    [PATCH] Allow unattended nfs3/krb5 mounts · ef8cd3e0
    Frank Cusack authored
    The comment in nfs_get_root() basically describes the patch:
    
        Some authentication types (gss/krb5, most notably)
        are such that root won't be able to present a
        credential for GETATTR (ie, getroot()).
    
    An easy way (ie, without this patch) to have unattended mounts is to
    have a root/host@REALM (or similar) principal stashed in a keytab, which
    root (rather, gssd) can use.  However, this might not be desirable for
    many sites.  In any case, RFC2623 specifically describes the problem
    addressed here.
    
    Notes:
    
    - Root inode gets inum of 1.  This doesn't seem to matter, but may be
      aesthetically unpleasing.  I wanted to choose an inum unlikely to
      conflict with an existing inum (although NFS has specific support
      for that).  It looks like more work than it's worth to change the
      inum after the info is available.  AFAICT it's not critical info.
    
    - Solaris has this "weird" (but understandable) behavior that after
      mounting without a credential, the mount point is not visible at all
      until an access is attempted with a credential.  This now-you-see-it-
      now-you-don't behavior doesn't seem worthwhile to reproduce here.
    
    - Unfortunately, MOUNT_VERSION must go to 5.  Some kernels with ver 4
      do not understand pseudoflavor.  Keeping it at 4 means that the
      userland mount can't know for sure whether the kernel accepted the
      option or not.  (Unless I'm missing some hack that could be done.)
    
    It works in my environment, against a netapp server (with the rpcsec_gss
    patch I provided earlier).
inode.c 44.1 KB