Although I specified in slapd.conf on the slave servers:
moduleload /opt/openldap-2.3.39/lib/smbk5pwd.la
I omitted:
overlay smbk5pwd
I'm guessing slapd never passed credentials to the KDC, hence the (49) error code.
One more question: how does the smbk5pwd module handle a Kerberos password that is expired? Is there a specific error code? I suppose I could expire one and then try it.
2 days of wrestling with this, finally got it to work.
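
An added example, not part of the original post: a Python check for the misconfiguration described above, where slapd.conf has a moduleload line for an overlay module but no matching overlay directive. The function names and sample configs are constructed for illustration; the parsing is simplified, and it assumes the overlay name equals the module file's base name, as it does for smbk5pwd.

```python
import os
import re

# Constructed sample: module loaded, but no "overlay smbk5pwd" directive.
SAMPLE_BROKEN = """\
# slave slapd.conf (constructed sample)
moduleload /opt/openldap-2.3.39/lib/smbk5pwd.la
moduleload back_bdb.la
database bdb
suffix "dc=example,dc=com"
"""
SAMPLE_FIXED = SAMPLE_BROKEN + "overlay smbk5pwd\n"


def logical_lines(text):
    """Yield config lines with comments dropped and whitespace-led
    continuation lines joined onto the line before them."""
    current = None
    for raw in text.splitlines():
        if raw.lstrip().startswith("#"):
            continue
        if raw[:1] in (" ", "\t") and current is not None:
            current += " " + raw.strip()
            continue
        if current:
            yield current
        current = raw.strip()
    if current:
        yield current


def loaded_but_not_configured(text):
    """Return loaded overlay modules that have no 'overlay <name>' line."""
    loaded, overlays = [], set()
    for line in logical_lines(text):
        parts = line.split()
        if len(parts) < 2:
            continue
        keyword = parts[0].lower()
        if keyword == "moduleload":
            name = re.sub(r"\.(la|so)$", "", os.path.basename(parts[1]))
            # back_* modules are backends, enabled via "database" instead.
            if not name.startswith("back_"):
                loaded.append(name)
        elif keyword == "overlay":
            overlays.add(parts[1])
    return [m for m in loaded if m not in overlays]


if __name__ == "__main__":
    print(loaded_but_not_configured(SAMPLE_BROKEN))
    print(loaded_but_not_configured(SAMPLE_FIXED))
```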