It wasn't clear to me what security benefit you're describing here. What
*specifically* do you think this improves security-wise?
Example:
Say you have an NFS server 'polaris' and an NFS client 'deneb'. You want
to mount a polaris share on deneb using krb5 security. For this you
need nfs/ principals in /etc/krb5.keytab on both machines.
On deneb you need a UPN principal in the form of nfs/.... for the
rpc.gssd daemon, because it is not treated as a service principal; in
reality it is used to get a TGT, so it must be a UPN.
On polaris1 you also need an nfs/ principal, but it is sufficient for it
to be an SPN. The polaris1 machine is a server providing a service, hence
an SPN is fine here to make rpc.svcgssd happy.
And how does it affect security? Easily - if you declare an nfs/ UPN
principal for deneb and an nfs/ SPN principal for polaris, you are making
sure that only polaris can be used as an NFS server and deneb as an
NFS client and not vice-versa.
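
One way to check this split on each machine, as an added example that is not part of the original message. It assumes the MIT Kerberos `klist` and `kinit` tools, and that an nfs/ principal which is only an SPN cannot obtain a TGT (so `kinit -k` fails for it); the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit that a host's nfs/ keytab entries match its role.
# Assumption: kinit -k succeeds only for an nfs/ principal that is a UPN.

# Print the unique nfs/ principals found in `klist -k` output on stdin.
nfs_principals() {
    awk '$1 ~ /^[0-9]+$/ && $2 ~ /^nfs\// { print $2 }' | sort -u
}

# role_ok ROLE KINIT_RC: a client must be able to get a TGT (rc 0),
# a server-only host must not (rc non-zero).
role_ok() {
    case "$1" in
        client) [ "$2" -eq 0 ] ;;
        server) [ "$2" -ne 0 ] ;;
        *) return 2 ;;
    esac
}

# audit_host ROLE KEYTAB: try kinit with every nfs/ principal in KEYTAB,
# using a throwaway credential cache so existing tickets are untouched.
audit_host() {
    role=$1 keytab=$2 status=0 seen=0
    cc=$(mktemp) || return 2
    for p in $(klist -k "$keytab" | nfs_principals); do
        seen=1 rc=0
        KRB5CCNAME="FILE:$cc" kinit -k -t "$keytab" "$p" >/dev/null 2>&1 || rc=$?
        if role_ok "$role" "$rc"; then
            echo "OK   $p (kinit rc=$rc, role=$role)"
        else
            echo "FAIL $p (kinit rc=$rc, role=$role)"
            status=1
        fi
    done
    rm -f "$cc"
    if [ "$seen" -eq 0 ]; then
        echo "FAIL no nfs/ principal in $keytab"
        status=1
    fi
    return "$status"
}

# Usage (as root): audit_host client /etc/krb5.keytab   on deneb
#                  audit_host server /etc/krb5.keytab   on polaris
```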