Is there a way to tell adcli testjoin what domain to use via the keytab or other means?
I think our site might be somewhat common in that we have an AD domain that differs from our DNS domain slightly.
DNS domain: college.edu
AD domain: ADMIN.COLLEGE.EDU
Using msktutil with --no-reverse-lookups allows me to create a well-tailored keytab and principals, but things like 'adcli testjoin' don't work afterward, despite all the other trimmings working fine, such as SSSD-based auth, kinit of the keytab, etc.
So I guess what I'm trying to work out is how I would explain to adcli to either find or calculate the right domain name from the principals in the keytab, or how to manually specify it somewhere.
Here's an example testjoin operation:
adcli -vvv testjoin
* Found realm in keytab: ADMIN.COLLEGE.EDU
* Found computer name in keytab: BRIGGS
* Found service principal in keytab: host/briggs.college.edu
* Found host qualified name in keytab: briggs.college.edu
* Found service principal in keytab: host/briggs
* Calculated domain name from host fqdn: college.edu
* Calculated computer account name from fqdn: BRIGGS
* Using domain realm: college.edu
* Discovering domain controllers: _ldap._tcp.college.edu
! No LDAP SRV records for domain: _ldap._tcp.college.edu: Name or service not known
! Couldn't find usable domain controller to connect to
adcli: couldn't connect to college.edu domain: Couldn't find usable domain controller to connect to
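The verbose output above shows the two derivations that disagree: the realm is read from the keytab (ADMIN.COLLEGE.EDU), but the domain is calculated from the host FQDN (college.edu), and the SRV lookup follows the second one. The following Python is an added example, not adcli's code and not from the original post; it reproduces that derivation over a constructed `klist -k`-style principal list so the mismatch can be spotted before running the join. The principal names are taken from the log above; everything else is an assumption of this example.

```python
"""Reproduce the domain derivation that `adcli -vvv testjoin` logs, so a
keytab whose Kerberos realm differs from the host's DNS domain is flagged
before adcli goes looking for _ldap._tcp.<dns-domain>.  Added example; it
mirrors the log lines, it is not adcli's own implementation."""

# Constructed sample: principals as `klist -k` would list them for the
# keytab described in the post (realm and host names copied from the log).
SAMPLE_PRINCIPALS = [
    "host/briggs.college.edu@ADMIN.COLLEGE.EDU",
    "host/briggs@ADMIN.COLLEGE.EDU",
    "BRIGGS$@ADMIN.COLLEGE.EDU",
]


def parse_principal(principal):
    """Split 'service/instance@REALM' into (service, instance, realm).
    A principal without '/' (e.g. BRIGGS$@REALM) yields an empty instance."""
    name, _, realm = principal.rpartition("@")
    service, _, instance = name.partition("/")
    return service, instance, realm


def derive_domains(principals):
    """Apply the same two derivations adcli logs: realm from the keytab,
    domain from the host/<fqdn> principal.  Returns a report dict."""
    realm = None
    fqdn = None
    for principal in principals:
        service, instance, found_realm = parse_principal(principal)
        if realm is None and found_realm:
            realm = found_realm                  # "Found realm in keytab"
        if service == "host" and "." in instance:
            fqdn = instance                      # "Found host qualified name"
    if realm is None or fqdn is None:
        raise ValueError("keytab lacks a realm or a host/<fqdn> principal")

    computer, dns_domain = fqdn.split(".", 1)    # "Calculated domain name from host fqdn"
    realm_as_domain = realm.lower()
    return {
        "realm": realm,
        "fqdn": fqdn,
        "computer_name": computer.upper(),       # "Calculated computer account name"
        "dns_domain": dns_domain,
        "realm_as_domain": realm_as_domain,
        # The SRV name adcli queried in the log vs. the one the realm implies.
        "srv_from_fqdn": f"_ldap._tcp.{dns_domain}",
        "srv_from_realm": f"_ldap._tcp.{realm_as_domain}",
        "mismatch": dns_domain != realm_as_domain,
    }


def report(principals):
    """Human-readable summary; returns the lines so callers can check them."""
    info = derive_domains(principals)
    lines = [f"{key}: {value}" for key, value in info.items()]
    if info["mismatch"]:
        lines.append(
            "WARNING: realm-derived domain and FQDN-derived domain differ; "
            "adcli will discover DCs via "
            f"{info['srv_from_fqdn']} rather than {info['srv_from_realm']}"
        )
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_PRINCIPALS)))
```

Run against the constructed sample, the report flags the mismatch and names the two SRV records involved; that is the same disagreement the `-vvv` trace exposes between "Found realm in keytab" and "Calculated domain name from host fqdn". When the warning fires on a real keytab, adcli's own `--domain` and `--domain-realm` options are the documented place to state the AD domain explicitly instead of letting it be calculated from the FQDN.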