Patrick Gray
2013-Sep-06  16:34 UTC
[Samba] Samba 4 "TKEY is unacceptable" driving me NUTS!
I've installed Samba 4.09 on ubuntu with bind 9.8.1-P1, the former compiled
from git source and the latter installed from apt-get. I'm migrating from an
existing Windows 2008 SBS domain controller that I want to retire (and be
Windows free on the server side), and have followed the instructions on the
Samba wiki for setting up Bind and migrating.
When I run a samba_dnsupdate -verbose -all-names as per the wiki, all updates
result in a "dns_tkey_negotiategss: TKEY is unacceptable". Syslog
produces the following:
Sep  6 12:21:32 newdc samba[7735]: [2013/09/06 12:21:32.189272,  0]
../source4/dsdb/dns/dns_update.c:294(dnsupdate_nameupdate_done)
Sep  6 12:21:32 newdc samba[7735]:   ../source4/dsdb/dns/dns_update.c:294:
Failed DNS update - NT_STATUS_IO_TIMEOUT
Sep  6 12:23:29 newdc named[7690]: samba b9_putrr: unhandled record type 0
The same TKEY error occurs when I attempt a manual nsupdate. What's odd is
that the updates actually appear in the Windows DNS manager when I use nsupdate
or samba-tool to add entries. This works for both the new Samba DC and the
existing Windows DC. I was going to chalk this up to gremlins and move on with
life, but when I attempt to transfer or seize the naming role, from either Samba
or the existing Windows DC, I get:
sudo /usr/local/samba/bin/samba-tool fsmo transfer --role=naming -Uadministrator
ERROR(ldb): uncaught exception - Failed FSMO transfer: WERR_GENERAL_FAILURE
  File
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
line 175, in _run
    return self.run(*args, **kwargs)
  File
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py",
line 268, in run
    transfer_role(self.outf, role, samdb)
  File
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py",
line 53, in transfer_role
    samdb.modify(m)
I believe these are related, but I cannot get the TKEY error resolved and have
attempted every trick I've been able to find on this mailing list. I've
tried the following based on days of googling:
1. Verified that apparmor isn't causing problems by setting the following
in its config:
  # Samba 4 support
  /usr/local/samba/private/** rkw,
  /usr/local/samba/private/dns.keytab rk,
  /usr/local/samba/private/dns/** rkw,
  /etc/krb5.conf r,
  /usr/local/samba/etc/smb.conf r,
  #Samba 4 BIND libraries
  /usr/local/samba/lib/bind9/dlz_bind9.so rm,
  /usr/local/samba/lib/** rm,
  /usr/lib/x86_64-linux-gnu/ldb/modules/ldb/** rm,
  # with libdlz_bind9, named needs to access /var/tmp/DNS-${HOSTNAME}_xxx ticke$
  /var/tmp/** krw,
  /tmp/** krw,
2. Regenerated the dns.keytab
3. Ensured that the new DC is listed as the SOA record in the DNS for
mydomain.local
4. Added the requested config to my named.conf:
  tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
  #tried with and without the line below, no difference
  tkey-domain "MYDOMAIN.LOCAL";
5. Attempted to transfer and seize roles from both Windows and Samba
I've run out of ideas here, and would appreciate any help or additional
things to attempt. If I cannot seize the naming role, shutting down the Windows
box results in syslog being flooded with "Can't contact
OLDDC.mydomain.local"-type errors. I want to rid the domain of all memories
of SBS so I'm worried that not migrating the naming role will keep some
dependency in place.
Thanks for any help!
Kind Regards,
Pat
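The post's checklist (apparmor profile entries, a regenerated dns.keytab, the tkey-gssapi-keytab directive) is the usual set of prerequisites for BIND to accept a GSS-TSIG TKEY negotiation from Samba. The script below is an added example, not code from the post or from the Samba project: it pre-flights those prerequisites in one place so each can be confirmed before running samba_dnsupdate again. It assumes a named.conf-style file carrying the tkey-gssapi-keytab directive, an AppArmor profile fragment in the "path perms," form shown in the post, and GNU stat; the function names and the two-argument usage are my own.

```shell
#!/usr/bin/env bash
# Added example (not from the post or from Samba): pre-flight checks for the
# BIND GSS-TSIG (TKEY) setup described above. Usage:
#   ./tkey_preflight.sh /etc/bind/named.conf.options /etc/apparmor.d/usr.sbin.named
# Both paths are assumptions; substitute your own.

# Print the keytab path named by the tkey-gssapi-keytab directive in a
# named.conf-style file; return 1 if the directive is missing.
tkey_keytab_path() {
    conf="$1"
    path=$(sed -n 's/^[[:space:]]*tkey-gssapi-keytab[[:space:]]*"\([^"]*\)".*/\1/p' "$conf" | head -n 1)
    [ -n "$path" ] || return 1
    printf '%s\n' "$path"
}

# The keytab must exist, be non-empty, and must NOT be world-readable:
# named needs to read it, nobody else should (it holds the DNS service key).
# Uses GNU stat's octal mode output.
keytab_check() {
    keytab="$1"
    [ -s "$keytab" ] || { echo "keytab missing or empty: $keytab" >&2; return 1; }
    mode=$(stat -c '%a' "$keytab") || return 1
    case "$mode" in
        *[4567]) echo "keytab is world-readable (mode $mode): $keytab" >&2; return 1 ;;
    esac
    return 0
}

# Check that an AppArmor profile fragment grants at least read ("r") access
# to a path, honouring the "**" wildcard used in the post's profile lines.
apparmor_allows_read() {
    profile="$1"; want="$2"
    while read -r path perms; do
        case "$path" in ''|'#'*) continue ;; esac   # skip blanks and comments
        perms=${perms%,}                            # drop the trailing comma
        case "$perms" in *r*) ;; *) continue ;; esac
        pattern=$(printf '%s' "$path" | sed 's/\*\*/*/g')
        # Unquoted on purpose: the profile path is used as a shell glob.
        case "$want" in $pattern) return 0 ;; esac
    done < "$profile"
    return 1
}

# Run every check; succeed only if all of them pass.
preflight() {
    conf="$1"; profile="$2"
    keytab=$(tkey_keytab_path "$conf") || { echo "no tkey-gssapi-keytab directive in $conf" >&2; return 1; }
    keytab_check "$keytab" || return 1
    apparmor_allows_read "$profile" "$keytab" || { echo "profile $profile does not let named read $keytab" >&2; return 1; }
    # If Kerberos tools are installed, list the principals so you can confirm
    # the keytab really holds a DNS service key for this host.
    if command -v klist >/dev/null 2>&1; then klist -k "$keytab"; fi
    echo "TKEY prerequisites look consistent for $keytab"
    return 0
}

# Run only when invoked with both paths; harmless when sourced as a library.
if [ $# -eq 2 ]; then preflight "$1" "$2"; fi
```

A non-zero exit points at the first failing prerequisite and prints why; the profile check is deliberately strict about "r" so a line granting only "m" or "k" on the keytab path is reported as a finding.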
