
problem with SASL authentication and Kerberos

I have a rather odd situation with OpenLDAP, GSSAPI, and SASL. I
recently changed my Kerberos KDC from MIT Kerberos to Heimdal, and at
the same time, changed my Kerberos realm name. Prior to this I had
everything working fine.

I've got things working, mostly, but seem to be having a problem with
getting the OpenLDAP client tools to authenticate. This may be more of a
SASL problem, but I'm not certain.

In any case, since the changes above, I run kinit to get a Kerberos
ticket. When I run klist I see something like the following:

% klist
Credentials cache: FILE:/tmp/krb5cc_1000
        Principal: username@NEWREALM
 
  Issued           Expires          Principal
Apr  7 09:06:19  Apr  7 19:06:19  krbtgt/NEWREALM@NEWREALM
 
   V4-ticket file: /tmp/tkt1000
klist: No ticket file (tf_util)

This all looks like it should, but when I now run an ldapsearch, I get
the following error:

% ldapsearch
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (82)
        additional info: SASL(-1): generic failure: GSSAPI Error: 
Miscellaneous failure (see text) (Server (krbtgt/OLDREALM@NEWREALM)
unknown)

So, it looks like it's trying to do some sort of cross-realm
authentication. My question is why? At what point does OpenLDAP (or
SASL) construct the krbtgt/OLDREALM principal above?

I've looked at everything I can think of, and can't figure out where
it's picking up the references to OLDREALM. Can anyone shed some light
on how the above krbtgt/OLDREALM principal name is constructed?

Thanks,
Jeff