Hi,
Yes, and it is no wonder, because UPN and SPN serve different tasks. I recommend searching MS TechNet for this. They have a nice explanation of it.
In simple terms it's service for a receiver and user for initiator. Unfortunately this can sometimes get a little blurry. NFSv4 is a good example of that.
Exactly :-) . In NFSv4, rpc.gssd expects the UPN and rpc.svcgssd the SPN - and no one is going to tell you this, as no one expects you will use a Windows-based KDC for NFSv4... :-( . In a Linux-based KDC there is no strict distinction between these, I believe (citation needed here).
MIT KDC provides related functionality, but as the documentation suggests, it is probably something most people do not want to use.
5.3.3 Adding or Modifying Principals
{-|+}allow_svr
The “-allow_svr” flag prohibits the issuance of service tickets for this principal. “+allow_svr” clears this flag. In effect, “-allow_svr” sets the KRB5_KDB_DISALLOW_SVR flag on the principal in the database.

{-|+}allow_tgs_req
The “-allow_tgs_req” option specifies that a Ticket-Granting Service (TGS) request for a service ticket for this principal is not permitted. You will probably never need to use this option. “+allow_tgs_req” clears this flag. The default is “+allow_tgs_req”. In effect, “-allow_tgs_req” sets the KRB5_KDB_DISALLOW_TGT_BASED flag on the principal in the database.
http://web.mit.edu/kerberos/krb5-1.9/krb5-1.9.2/doc/krb5-admin.html
Cheers,