This PR covers a few edge cases that may trip up some users.
First off, we prevent users from simultaneously enabling AD and LDAP directory services. There are very few cases where users actually need to do this. One common example may be FreeIPA + AD in the same environment, but the typical resolution to this configuration need is to create a cross-realm trust between FreeIPA and AD and enable / configure trusted domains in the AD plugin.
Kerberos libraries will let us kinit even if clock offset is larger than 3 minutes, but services behave badly in this situation. This PR makes us try a little harder. If CLDAP ping fails to get us a DC, then we switch to performing normal DNS lookup for a DC. If time offset is too large (or our service account can't be used for netlogon connection), then destroy the service account's kerberos ticket to prevent it from being used by middleware or other processes.