[Samba] Adding a new DC to an existing Windows domain.

Jason Michaelson jasondmichaelson at gmail.com
Sat Oct 10 01:10:53 UTC 2015


My network is set up with BIND 9 servers (all Linux) that are separate from
my AD servers, ns-master, ns1, and ns2, with ns-master being the target of
the SOA record for the zones. ns1 and ns2 are joined to my AD domain
running Samba, ns-master is standalone.

I have 2 existing DCs, one running Windows 2k3R2 and the other running
Windows 2k8R2.

I'm looking to add a Samba DC to the domain, and the add works fine, and
the new DC appears correctly in both AD Users and Computers and AD Sites and
Services.

The problem I'm having is that samba_dnsupdate is failing with the
following errors for each attempted record update:

tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor
code may provide more information, Minor = Server not found in Kerberos
database.

If I manually run nsupdate with the tmp file samba_dnsupdate leaves behind
when it fails, the relevant record gets updated appropriately. tcpdump and
Wireshark seem to indicate that the new DC is putting out a Kerberos
TGS-REQ request for a kRB5-NT-PRINCIPAL looking for ns-master's FQDN, after
gathering it from an SOA lookup on its own name.

What sort of configuration would I be missing here that's keeping this from
working correctly? A search on Google for the tkey error above doesn't
result in a whole lot of hits.

Thanks in advance for any help!

jdm
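
The lookup sequence described in this post (an SOA lookup, then a Kerberos ticket request for the SOA primary), reproduced as a diagnostic check. This is an added example, not part of the original message or of Samba. It assumes dig and kvno are installed, the caller already holds a TGT, and the requested principal has the DNS/<server>@REALM form that nsupdate -g uses; the function names are hypothetical.

```shell
#!/bin/sh
# Added diagnostic sketch; not part of the original post or of Samba.
# Assumptions: dig (BIND utils) and kvno (MIT Kerberos) are installed and the
# caller already holds a TGT (e.g. from kinit) for the realm being tested.

# Extract the MNAME (primary server) from one line of `dig +short SOA` output,
# dropping the trailing dot and lowercasing it.
soa_mname() {
    printf '%s\n' "$1" | awk 'NF >= 7 { sub(/\.$/, "", $1); print tolower($1); exit }'
}

# Build the service principal requested for GSS-TSIG against a DNS server
# (assumed form: DNS/<server>@REALM, as used by nsupdate -g).
dns_spn() {
    realm=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    printf 'DNS/%s@%s\n' "$1" "$realm"
}

# Walk up the labels of a name until a zone apex answers with an SOA record.
find_soa() {
    name=$1
    while [ -n "$name" ]; do
        line=$(dig +short SOA "$name" 2>/dev/null | awk 'NF >= 7 { print; exit }')
        [ -n "$line" ] && { printf '%s\n' "$line"; return 0; }
        case $name in *.*) name=${name#*.} ;; *) name= ;; esac
    done
    return 1
}

# usage: check_update_target <dc-fqdn> <realm>
check_update_target() {
    line=$(find_soa "$1") || { echo "no SOA found for $1" >&2; return 2; }
    spn=$(dns_spn "$(soa_mname "$line")" "$2")
    echo "principal derived from SOA MNAME: $spn"
    if kvno "$spn" >/dev/null 2>&1; then
        echo "KDC issued a service ticket for $spn"
    else
        echo "kvno failed for $spn; check that this principal exists in the realm"
        return 1
    fi
}

# Runs only when given two arguments (placeholder names shown):
#   sh check.sh newdc.example.test EXAMPLE.TEST
if [ "$#" -eq 2 ]; then check_update_target "$1" "$2"; fi
```

A kvno failure here can also mean the caller has no TGT, so run klist first to rule that out.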

