From: | Josh Tanski <mortonjt(at)rochester(dot)rr(dot)com> |
---|---|
To: | pgsql-admin(at)postgresql(dot)org |
Subject: | 8.4 to 9.1 Upgrade Kerberos Auth Stops Working "Wrong principal in request" |
Date: | 2013-05-31 12:39:54 |
Message-ID: | 51A89A1A.8040405@rochester.rr.com |
Lists: | pgsql-admin |

I have Kerberos Authentication working for PostgreSQL 8.4 on Debian
Squeeze, against a Windows 2000 Server Domain. I tried upgrading some
test servers to Debian Wheezy, which upgrades PostgreSQL to 9.1, but
Kerberos authentication breaks with the "Wrong principal in request" error.

These servers ultimately use Apache2/mod-auth-kerb/php5-cgi to do SSO in
a Windows web browser and that gets passed to PostgreSQL, but I have the
issue with psql as well and that is where I normally start
troubleshooting. Mod-Auth-Kerb in Apache2 continues to authenticate and
work after the upgrade; only PostgreSQL stops working.

Here is everything I've looked at and the results I get - I am baffled
as to why this stopped working with 9.1; my config is the same, and hostnames,
DNS, clocks, etc. look good and nothing changed there. Below is from a
fresh, clean install of Debian Wheezy/PostgreSQL 9.1 on a new test VM
and I still get the error. If anyone sees something I am doing wrong or
something I missed and should be looking into, your advice would be
greatly appreciated.

Thanks,
Josh

In /etc/postgresql/9.1/main/postgresql.conf:

krb_server_keyfile = '/etc/postgresql/9.1/main/ss-sv-tmp40_pg.keytab'

In /etc/postgresql/9.1/main/pg_hba.conf:

host all all 10.203.105.96 255.255.255.255 krb5 krb_server_hostname=ss-sv-tmp40.mydomain.local

root@ss-sv-tmp40:~# hostname --fqdn
ss-sv-tmp40.mydomain.local

root@ss-sv-tmp40:~# cat /etc/hosts
127.0.0.1 localhost
10.203.105.96 ss-sv-tmp40.mydomain.local ss-sv-tmp40

root@ss-sv-tmp40:~# klist -ek /etc/postgresql/9.1/main/ss-sv-tmp40_pg.keytab
Keytab name: FILE:/etc/postgresql/9.1/main/ss-sv-tmp40_pg.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 postgres/ss-sv-tmp40.mydomain.local@MYDOMAIN.LOCAL (des-cbc-md5)

jdt@ss-sv-tmp40:~$ kinit jdt@MYDOMAIN.LOCAL
Password for jdt@MYDOMAIN.LOCAL:

jdt@ss-sv-tmp40:~$ klist -e
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: jdt@MYDOMAIN.LOCAL

Valid starting    Expires           Service principal
31/05/2013 07:36  31/05/2013 15:36  krbtgt/MYDOMAIN.LOCAL@MYDOMAIN.LOCAL
        renew until 31/05/2013 15:36, Etype (skey, tkt): arcfour-hmac, arcfour-hmac

jdt@ss-sv-tmp40:~$ psql -h ss-sv-tmp40.mydomain.local -U jdt
psql: Kerberos 5 authentication rejected: Wrong principal in request

jdt@ss-sv-tmp40:~$ klist -e
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: jdt@MYDOMAIN.LOCAL

Valid starting    Expires           Service principal
31/05/2013 07:36  31/05/2013 15:36  krbtgt/MYDOMAIN.LOCAL@MYDOMAIN.LOCAL
        renew until 31/05/2013 15:36, Etype (skey, tkt): arcfour-hmac, arcfour-hmac
31/05/2013 07:38  31/05/2013 15:36  postgres/ss-sv-tmp40.mydomain.local@
        renew until 31/05/2013 15:36, Etype (skey, tkt): des-cbc-crc, des-cbc-crc
31/05/2013 07:38  31/05/2013 15:36  postgres/ss-sv-tmp40.mydomain.local@MYDOMAIN.LOCAL
        renew until 31/05/2013 15:36, Etype (skey, tkt): des-cbc-crc, des-cbc-crc

root@ss-sv-tmp40:~# tail /var/log/postgresql/postgresql-9.1-main.log
2013-05-31 07:38:07 EDT LOG: Kerberos recvauth returned error -1765328240
postgres: Wrong principal in request from krb5_recvauth
2013-05-31 07:38:07 EDT FATAL: Kerberos 5 authentication failed for user "jdt"

root@ss-sv-tmp40:~# cat /etc/krb5.conf
[libdefaults]
default_realm = MYDOMAIN.LOCAL
allow_weak_crypto = true
<snip>