[Samba] Alternate to 'net ads keytab'?

[NP Samba Lists]

Hello,

We're currently binding hosts to a Windows 2000 domain through a
third-party product (that also supports Kerberos/NFSv4) but we also
have a need to have other hosts grab their credentials from a Windows
KDC for NFSv4 access.  While we don't intend to bind these systems to
AD, we do have the requirement to pull their SPNs from AD and place
them in /etc/krb5.keytab.  Note that ktpass.exe is not an option here
and I suspect there's another and simpler way that I'm just missing
here.

So, my question is: if a system has *not* been joined to the domain
with 'net ads join' and has already been "pre-staged" in AD as a
user/computer account with the desired SPNs by a Windows admin, can I
just use Samba 'net ads keytab' to build /etc/krb5.keytab on the
system without joining the system to the domain?  Or is there another
way to build /etc/krb5.keytab from SPNs in AD?  I know I can grab the
kvno from AD but that's only marginally helpful 'cause I also need the
shared secrets I'd assume.

Please let me know your suggestions and what I might be missing.

-- 
NP
"You will probably find that this hot mix will probably sell by the
bucket load. I suggest yo...