There won't be any transparent way of doing this. The host keytab represents a copy of the host secret - a password that is known only to the Kerberos servers (Active Directory Domain Controllers) and the client. Under normal circumstances, the keytab is created when the client is joined to the Domain (at which time the user authenticates to the Domain and creates a new secret for the workstation). Once joined, the machine (by default) updates the secret every 30 days.
The Samba client can generate a keytab, but it does this by authenticating the user account using the 'net join' command. The authenticating user's password is used to create the initial host secret.
Other programs that can "join the domain" from the Linux client, and create an initial secret (and matching keytab file) include Dell Authentication Services (formerly Quest Authentication Services, formerly Vintela Authentication Services, and still mostly known as 'vas'); LikeWise; and Centrify.
To perform the initial join, the client will need to authenticate to the Domain using a domain account authorized to create computer objects, join workstations to the domain, or reset computer account passwords for existing domain members. The user account might be authenticated using a password, or using an existing user keytab file.
The reference implementation, MIT Kerberos, can create keytab files, but as far as I recall cannot create a new computer account on the Domain.
Edit: If your distribution contains 'kclient', that should do what you want; you do still have to embed a credential into your join script to authenticate to the Domain initially. See https://docs.oracle.com/cd/E36784_01/html/E36871/kclient-1m.html and