Kerberos authentication problem



We have a Univention setup with machine A (dc master), machine B (dc backup) and machine C (dc slave) working with Linux workstations (CentOS, Fedora and Ubuntu) and Windows workstations (Windows 10).

From the start we have always had problems with the authentication with Kerberos and Samba fileservers (which run on CentOS + Samba Domain Member). Usually, if we remove the machine from the domain (using realm) and add it again (using realm again), it does solve the problem and everything starts working again; we have to do this periodically.

After some time (usually 7-10 days, normally when we run the procedure), we start to see this log in messages on the CentOS machine which acts as the Samba fileserver:

**** LOGS LOGS LOGS ****

We usually do the access test on a Linux client machine on the command line: “smbclient -k \\fs2.domain.tld\share”

We have found that sometimes the access is not accepted, and if we reboot the dc backup and the dc slave, it forces the resynchronization of the AD with the dc master, but, although we get access to the share, we still get those ldap keytab access problems until we rejoin the machine to the domain (for 7 more days …).

UCS Version -> 4.3-4 errata481
Server -> CentOS 7 64bit
Samba -> 4.8.3

We need some help on the direction to take to solve this issue; any suggestion is welcome.