I've joined a Linux machine (tested with client Samba3 and Samba4) to a Samba4 DC, with the 'kerberos method = system keytab' option set to get a keytab (tested with 'secrets and keytab' as well). I can confirm the keytab is valid, as I can `kinit -k HOSTNAME$` then access shares, GSSAPI HTTP sites etc. However, running `nsupdate -g` fails with 'TSIG error with server: tsig verify failure' then 'update failed: SERVFAIL'.
I can prevent the SERVFAIL by setting 'allow dns updates = nonsecure', but this seems highly insecure since it allows any client to update any DNS record. This options also does not prevent the TSIG error, although the DNS update still succeeds.
This is the nsupdate query being used:
update delete client in A
update add client 900 in A 192.0.2.2
*** This bug has been marked as a duplicate of bug 11520 ***