Would someone please look at bugzilla linux-nfs org / show_bug.cgi ? id=318.
If I’m logged in a hedrick but current credentials are hedrick.admin, I have a key ring with credentials for both hedrick and hedrick.admin.
If gssd need to recreate its context (e.g. because they credentials have expired) it aquires GSSAPI credentials with NONAME. That will give it hedrick.admin. Later in the code is checks to see if the credentials it has are for hedrick, and fails. This is kind of silly. If you aquire what credentials you want, it will look through the keyring and pick the right ones. So the call to acquire should specify the desired principal.
The bug report gives code to fix it. Because I don’t want to build my own gssd, my patch uses LD_PRELOAD to intercept calls, but the code could be put into the source in the obvious way.