Hello all,

In an IdM + AD trust setup, has anyone ever had the need to restrict IPA client logins to a specific Active Directory server when using their AD credentials?

The problem I am having is that one of my clients has an AD cluster and some of the kdc servers in that cluster have clocks that are not synchronized. Whenever someone tries to log in using their AD account, if they hit an unsynchronized server then they get hit with the "kinit: clock skew too great ..." error.

Since we don't control the AD server and since they refused to fix their time sync issues, I have been trying to restrict AD logins to a specific kdc server, but have been unable to do it. I have tried to edit the sssd.conf and krb5.conf configuration files, but nothing seems to work.

Any suggestions?

Thanks
Jean Figarella