OpenSuse 11.3 nfsv4: client to nfs4 server (OpsenSuse11.0) with kerberos does not work!

After installing OpenSuse 11.3 on a client I am trying to mount the home-share via nfsv4/krb5 on the OpenSuse 11.0 server.
Userlogin via ldap/krb5 works fine. Kerberos login via kinit works also.
Only mounting the share with sec=krb5 gives the error message
mount.nfs4: access denied by server while mounting server.domain:/home
I get a machine credential
Mounting without sec=krb5 works fine.
GSS/krb5 works fine with all other clients under OpenSuse 11.0, 11.1 and 11.2.

Is there a incompatibility between krb5 on 11.3 and 11.0? Ha anyone experienced the same problems?
Any help is appreciated.

Emil

Some additional infos:
While calling mount I get the following output from rc.gssd -frrrvvv:

Warning: rpcsec_gss library does not support setting debug level
beginning poll
handling krb5 upcall
Full hostname for ‘server.domain’ is ‘server.domain’
Full hostname for ‘client.domain’ is ‘client.domain’
Success getting keytab entry for ‘root/client.domain@DOMAIN’
Successfully obtained machine credentials for principal ‘root/client.domain@DOMAIN’ stored in ccache ‘FILE:/tmp/krb5cc_machine_DOMAIN’
INFO: Credentials in CC ‘FILE:/tmp/krb5cc_machine_DOMAIN’ are good until 1280277201
using FILE:/tmp/krb5cc_machine_DOMAIN as credentials cache for machine creds
using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_DOMAIN
creating context using fsuid 0 (save_uid 0)
creating tcp client for server server.domain
DEBUG: port already set to 2049
creating context with server nfs@server.domain
**WARNING: Failed to create krb5 context for user with uid 0 for server server.domain
WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5cc_machine_DOMAIN for server server.domain
WARNING: Machine cache is prematurely expired or corrupted trying to recreate cache for server server.domain
**Full hostname for ‘server.domain’ is ‘server.domain’
Full hostname for ‘client.domain’ is ‘client.domain’
Success getting keytab entry for ‘root/client.domain@DOMAIN’
Successfully obtained machine credentials for principal ‘root/client.domain@DOMAIN’ stored in ccache ‘FILE:/tmp/krb5cc_machine_DOMAIN’
INFO: Credentials in CC ‘FILE:/tmp/krb5cc_machine_DOMAIN’ are good until 1280277201
using FILE:/tmp/krb5cc_machine_DOMAIN as credentials cache for machine creds
using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_DOMAIN
creating context using fsuid 0 (save_uid 0)
creating tcp client for server server.domain
DEBUG: port already set to 2049
creating context with server nfs@server.domain
**WARNING: Failed to create krb5 context for user with uid 0 for server server.domain
WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5cc_machine_DOMAIN for server server.domain
WARNING: Failed to create machine krb5 context with any credentials cache for server server.domain
**doing error downcall
destroying client clnt2e

At the same time rpc.svcgssd -frrriiivvv does not output anything.
All firewalls are off in this test…
The same procedure from older clients works fine and produces messages on the server…
The server is only contacted via krb5 but not via gss.

May be this info is helpful.

Emil

Closing my monolog:
according to
Re: cannot mount nfsv4/krb5 with krb51.7, 1.8 and 1.8.1 – Linux NFS
adding to /etc/krb5.conf:
[libdefaults]
allow_weak_crypto = true

solved the incompatibility between krb5 1.8.1 and 1.6.3… by allowing des keys.

Maybe this helps someone else.

Emil