that my clients have neither edu.mit.Kerberos in the Preferences nor /etc/krb5.conf. The server has the MIT files, but they are empty. The server also has the /etc/krb5.conf with the sum total of:

[libdefaults]

kdc_timeout=5

According to http://www.h5l.org/manual/HEAD/info/heimdal/Configuration-file.html, the only reason to have the rest of /etc/krb5.conf blank is because the Realm is the same as the domain name AND a DNS service name or CNAME record for kerberos has been defined. Only Server doesn't show any DNS records for Kerberos and I can't find either a SRV or CNAME record using dig, either. http://support.apple.com/kb/ht3394

Any ideas or help appreciated.