NetApp Knowledge Base

NFS mount fails with RPC accept GSS token procedure failed

Applies to

  • ONTAP 9
  • NFS
  • Kerberos

Issue

  • NFS mount attempts with `sec=krb5p` fail with:

[root@test-02 etc]# mount -vvvv -t nfs4 -o sec=krb5 10.1.1.51:/test /mnt
mount.nfs4: timeout set for Tue Nov 25 12:56:09
mount.nfs4: trying text-based options 'sec=krb5,vers=4.2,addr=10.1.1.51,clientaddr=192.168.1.2'
mount.nfs4: mount(2): Permission denied
mount.nfs4: trying text-based options 'sec=krb5,vers=4,minorversion=1,addr=10.1.1.51,clientaddr=192.168.1.2'
mount.nfs4: mount(2): Permission denied
mount.nfs4: trying text-based options 'sec=krb5,vers=4,addr=10.1.1.51,clientaddr=192.168.1.2'
mount.nfs4: mount(2): Permission denied

  • Error seen in the event logs:

[NODE-01 secd: secd.nfsAuth.problem:error]: vserver (svm1) General NFS authorization problem. Error: RPC accept GSS token procedure failed   
[  1 ms] Acquired NFS service credential for logical interface 1064 (SPN='nfs/nfs.svm.spn@domain.com'). 
**[     2] FAILURE: Failed to accept the context: Unspecified GSS failure.  Minor code may provide more information (minor: Service key not available).

  • SECD logs: 

info :  Acquired NFS service credential for logical interface 1064 (SPN='nfs/nfs.svm.spn@domain.com'{ in getCredential() at src/gss/secd_gss_accept_token.cpp:266 }
info :  Permitting NFS Kerberos Enc Type: 'aes256-cts' for logical interface 1064 (SPN='nfs/nfs.svm.spn@domain.com').  { in getNfsAllowableAcceptorEncTypes() at src/gss/secd_gss_accept_token.cpp:150 }
info :  Permitting NFS Kerberos Enc Type: 'aes128-cts' for logical interface 1064 (SPN='nfs/nfs.svm.spn@domain.com').  { in getNfsAllowableAcceptorEncTypes() at src/gss/secd_gss_accept_token.cpp:150 }
info :  [krb5 context 099BC600] Retrieving nfs/nfs.svm.spn@domain.com from SPINKT:kt:N:7:1064 (vno 1, enctype aes256-sha2) with result: -1765328203/Key table entry not found
info :  [krb5 context 099BC600] Failed to decrypt AP-REQ ticket: -1765328339/Service key not available
ERR  :  Failed to accept the context: Unspecified GSS failure.  Minor code may provide more information (minor: Service key not available). { in acceptGssToken() at src/gss/secd_gss_accept_token.cpp:921 }
debug:  SecD RPC Server sending reply to RPC 451: secd_rpc_accept_gss_token  { in secdSendRpcResponse() at src/server/secd_rpc_server.cpp:2259 }
ERR  :  RESULT_ERROR_SECLIB_GSSAPI_BAD_CONTEXT:7134 in getFailureCode() at src/utils/secd_thread_task_journal.cpp:348
ALERT:  sending EMS. Logging the RPC to secd.log  { in shouldLogInEms() at src/utils/secd_ems_utils.cpp:263 }
debug:  Logged unhandled NFS auth failure code '7134' to EMS using the EMS_secd_nfsAuth_problem EMS  { in logEmsEventWithJournalForNfsAuthError() at src/utils/secd_ems_utils.cpp:1347 }

  • Packet trace extract: 

585   10.1.1.2  10.1.1.51   NFS  V4 NULL Call (Reply In 586)
enc-part
etype: eTYPE-AES256-CTS-HMAC-SHA384-192 (20)
authenticator 
etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
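
The following Python example is added here and is not part of the NetApp article or of ONTAP tooling: it correlates the "Permitting NFS Kerberos Enc Type" lines with failed keytab lookups in a saved SECD log excerpt and reports whether the enctype the lookup asked for was one SECD had permitted for that SPN. The function name, the regular expressions and the alias table are assumptions built from the log lines shown above; the etype numbers are those of RFC 3962 and RFC 8009.

```python
import re

# Short enctype names as SECD prints them, mapped to Kerberos etype numbers
# (17/18 from RFC 3962, 19/20 from RFC 8009). Alias table is an assumption.
ETYPES = {"aes128-cts": 17, "aes128-sha1": 17, "aes256-cts": 18,
          "aes256-sha1": 18, "aes128-sha2": 19, "aes256-sha2": 20}

PERMIT_RE = re.compile(
    r"Permitting NFS Kerberos Enc Type: '([^']+)' for logical interface "
    r"\d+ \(SPN='([^']+)'\)")
LOOKUP_RE = re.compile(
    r"Retrieving (\S+) from \S+ \(vno (\d+), enctype ([\w-]+)\) "
    r"with result: (-?\d+)/(.+)$")

# Constructed sample: lines taken from the SECD excerpt above, with the
# trailing "{ in ... }" source locations trimmed.
SAMPLE = [
    "info :  Permitting NFS Kerberos Enc Type: 'aes256-cts' for logical interface 1064 (SPN='nfs/nfs.svm.spn@domain.com').",
    "info :  Permitting NFS Kerberos Enc Type: 'aes128-cts' for logical interface 1064 (SPN='nfs/nfs.svm.spn@domain.com').",
    "info :  [krb5 context 099BC600] Retrieving nfs/nfs.svm.spn@domain.com from SPINKT:kt:N:7:1064 (vno 1, enctype aes256-sha2) with result: -1765328203/Key table entry not found",
]


def find_keytab_misses(lines):
    """Return one finding per failed keytab lookup, recording whether the
    requested enctype was among those SECD permitted for that SPN."""
    permitted, findings = {}, []   # permitted: SPN -> set of etype numbers
    for line in lines:
        m = PERMIT_RE.search(line)
        if m:
            name, spn = m.groups()
            permitted.setdefault(spn, set()).add(ETYPES.get(name, name))
            continue
        m = LOOKUP_RE.search(line)
        if m and int(m.group(4)) != 0:   # non-zero krb5 result = lookup failed
            spn, kvno, name, _code, text = m.groups()
            etype = ETYPES.get(name, name)
            allowed = permitted.get(spn, set())
            findings.append({
                "spn": spn, "kvno": int(kvno), "enctype": name, "etype": etype,
                "error": text.strip(), "permitted": sorted(allowed, key=str),
                "enctype_permitted": etype in allowed})
    return findings


if __name__ == "__main__":
    for finding in find_keytab_misses(SAMPLE):
        print(finding)
```

On the sample lines it reports one failed lookup for etype 20 while only etypes 17 and 18 were permitted for the SPN, which lines up with the enc-part etype shown in the packet trace extract.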
