FreeIPA was the nicest way yet that I've seen to do this; it just worked!
Here are some old DNS records that were set up for autodiscovery, nothing too special but I'm keeping them.
_kerberos-master._tcp.maestrale 86400 IN SRV 0 100 88 maestrale.meidokon.net.
_kerberos-master._udp.maestrale 86400 IN SRV 0 100 88 maestrale.meidokon.net.
_kerberos._tcp.maestrale 86400 IN SRV 0 100 88 maestrale.meidokon.net.
_kerberos._udp.maestrale 86400 IN SRV 0 100 88 maestrale.meidokon.net.
_kerberos.maestrale 86400 IN TXT "MAESTRALE.MEIDOKON.NET"
_kpasswd._tcp.maestrale 86400 IN SRV 0 100 464 maestrale.meidokon.net.
_kpasswd._udp.maestrale 86400 IN SRV 0 100 464 maestrale.meidokon.net.
_ldap._tcp.maestrale 86400 IN SRV 0 100 389 maestrale.meidokon.net.
_ntp._udp.maestrale 86400 IN SRV 0 100 123 maestrale.meidokon.net.
Consider trying to do all this again, but host it locally and add Kerberos usage to it: https://medium.com/@vikramaroskar/getting-started-with-65711be52918