The keytab creation path assumes connection to AD (which is not the case when joining offline). I think we need to move the keytab creation to the provision step, not the the requestodj step.
We connect to AD to check if the account has additional SPNs specified during keytab generation, we should just skip that step and generate the default once using the machine account password. Either the SPNs are part of the blob and we check check there to create additional once or we can't ...
https://gitlab.com/samba-team/samba/-/merge_requests/1999 has several changes to how we create keytabs ...