It seems (at least our own) dns server echos the kerberos AP-REQ inside gssapi and we feed that back into gss_init_sec_context(). In repl_mutual we expect _gsskrb5_decapsulate to check for a TOK_ID = KRB_AP_REP (02 00) pdu or fallback to KRB_ERROR (03 00), but for KRB_AP_REQ (01 00) we get GSS_S_DEFECTIVE_TOKEN and ignore that an call krb5_rd_rep with uninitialized data, which generates ASN1_MISSING_FIELD.
This bug was referenced in samba master: 9b92cbacac11fb64cca2c4770cbdce789525b87a
This bug was referenced in samba v4-20-test: c86e8742373cfa022419de40427dba45239d0ae4
This bug was referenced in samba v4-20-stable (Release samba-4.20.3): c86e8742373cfa022419de40427dba45239d0ae4