[SSSD-users] realm join and net join incompatibilities

In tracing through problems with realm join (in a Samba/ctdb cluster), I was noticing that realm join implicitly calls 'net ads join' (which should be a good thing) but it passes '-s' with a temporary smb.conf to 'net ads join' (which is a bad thing since it leaves out clustering=yes and the include=registry). What I was noticing was that to get sssd AND Samba to work after 'realm join' you had to run 'net ads join' (explicitly) on at least one node of the cluster (but that is risky because then sssd doesn't know about the keytab update that 'net ads join' just did). If you don't run 'net ads join' after 'realm join' - Samba will fail because it doesn't think it is joined to a domain (so session setups to it will get a 'NO_LOGON_SERVER' error, and 'net ads testjoin' will show it is not joined as well) - presumably because the 'net ads join' that realmd does implicitly on 'realm join' has the wrong smb.conf passed in to it (with no clustering). Comparing traces of the two joins - the main difference I see is that there are no ctdb related events logged in the 'realm join' implicitly called 'net ads join' (and secrets.tdb is missing the entry for the domain on all nodes). Any thoughts of 1) how to force 'realm join' to use a better smb.conf rather than the temporary one it chooses during 'net ads join' or 2) how to safely do a 'net ads join' after 'realm join' (and not confuse sssd)?