Fix for AFP error 5002

Feb. 18th, 2009 at 4:50 PM
Tags: osx
There's a pretty common bug in OS X Server 10.5 (okay, I know, there are a lot, but this is a pretty big one) where the AFP server's kerberosPrincipal setting gets corrupted when the machine is promoted to an Open Directory master, or possibly when an Open Directory server is archived and restored.

If you try to log into an OD server via AFP and standard (password) authentication works but Kerberos authentication fails with error -5002, your AFP Kerberos principal is probably corrupt: the AFP service is still keyed to the machine's Local KDC (LKDC) instead of the Open Directory realm, so a client holding a ticket from the OD realm can't get a service ticket for it.

On your server, look in /Library/Preferences/com.apple.AppleFileServer.plist. About 3/4 of the way down, you should see something like this (your hostname and realm will differ, but the shape is afpserver/<fully qualified hostname>@<REALM>, with the realm in uppercase):

<key>kerberosPrincipal</key>
<string>afpserver/machine.domain.com@MACHINE.DOMAIN.COM</string>

If it looks more like this, with an LKDC:SHA1.<hash> string in place of both the hostname and the realm (the plist holds the whole principal on one line)…

<key>kerberosPrincipal</key>
<string>afpserver/LKDC:SHA1.C4F4D444F403E6456C75B96F80E8E2A8F12DA2EE@LKDC:SHA1.C4F4D444F403E6456C75B96F80E8E2A8F12DA2EE</string>

…then you have a problem: AFP has been registered with the server's Local KDC rather than with your Open Directory realm.

Try this fix, courtesy of Laurent Pertois. Stop the AFP service, then in the Terminal, all on one line:

sudo defaults write /Library/Preferences/com.apple.AppleFileServer kerberosPrincipal "afpserver/myserver.mydomain.mytld@MYSERVER.MYDOMAIN.MYTLD"

Note the quotes, and the spaces before and after kerberosPrincipal; the command may wrap in your browser but must be typed as a single line. Substitute your server's real fully qualified hostname and your Open Directory realm (normally the hostname in uppercase, as in the example). Then restart the AFP service, destroy any existing tickets on your client (kdestroy, or Ticket Viewer), and try to log in again. If you get a service ticket for afpserver/your.host.name on the client, the principal is fixed.
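Here is the check and the fix above wrapped in a small shell script. This is an added example, not code from the original post or from Laurent Pertois: it classifies a kerberosPrincipal string as healthy, LKDC-bound (the corruption described above) or otherwise malformed, and only the --check and --fix modes touch the system, where it assumes OS X Server 10.5's defaults(1) and serveradmin(8) are available and that the realm is the server's hostname in uppercase unless you pass one. The classification itself is plain POSIX sh and runs anywhere; the two sample principals are taken from the post.

```shell
#!/bin/sh
# Added example (not from the original post). Classifies an AFP Kerberos
# principal and wraps the defaults-write fix. Assumes OS X Server 10.5's
# defaults(1) and serveradmin(8) for the --check/--fix modes only.

PLIST=/Library/Preferences/com.apple.AppleFileServer

# Constructed samples: the healthy shape from the post and the corrupt one.
GOOD_EXAMPLE='afpserver/myserver.mydomain.mytld@MYSERVER.MYDOMAIN.MYTLD'
LKDC_EXAMPLE='afpserver/LKDC:SHA1.C4F4D444F403E6456C75B96F80E8E2A8F12DA2EE@LKDC:SHA1.C4F4D444F403E6456C75B96F80E8E2A8F12DA2EE'

# Print one word describing the principal and return 0 only when it is sane:
#   ok    afpserver/<fully.qualified.host>@<UPPERCASE.REALM>
#   lkdc  host or realm is an LKDC:SHA1 hash (the corruption from the post)
#   bad   anything else (wrong service name, no realm, lowercase realm, ...)
check_afp_principal() {
    p=$1
    case "$p" in
        afpserver/LKDC:*|afpserver/*@LKDC:*) echo lkdc; return 1 ;;
        afpserver/*@*) ;;
        *) echo bad; return 1 ;;
    esac
    host=${p#afpserver/}
    host=${host%@*}
    realm=${p##*@}
    case "$host" in
        *.*) ;;                        # must be a fully qualified hostname
        *) echo bad; return 1 ;;
    esac
    case "$realm" in
        ''|*[[:lower:]]*|*/*) echo bad; return 1 ;;   # Kerberos realms are uppercase
    esac
    echo ok
    return 0
}

# Read the live value from the AFP server preferences (OS X Server only).
current_afp_principal() {
    defaults read "$PLIST" kerberosPrincipal
}

# Apply the fix from the post. Arguments: the server's FQDN and, optionally,
# the Open Directory realm (assumed to be the FQDN in uppercase if omitted).
fix_afp_principal() {
    fqdn=$1
    realm=${2:-$(printf '%s' "$fqdn" | tr '[:lower:]' '[:upper:]')}
    principal="afpserver/${fqdn}@${realm}"
    if [ "$(check_afp_principal "$principal")" != ok ]; then
        echo "refusing to write malformed principal: $principal" >&2
        return 1
    fi
    sudo serveradmin stop afp
    sudo defaults write "$PLIST" kerberosPrincipal "$principal"
    sudo serveradmin start afp
    echo "kerberosPrincipal is now: $(current_afp_principal)"
}

# Usage:
#   sh afp-principal.sh                     classify the two sample strings
#   sh afp-principal.sh --check             classify the value on this server
#   sh afp-principal.sh --fix FQDN [REALM]  rewrite it and restart AFP
case "${1:-}" in
    --check)
        p=$(current_afp_principal)
        printf '%s -> %s\n' "$p" "$(check_afp_principal "$p" || true)" ;;
    --fix)
        fix_afp_principal "$2" "$3" ;;
    *)
        for p in "$GOOD_EXAMPLE" "$LKDC_EXAMPLE"; do
            printf '%s -> %s\n' "$p" "$(check_afp_principal "$p" || true)"
        done ;;
esac
```

The --fix mode refuses to write anything that does not pass the same check, so a typo in the hostname or a lowercase realm fails before AFP is touched. After the fix, run kdestroy and kinit on a client and confirm with klist that a ticket for afpserver/your.host.name@YOUR.REALM appears once you connect; if the client still gets -5002, the realm you wrote does not match the one your Open Directory KDC actually issues tickets for.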
