
Cannot kinit nfs/ principal

1 vote
1 answer
295 views
I'm trying to mount an NFSv4 share, but the mount command cannot get permission to mount the share. When I try to mount a share I receive the message:
mount.nfs4: mount(2): Permission denied
And if I try to kinit the nfs principal with: kinit -k -t /etc/krb5.keytab nfs/nfshost.domain.com@DOMAIN.COM it returns:
kinit: Client 'nfs/nfshost.domain.com@DOMAIN.COM' not found in Kerberos database while getting initial credentials
Here are all the details on how I'm trying to configure and test the service. All hosts are Debian 12. On the NFS server: /etc/hosts file
127.0.0.1	localhost
172.17.0.10	nfshost.domain.com nfshost
...
/etc/krb5.conf file
[libdefaults]
  dns_lookup_realm = false
  dns_lookup_kdc = false
  default_realm = DOMAIN.COM
  default_keytab_name = FILE:/etc/krb5.keytab
  default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
  default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
  allow_weak_crypto = 0

[realms]
  DOMAIN.COM = {
  kdc = 172.17.0.20
  master_kdc = 172.17.0.20
  default_domain = domain.com
  admin_server = 172.17.0.20
  }

[domain_realm]
domain.com = DOMAIN.COM
.domain.com = DOMAIN.COM
/etc/exports file
/exports         172.17.0.0/16(rw,sync,fsid=0,no_subtree_check,crossmnt,sec=krb5)
/exports/users   172.17.0.0/16(rw,sync,no_subtree_check,sec=krb5)
/etc/idmapd.conf file
[General]
Verbosity = 0
Domain = domain.com

[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup

[Translation]
Method = nsswitch
/etc/default/nfs-kernel-server file
RPCNFSDCOUNT=8
RPCNFSDPRIORITY=0
RPCMOUNTDOPTS="--manage-gids"
NEED_SVCGSSD="yes"
RPCSVCGSSDOPTS=""
/etc/default/nfs-common file
NEED_STATD=no
STATDOPTS=
NEED_IDMAPD=yes
NEED_GSSD=yes
Commands to add the NFS server entry into the domain (AD Samba)
# kdestroy
# kinit administrator
# msktutil delete --computer-name NFSHOST --server 172.17.0.20
# msktutil -c -b "CN=COMPUTERS" -s HOST/nfshost.domain.com -h nfshost -k /etc/krb5.keytab --computer-name NFSHOST --server 172.17.0.20 --dont-expire-password --verbose --enctypes 28
In AD (Samba at 172.17.0.20), add the following SPNs to the NFS server host just added:
# samba-tool spn add nfs/nfshost NFSHOST$
# samba-tool spn add nfs/nfshost.domain.com NFSHOST$
# samba-tool spn add RestrictedKrbHost/nfshost NFSHOST$
# samba-tool spn add RestrictedKrbHost/nfshost.domain.com NFSHOST$
Check the NFS server host entry with samba-tool computer show nfshost:
dn: CN=NFSHOST,CN=Computers,DC=domain,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: NFSHOST
instanceType: 4
whenCreated: 20230901104446.0Z
uSNCreated: 202585
name: NFSHOST
objectGUID: 305c91e0-328d-47f4-ab30-7a4c0ea951dc
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 133380386868301530
primaryGroupID: 515
objectSid: S-1-5-21-2898533208-202842514-1397044296-107323
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: NFSHOST$
sAMAccountType: 805306369
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=domain,DC=com
isCriticalSystemObject: FALSE
dNSHostName: nfshost.domain.com
msDS-SupportedEncryptionTypes: 28
userAccountControl: 69632
servicePrincipalName: HOST/nfshost.domain.com
servicePrincipalName: host/nfshost
servicePrincipalName: nfs/nfshost
servicePrincipalName: nfs/nfshost.domain.com
servicePrincipalName: RestrictedKrbHost/nfshost
servicePrincipalName: RestrictedKrbHost/nfshost.domain.com
whenChanged: 20230901104626.0Z
uSNChanged: 202594
distinguishedName: CN=NFSHOST,CN=Computers,DC=domain,DC=com
Generate the NFS host keytab:
# samba-tool domain exportkeytab --principal=nfs/nfshost.domain.com keytab.NFSHOST-nfs
Back in the NFS server: Retrieve the generated keytab from the AD:
scp root@172.17.0.20:/root/keytab.NFSHOST-nfs .
Merge it into the /etc/krb5.keytab file:
# ktutil
   rkt /etc/krb5.keytab
   rkt /root/keytab.NFSHOST-nfs
   wkt /etc/krb5.keytab
   quit

# chmod 600 /etc/krb5.keytab
# chown root:root /etc/krb5.keytab
Check if the SPNs are there: klist -kte /etc/krb5.keytab | grep nfs/nfshost.domain.com returns several of:
1 01/09/2023 07:59:33 nfs/nfshost.domain.com@DOMAIN.COM (aes256-cts-hmac-sha1-96) 
1 01/09/2023 07:59:33 nfs/nfshost.domain.com@DOMAIN.COM (aes128-cts-hmac-sha1-96)
Restart some services
exportfs -rav
/etc/init.d/nfs-kernel-server restart
/etc/init.d/nfs-common restart
mount --bind /home/users /exports/users
Clocks between AD and the NFS server are in sync. The hosts are in the same VLAN, with no firewall between them and no firewall on either host. On to the tests: trying to mount a share (still on the NFS server) with mount -t nfs4 nfshost.domain.com:/users /mnt -o sec=krb5 -v returns:
mount.nfs4: timeout set for Fri Sep  1 08:03:22 2023
mount.nfs4: trying text-based options 'sec=krb5,vers=4,addr=172.17.0.10,clientaddr=172.17.0.10'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting nfshost.domain.com:/users
Try to kinit the nfs principal: kinit -k -t /etc/krb5.keytab nfs/nfshost.domain.com@DOMAIN.COM returns:
kinit: Client 'nfs/nfshost.domain.com@DOMAIN.COM' not found in Kerberos database while getting initial credentials
The /var/log/syslog file has several of:
Sep  1 08:03:25 nfshost rpc.gssd: ERROR: No credentials found for connection to server nfshost.domain.com
What am I missing to correctly configure this NFS service?
Asked by igorkattar (81 rep)
Sep 1, 2023, 08:04 PM
Last activity: Sep 2, 2023, 03:16 PM
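A configuration check added here as an example (not part of the question or of any tool it mentions): it parses klist -kte output like the two keytab lines in the question, decodes the msDS-SupportedEncryptionTypes value 28 shown in the AD object, and reports keytab keys the account does not support, kvno mismatches between keys, and weak enctypes on either side. The sample klist text is constructed from the question's lines.

```python
import re
from collections import defaultdict

# Bit values of the AD msDS-SupportedEncryptionTypes attribute.
AD_ENCTYPE_BITS = {0x01: "des-cbc-crc", 0x02: "des-cbc-md5", 0x04: "arcfour-hmac",
                   0x08: "aes128-cts-hmac-sha1-96", 0x10: "aes256-cts-hmac-sha1-96"}
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "arcfour-hmac"}
# A data line of `klist -kte`: "<kvno> <date> <time> <principal> (<enctype>)"
KLIST_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\((\S+)\)\s*$")

def decode_supported_enctypes(value):
    """Enctype names encoded in an msDS-SupportedEncryptionTypes value (e.g. 28)."""
    return {name for bit, name in AD_ENCTYPE_BITS.items() if value & bit}

def parse_klist(output):
    """Map principal -> {enctype: kvno}; header and separator lines are skipped."""
    entries = defaultdict(dict)
    for line in output.splitlines():
        m = KLIST_RE.match(line)
        if m:
            entries[m.group(2)][m.group(3)] = int(m.group(1))
    return dict(entries)

def check_service_keytab(klist_output, principal, ad_enctypes_value):
    """Cross-check one service principal's keytab keys against its AD account.
    Returns a list of findings; an empty list means the two are consistent."""
    keys = parse_klist(klist_output).get(principal)
    if not keys:
        return [f"{principal} has no entry in the keytab"]
    supported = decode_supported_enctypes(ad_enctypes_value)
    findings = [f"keytab has {e} but AD account does not support it"
                for e in keys if e not in supported]
    findings += [f"weak enctype {e} present in keytab" for e in keys if e in WEAK_ENCTYPES]
    if len(set(keys.values())) > 1:   # keys left over from different export runs
        findings.append(f"kvno mismatch across keys: {sorted(set(keys.values()))}")
    findings += [f"AD account still advertises weak enctype {e}"
                 for e in sorted(supported & WEAK_ENCTYPES)]
    return findings

# Constructed sample: the two keytab lines from the question, with klist's header line.
SAMPLE_KLIST = """KVNO Timestamp           Principal
   1 01/09/2023 07:59:33 nfs/nfshost.domain.com@DOMAIN.COM (aes256-cts-hmac-sha1-96)
   1 01/09/2023 07:59:33 nfs/nfshost.domain.com@DOMAIN.COM (aes128-cts-hmac-sha1-96)
"""

if __name__ == "__main__":
    for f in check_service_keytab(SAMPLE_KLIST, "nfs/nfshost.domain.com@DOMAIN.COM", 28):
        print("WARNING:", f)
```

On a live host, feed it the real output of klist -kte /etc/krb5.keytab and the msDS-SupportedEncryptionTypes value from samba-tool computer show; with the question's values it only flags that 28 still includes arcfour-hmac, which the server's krb5.conf (allow_weak_crypto = 0, AES-only enctypes) will never use.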