[Samba] Samba with Mit-krb5, update ddns fails

[luckydog xf]

hi,
  I built samba v4.7.0 with Mit-krb5-1.15.2-x86-64( and also  tried with
Mit-krb5-1.15.1-x86-86), everything works fine.

 But when client windows7 joins AD, a new DNS A record should be added into
DNS(Bind), but it fails.

I test via administrator and its ticket.
====================================
[root at pdc samba]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator at AD.PTHL.HK

Valid starting       Expires              Service principal
09/29/2017 16:05:25  09/30/2017 02:05:25  krbtgt/AD.PTHL.HK at AD.PTHL.HK
        renew until 09/30/2017 16:05:15
09/29/2017 16:05:37  09/30/2017 02:05:25  DNS/pdc.ad.pthl.hk at AD.PTHL.HK
        renew until 09/30/2017 16:05:15
=====================================

and run
=================================
nsupdate -g -d -L 9 -v<< UPDATE
server pdc.ad.pthl.hk
realm AD.PTHL.HK <http://ad.pthl.hk/>
update add test.ad.pthl.hk 3600 A 172.16.232.199
send
UPDATE

========================

Here is /var/log/message:

Sep 29 16:34:42 pdc named[1332]: samba_dlz: starting transaction on zone
ad.pthl.hk
Sep 29 16:34:42 pdc named[1332]: samba_dlz: GSS server Update(krb5)(1)
Update failed: Unspecified GSS failure.  Minor code may provide more
information: Request is a replay
Sep 29 16:34:42 pdc named[1332]: samba_dlz: spnego update failed
Sep 29 16:34:42 pdc named[1332]: client 172.16.232.204#43318/key
administrator\@AD.PTHL.HK <http://ad.pthl.hk/>: updating zone '
ad.pthl.hk/NONE': update failed: rejected by secure update (REFUSED)
Sep 29 16:34:42 pdc named[1332]: samba_dlz: cancelling transaction on zone
ad.pthl.hk

=================================================

The same thing is done without any error by Samba V4.7.0 with build-in
Heimedal-Krb5. So I guess there is something wrong with samba and mit-krb5.

Can someone offer me any suggestion?