In the 'uid:gid:gid:...' case (for '-maproot' or '-mapall'), if no GID
is specified at all (i.e., input is of the form 'uid:', with the colon
at the end), mountd(8) would pass credentials with an empty array of
groups to the kernel.

For security reasons, we have put in place a kernel fallback a few
commits ago, which currently is the value of
NFSD_VNET(nfsrv_defaultgid). That value is by default GID_NOGROUP, and
may be set by nfsuserd(8) based on the content of '/etc/group' on the
host (or some other source, depending on 'nsswitch.conf'). As,
according to rmacklem@, lots of installations do not run nfsuserd(8), we
emulate its effect here by first trying to find the GID number
corresponding to "nogroup" and falling back to GID_NOGROUP.