FreeBSD 11.0, samba45, DLZ, BIND9.11.2, no auto DNS update

The following has been driving me crazy.

I have an 11.0-RELEASE-p12, samba45 from pkg, BIND-9.11.2_2 from ports with GSSAPI_BASE, DLZ_FILESYSTEM and no PYTHON support, and the following config files (relevant bits only):

BIND is running outside chroot!

        default = FILE:/var/log/krb5libs.log
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmind.log

        default_realm = SAMDOM.EXAMPLE.COM
        dns_lookup_realm = false
        dns_lookup_kdc = true
        ticket_lifetime = 48h
        renew_lifetime = 7d
        forwardable = true
#        default_keytab_name = FILE:/var/db/samba4/private/dns.keytab

        kdc =
        admin_server =


        tkey-gssapi-keytab "/etc/krb5.keytab";
        tkey-domain "SAMDOM.EXAMPLE.COM";

dlz "AD DNS Zone" {
        database "dlopen /usr/local/lib/shared-modules/bind9/ -d 3";

/etc/krb5.keytab is a copy of /var/db/samba4/private/dns.keytab and has perm 640 and root:bind ownership.

        netbios name = SAMBA
        realm = SAMDOM.EXAMPLE.COM
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = MYWRKGRP
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
        nsupdate command = /usr/local/bin/samba_dnsupdate -g
        interfaces = 192.168.x.1
        bind interfaces only = yes
        ea support = yes
        domain master = yes
        preferred master = yes

        tkey-gssapi-credential "DNS/";
        tkey-domain "SAMDOM.EXAMPLE.COM";

[ 1:40am] /usr/ports/dns/bind911/>klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: administrator@SAMDOM.EXAMPLE.COM

  Issued                Expires               Principal
Nov  4 01:02:54 2017  Nov  4 11:02:54 2017  krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM

Now, the problem:
Samba will not update BIND when I join a new PC to the domain, and all I get is this:
04-Nov-2017 01:10:39.220 client @0x29104000 using view '_default'
04-Nov-2017 01:10:39.220 client @0x29104000 request has valid signature: administrator\@SAMDOM.EXAMPLE.COM
04-Nov-2017 01:10:39.220 client @0x29104000 administrator\@SAMDOM.EXAMPLE.COM: recursion available
04-Nov-2017 01:10:39.220 client @0x29104000 administrator\@SAMDOM.EXAMPLE.COM: update
04-Nov-2017 01:10:39.220 samba_dlz: starting transaction on zone
04-Nov-2017 01:10:39.229 samba_dlz: GSS server Update(krb5)(1) Update failed:  An unsupported mechanism was requested: unknown mech-code 0 for mech 1 2 840 113554 1 2 2
04-Nov-2017 01:10:39.229 samba_dlz: SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
04-Nov-2017 01:10:39.229 samba_dlz: SPNEGO login failed: NT_STATUS_LOGON_FAILURE
04-Nov-2017 01:10:39.230 samba_dlz: spnego update failed
04-Nov-2017 01:10:39.230 client @0x29104000 administrator\@SAMDOM.EXAMPLE.COM: updating zone '': update failed: rejected by secure update (REFUSED)
04-Nov-2017 01:10:39.230 samba_dlz: cancelling transaction on zone

I was only able to find the same issue on FreeBSD and not any Linux distro. Is this something specific to samba and the OS or am I missing something?

The following work perfectly fine and so do the shares and net join
smbclient -L \\ -U userX
smbclient // -Uadministrator

The only issue is the auto (or lack thereof) DNS creation.
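
A small triage script for the BIND log excerpt in the post above, added here as an example and not part of the original post. It pairs each REFUSED update with the principal whose signature BIND had already accepted and with the samba_dlz errors logged in between, and names the GSS mechanism OID from the error text. The function name `triage` and the record fields are assumptions of this example.

```python
import re

# Log lines copied from the post above (the zone name is empty there too).
SAMPLE = r"""04-Nov-2017 01:10:39.220 client @0x29104000 request has valid signature: administrator\@SAMDOM.EXAMPLE.COM
04-Nov-2017 01:10:39.220 client @0x29104000 administrator\@SAMDOM.EXAMPLE.COM: update
04-Nov-2017 01:10:39.220 samba_dlz: starting transaction on zone
04-Nov-2017 01:10:39.229 samba_dlz: GSS server Update(krb5)(1) Update failed:  An unsupported mechanism was requested: unknown mech-code 0 for mech 1 2 840 113554 1 2 2
04-Nov-2017 01:10:39.229 samba_dlz: SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
04-Nov-2017 01:10:39.229 samba_dlz: SPNEGO login failed: NT_STATUS_LOGON_FAILURE
04-Nov-2017 01:10:39.230 samba_dlz: spnego update failed
04-Nov-2017 01:10:39.230 client @0x29104000 administrator\@SAMDOM.EXAMPLE.COM: updating zone '': update failed: rejected by secure update (REFUSED)
04-Nov-2017 01:10:39.230 samba_dlz: cancelling transaction on zone
""".splitlines()

SIGNED = re.compile(r"client (@0x[0-9a-f]+) request has valid signature: (\S+)")
REFUSED = re.compile(r"client (@0x[0-9a-f]+) .*updating zone '([^']*)': update failed: (.+)$")
DLZ = re.compile(r"samba_dlz: (.+)$")
MECH = re.compile(r"for mech ((?:\d+ )+\d+)")
KNOWN_MECHS = {"1.2.840.113554.1.2.2": "Kerberos 5", "1.3.6.1.5.5.2": "SPNEGO"}

def triage(lines):
    """Return one record per refused dynamic update, with the samba_dlz errors before it."""
    signer, errors, findings = {}, [], []
    for line in lines:
        if m := SIGNED.search(line):
            # BIND accepted the request signature for this client object.
            signer[m.group(1)] = m.group(2).replace("\\@", "@")
        elif m := DLZ.search(line):
            msg = m.group(1)
            if msg.startswith("starting transaction"):
                errors = []  # a new update attempt begins
            elif "failed" in msg:
                errors.append(msg)
        elif m := REFUSED.search(line):
            # Turn "1 2 840 ..." from the GSS error into dotted OID form.
            oids = [o.replace(" ", ".") for e in errors for o in MECH.findall(e)]
            findings.append({
                "client": m.group(1),
                "principal": signer.get(m.group(1)),  # None if no valid signature was logged
                "zone": m.group(2),
                "reason": m.group(3),
                "dlz_errors": list(errors),
                "mechs": [KNOWN_MECHS.get(o, o) for o in oids],
            })
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

On this excerpt the record shows a principal with a valid signature, four samba_dlz failures, and the mechanism reported as unsupported resolving to Kerberos 5 itself.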