Found it. It was selinux related. For some reason allow_gssd_read_tmp was off; running semanage boolean -1 allow_gssd_read_tmp solved it. [As a side note: why is this even tunable? Is there a practical usage mode of rpc.gssd that does not require access to the credential caches?] Thanks again for your help! Tom