The behavior you are seeing is a result of the way the Linux client deals with credentials. Once it finds a working credential, it caches it in memory. Even after you kdestroy, your (still valid) credentials are cached by the client.

Quoting from http://www.citi.umich.edu/projects/nfsv4/linux/faq/

The kernel code caches the gssapi context that was negotiated using the Kerberos credentials. Destroying the credentials does not destroy the context in the kernel. We plan to change this behavior when moving to use the new key ring kernel support to store credentials and contexts.

Unfortunately, the client still doesn't use the key ring support.

From the kernel documentation for kernel parameters

nfs.nfs4_disable_idmapping=

[NFSv4] When set to the default of '1', this option ensures that both the RPC level authentication scheme and the NFS level operations agree to use numeric uids/gids if the mount is using the 'sec=sys' security flavour. In effect it is disabling idmapping, which can make migration from legacy NFSv2/v3 systems to NFSv4 easier. Servers that do not support this mode of operation will be autodetected by the client, and it will fall back to using the idmapper. To turn off this behaviour, set the value to '0'.

nfsd.nfs4_disable_idmapping=

[NFSv4] When set to the default of '1', the NFSv4 server will return only numeric uids and gids to clients using auth_sys, and will accept numeric uids and gids from such clients. This is intended to ease migration from NFSv2/v3.

nfs.nfs4_disable_idmapping=1 and nfsd.nfs4_disable_idmapping=1

Disabling the id mapper nfsd.nfs4_disable_idmapping=1 and nfs.nfs4_disable_idmapping=1 on the SERVER and CLIENT resulted in systemd starting up to the user login prompt, with only 1 error:

• Failed to start Remount Root and Kernel File System, which was however resolved by adding modconf to the mkinitcpio hooks; together with block keyboard in an attempt to deal with the other apparent problem:
• the laptop keyboard does not work...

The rpc.idmapd -fvvv did not output any messages.

I am able to login as root using an external USB keyboard, read and create files. I have not done any extensive testing so there could still be problems with this solution.

nfs.nfs4_disable_idmapping=0 and nfsd.nfs4_disable_idmapping=0

It seems that echo "options nfs nfs4_disable_idmapping=0" >> /etc/modprobe.d/nfs.conf (or cat /sys/module/nfsd/parameters/nfs4_disable_idmapping -> N) on the CLIENT did not have any effect.

The CLIENT id mapper was disabled until I explicitly passed the parameter nfs.nfs4_disable_idmapping=0 to the kernel during boot (GRUB).

The rpc.idmapd -fvvv did not output any complaints. On the other hand, it did not print out anything else after establishing the first rpc.idmapd: Server : (user) id "0" -> name "root@localdomain"...

The Wireshark log however no longer records a NFS4ERR_BADOWNER.

Nonetheless, all the systemd startup failures persist...

• Failed to mount POSIX Message Queue File System.
• Failed to start Remount Root and Kernel File System.
• Failed to mount Huge Pages File System.
• Failed to mount Kernel Debug File System.
• Failed to mount Kernel Configuration File System.
• Then ends with Not tainted 4.13.12-1-ARCH #1...

Conclusion

nfs.nfs4_disable_idmapping=0 and nfsd.nfs4_disable_idmapping=0

Save for setting up Kerberos and troubleshooting, I am not sure what to try next. The rpc.idmapd still seems to be unable to map correct permissions, but rpc.idmapd -fvvv no longer outputs any errors...? What to do? The boot errors could perhaps be caused by something else... I dunno...

nfs.nfs4_disable_idmapping=1 and nfsd.nfs4_disable_idmapping=1

Although it works, the approach seems wrong; I am not migrating, and I should be able to set up the system using rpc.idmapd. For now it will have to do; it will probably come back and bite me in the future...