It wasn't clear to me what security benefit you're describing here.
What *specifically* do you think this improves security wise?
Example:
Say you have NFS server 'polaris' and NFS client 'deneb'. You want to
mount a polaris share on deneb using krb5 security. For this you need
nfs/ principals in /etc/krb5.keytab on both machines.

On deneb you need a UPN principal in the form of nfs/.... for the
rpc.gssd daemon, because it is not treated as a service principal; in
reality it is used to get a TGT, hence it must be a UPN.

On polaris1 you also need an nfs/ principal, but it is sufficient for it
to be an SPN. The polaris1 machine is a server providing a service,
hence an SPN is fine here to make rpc.svcgssd happy.

And how does it affect security? Easily - if you declare an nfs/ UPN
principal for deneb and an nfs/ SPN principal for polaris, you are
making sure that only polaris can be used as an NFS server and deneb as
an NFS client, and not vice-versa.