While working on something else recently, I got a hunch for what might have been happening here. I had configured syncrepl on this server to use GSSAPI (saslmech=GSSAPI) to authenticate to its provider server. In this role, slapd ignores the keytab file and behaves like an ordinary GSSAPI client. It just calls whatever GSSAPI functions provided by the available library. I'm guessing that library consulted /run/.heim_org.h5l.kcm-socket as one of the places to check for cached credentials.
While working on something else recently, I got a hunch for what might have been happening here. I had configured syncrepl on this server to use GSSAPI (saslmech=GSSAPI) to authenticate to its provider server. In this role, slapd ignores the keytab file and behaves like an ordinary GSSAPI client. It just calls whatever GSSAPI functions provided by the available library. I'm guessing that library consulted /run/.heim_ org.h5l. kcm-socket as one of the places to check for cached credentials.