Kerberos#Domain_creation: Where does `logging.* = CONSOLE` end up? As far as I can see, this completely breaks logging.
Kerberos#Create_client_principals: "Finally, copy /etc/krb5.keytab from the server to the client: `# scp kbserver.example.com:/etc/krb5.keytab /etc/krb5.keytab`" DO NOT DO THIS. YOUR CLIENTS SHOULD NOT HAVE THE SERVER KEYS. Same thing in the NFS section.
In my opinion, configuring your firewall and DNS are not advanced topics, but very common ones used in most secure server configurations. If you feel strongly, feel free to explain your reasoning.
Is using `-o sec=krb5` or similar in the mount command ever required? I use `mount -t nfs4 -o vers=4.2 host:/path /path` for sec=krb5p exports.
Finally, I kind of want to remove those "certdepot" references, since they advise copying the server's entire keytab to all clients...