Well, the error came from cyrus-sasl rather than OpenLDAP. This would
indicate to me that the not authorized came from the KDC. Have you
checked to ensure the keys in the keytab file haven't expired inside the
KDC?
That's exactly what I suspected. We're using AD for our Kerberos Client,
and one of our AD admins insists that it couldn't be expired credentials.
I did use a utility called msktutil to make sure the kerberos tickets in
/etc/krb5.keytab were up to date, but I'm still getting that error. Any
ideas on how to prove/disprove what you suggest, so I can go back to my
AD admins with more information?