I've traced an issue that's been plaguing us down to a "simple" problem:
Kerberos tickets are not syncing with OS X Open Directory password changes (on the client or host).
Another way to put this:
Expired/expiring ticket renewal requests are being signed with old keys until the machine is rebooted.
How can I get these back in sync?
A little more info: We see the problem manifest when, after the 10 hour ticket expiration, kcm kicks in and tries (presumably) to renew. It fails due to an incorrect password (key) and subsequently locks the user out after a number of retries (we have max limits set). If we kill the kcm service, no issue. If we kdestroy the tickets manually after a password change, no issue.
We're using OS X 10.9 and 10.10 on the clients and 10.10 on the server.