On 25 Apr 2022, at 15:14, Alexander Bokovoy via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
You need to instruct gssproxy to use a client keytab that contains
the user's keys.
You have to use the user's keys in that keytab because you need to make sure
the UID of the user has the same mapping between what the client runs and
what the NFS server uses. For users it is done more or less automatically.
For services it is not because Kerberos services in IPA do not have
POSIX identities.
https://github.com/gssapi/gssproxy/blob/main/docs/NFS.md#keytab-based-client-initiation
describes a general solution.
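
The client-side gssproxy service section this advice points at, added here as an example and not part of the original message: `%U` expands to the numeric UID of the calling process, so each user's keys live in a keytab named after that UID. The section name, paths and option values are assumed from the stock NFS client configuration covered by the linked document; compare them with the gssproxy configuration installed on your client.

```ini
# Added example (assumed defaults, verify against your installed gssproxy config).
# Applies to the NFS client side: rpc.gssd asks gssproxy to initiate
# Kerberos contexts on behalf of local processes.
[service/nfs-client]
  mechs = krb5
  # Host keytab, used for the machine credential.
  cred_store = keytab:/etc/krb5.keytab
  # Per-UID credential cache that gssproxy fills after using the client keytab.
  cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U
  # Per-UID client keytab. %U is the numeric UID of the process touching the
  # NFS mount, so a process running as UID 1234 (constructed value) makes
  # gssproxy look for /var/lib/gssproxy/clients/1234.keytab.
  # That keytab must hold keys for the *user* principal whose UID on the
  # NFS server is also 1234. A service principal has no POSIX identity in
  # IPA, so the server has no UID to map it to.
  cred_store = client_keytab:/var/lib/gssproxy/clients/%U.keytab
  # Only initiate (client) contexts; this section never accepts.
  cred_usage = initiate
  # Serve requests for any local UID, selecting the keytab by %U.
  allow_any_uid = yes
  trusted = yes
  # Only requests arriving from a root-owned caller (rpc.gssd) match.
  euid = 0
```

A keytab in that directory is a long-term credential for the user it names, so keep it readable only by root and the gssproxy daemon.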