Comment 2 for bug 1783183

Kartik Subbarao (subbarao) wrote :

The client.keytab path is standard functionality provided by libkrb5.so in Ubuntu 18.04. Here is the relevant documentation:

http://manpages.ubuntu.com/manpages/bionic/man5/krb5.conf.5.html

       default_client_keytab_name
              This relation specifies the name of the default keytab for obtaining client
              credentials. The default is FILE:/etc/krb5/user/%{euid}/client.keytab. This
              relation is subject to parameter expansion (see below). New in release 1.11.

It gets invoked by slapd when GSSAPI is specified as the sasl mechanism (e.g. with syncrepl). This was added as a feature to libkrb5 to streamline the process of automated authentication, so that people don't have to set up cron jobs to periodically run kinit.

Regarding /tmp/krb5cc_*, that is the standard location for the credential cache file created by the kinit process. In this case, the equivalent of "kinit -k /etc/krb5/user/389/client.keytab" is done by slapd, leading to /tmp/krb5cc_389 being created.
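
An added example, not part of the original comment or of any project's code: it resolves the default client keytab path quoted above for a given service uid, then checks that the keytab and the `/tmp/krb5cc_<uid>` cache are regular files owned by that uid with no group or other access. The function names, the `root` parameter and the temp-dir layout built in `demo()` are assumptions made for the example.

```python
import os
import re
import stat
import tempfile

# Default quoted from krb5.conf(5) in the comment above.
DEFAULT_CLIENT_KEYTAB = "FILE:/etc/krb5/user/%{euid}/client.keytab"
# Assumption: cache path follows the /tmp/krb5cc_389 form named in the comment.
CCACHE_PATTERN = "/tmp/krb5cc_{uid}"

def expand(template, euid):
    """Expand %{euid}, strip FILE:, and reject tokens this example does not handle."""
    path = template.replace("%{euid}", str(euid))
    leftover = re.search(r"%\{[^}]*\}", path)
    if leftover:
        raise ValueError("unhandled token " + leftover.group(0))
    return path[len("FILE:"):] if path.startswith("FILE:") else path

def audit(path, euid, root="/"):
    """Return findings for one secret file; an empty list means no finding."""
    try:
        st = os.lstat(os.path.join(root, path.lstrip("/")))
    except FileNotFoundError:
        return ["missing"]
    findings = []
    if not stat.S_ISREG(st.st_mode):
        findings.append("not a regular file")
    if st.st_uid != euid:
        findings.append("owner uid %d, expected %d" % (st.st_uid, euid))
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("group/other access: mode %04o" % stat.S_IMODE(st.st_mode))
    return findings

def audit_service(euid, root="/"):
    """Check the client keytab and the credential cache for one service uid."""
    return {"keytab": audit(expand(DEFAULT_CLIENT_KEYTAB, euid), euid, root),
            "ccache": audit(CCACHE_PATTERN.format(uid=euid), euid, root)}

def demo():
    """Constructed layout under a temp dir, owned by the current user."""
    euid = os.geteuid()
    with tempfile.TemporaryDirectory() as root:
        keytab = os.path.join(root, "etc/krb5/user", str(euid), "client.keytab")
        ccache = os.path.join(root, "tmp", "krb5cc_%d" % euid)
        for path, mode in ((keytab, 0o644), (ccache, 0o600)):  # keytab too open
            os.makedirs(os.path.dirname(path))
            open(path, "wb").close()
            os.chmod(path, mode)
        return audit_service(euid, root)
```

On a real host, `audit_service(389)` checks the two paths for the uid used in the comment; `demo()` exercises the same logic against constructed files.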