The keytab creation path assumes connection to AD (which is not the case when joining offline). I think we need to move the keytab creation to the provision step, not the requestodj step.
We connect to AD to check if the account has additional SPNs specified during keytab generation, we should just skip that step and generate the default ones using the machine account password. Either the SPNs are part of the blob and we check there to create additional ones or we can't ...
https://gitlab.com/samba-team/samba/-/merge_requests/1999 has several changes to how we create keytabs ...
net offlinejoin code is safe from samba-4.21 (https://gitlab.com/samba-team/samba/-/merge_requests/1999)
- libnet_join_create_keytab() no longer calls ads_keytab_create_default(r->in.ads) possibly with r->in.ads being NULL
- it calls sync_pw2keytabs() and depending on new smb.conf option `sync machine password to keytab` can be configured
  - not to create keytab: `sync machine password to keytab = disabled`
  - not to talk to DC: `sync machine password to keytab = /path/to/keytab:account_name:machine_password` (note: there is no sync_etypes, sync_kvno and no sync_spns)