Version 4.2.0pre1-GIT-20999fc
openSUSE
BIND9.9.3

Hi

We're getting refusal of ddns updates using nsupdate from a client sending the updates from sssd:

2013-09-14T22:53:36.517230+02:00 hh16 named[11055]: samba_dlz: starting transaction on zone hh3.site
2013-09-14T22:53:36.522244+02:00 hh16 named[11055]: samba_dlz: disallowing update of signer=CATRAL\$\@HH3.SITE name=catral.hh3.site type=A error=insufficient access rights
2013-09-14T22:53:36.522283+02:00 hh16 named[11055]: client 192.168.1.21#40836/key CATRAL\$\@HH3.SITE: updating zone 'hh3.site/NONE': update failed: rejected by secure update (REFUSED)
2013-09-14T22:53:36.522310+02:00 hh16 named[11055]: samba_dlz: cancelling transaction on zone hh3.site

CATRAL is a Linux client which is joined successfully to the domain. CATRAL$ is the machine key created in /etc/krb5.keytab when we joined the domain.

/etc/named.conf

options {
    directory "/var/lib/named";
    managed-keys-directory "/var/lib/named/dyn/";
    forwarders { 192.168.1.1; };
    notify no;
    tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
};
include "/usr/local/samba/private/named.conf";

It starts fine:

2013-09-14T23:12:39.763122+02:00 hh16 named[11513]: Loading 'AD DNS Zone' using driver dlopen
2013-09-14T23:12:40.165286+02:00 hh16 named[11513]: samba_dlz: started for DN DC=hh3,DC=site
2013-09-14T23:12:40.166355+02:00 hh16 named[11513]: samba_dlz: starting configure
2013-09-14T23:12:40.166993+02:00 hh16 named[11513]: samba_dlz: configured writeable zone '1.168.192.in-addr.arpa'
2013-09-14T23:12:40.168235+02:00 hh16 named[11513]: samba_dlz: configured writeable zone 'hh3.site'
2013-09-14T23:12:40.169545+02:00 hh16 named[11513]: samba_dlz: configured writeable zone '_msdcs.hh3.site'

smb.conf:

[global]
    workgroup = HH3
    realm = HH3.SITE
    netbios name = HH16
    server role = active directory domain controller
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbbind, ntp_signd, kcc, dnsupdate
    idmap_ldb:use rfc2307 = yes

[netlogon]
    path = /usr/local/samba/var/locks/sysvol/hh3.site/scripts
    read only = No

[sysvol]
    path = /usr/local/samba/var/locks/sysvol
    read only = No

What's missing?

Thanks,
Steve