I recently noticed that spamassassin (running as the local “daemon”
account) will hang some of the time when processing messages, and tracked it to the process attempting to access
~user/.spamassassin/user_prefs.  I believe that should return an access failure, but sometimes the process stalls instead.

In any case, I’d like to allow access, but my understanding is that processes without a Kerberos ticket cannot access an NFS4 filesystem with sec=krb5.  Is that correct?  If so, how would I allow a local system account to access globally readable files? Should I create a keytab, and set KRB5_KTNAME in the spamassassin environment?

Does anyone working with NFS and krb5 have any tips?