adcli update adding FQDN entries to keytab from not joined domain
I migrated a machine from domain subdomain.example.com to example.com. Both trust each other but they do not belong to the same forest. I'm using adcli-0.9.0+git.0.1b152803.
As long as the mymachine entry exists inside the subdomain.example.com AD, adcli is adding host\mymachine.subdomain.example.com to my keytab (although those entries are not really valid and collide with the subdomain.example.com REALM).
# adcli update --domain=subdomain.example.com
I needed to remove the mymachine object from the subdomain.example.com AD in order for adcli to correctly fail to update the keytab.
Also, it seems that testjoin does not check if the machine is really joined to the target domain or if it is from a trusted domain. Both are successfully validated joins:
# adcli testjoin --domain=example.com
# adcli testjoin --domain=subdomain.example.com
Even after I removed the machine account. It should have failed even before I removed the object.
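
A keytab audit for the situation reported above, as an added example that is not part of the original report and not adcli code: it reads `klist -k` output and lists principals whose realm or host FQDN falls outside the joined domain. The function names and the sample keytab listing are constructed for illustration, and the realm is assumed to be the upper-case form of the joined domain's DNS name.

```shell
#!/bin/sh
# Added example (not adcli code): list keytab principals that fall outside
# the domain the host is joined to. Reads `klist -k` text on stdin.
audit_keytab() {   # $1 = DNS name of the joined domain (assumed: realm is its upper-case form)
    awk -v dom="$1" '
        BEGIN { dom = tolower(dom); realm = toupper(dom) }
        # Entry lines look like: "   3 host/name.example.com@EXAMPLE.COM"
        $1 ~ /^[0-9]+$/ && index($2, "@") {
            if (seen[$2]++) next              # klist prints one line per enctype
            at = index($2, "@")
            name = substr($2, 1, at - 1); r = substr($2, at + 1)
            slash = index(name, "/")          # drop the "host/" service part
            host = tolower(slash ? substr(name, slash + 1) : name)
            dot = index(host, ".")
            if (r != realm)
                printf "%s\trealm %s is not %s\n", $2, r, realm
            else if (dot && substr(host, dot + 1) != dom)
                printf "%s\tFQDN is not directly under %s\n", $2, dom
        }'
}

# Constructed sample of `klist -k` output for a host joined to example.com
# that still carries entries for subdomain.example.com.
sample_keytab() {
    cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 MYMACHINE$@EXAMPLE.COM
   3 host/MYMACHINE@EXAMPLE.COM
   3 host/mymachine.example.com@EXAMPLE.COM
   3 host/mymachine.subdomain.example.com@EXAMPLE.COM
   2 host/mymachine.subdomain.example.com@SUBDOMAIN.EXAMPLE.COM
   2 host/mymachine.subdomain.example.com@SUBDOMAIN.EXAMPLE.COM
EOF
}

# On a real host: klist -k /etc/krb5.keytab | audit_keytab example.com
sample_keytab | audit_keytab example.com
```

Running the audit after each `adcli update` shows whether entries for the old domain were written, independently of what `adcli testjoin` reports.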