nfsv4 sec=krb5p and user impersonation

Matt Garman matthew.garman at gmail.com
Tue Sep 9 17:00:20 EDT 2014


I'm trying to understand the nuances of how user authentication works
with NFSv4 using the sec=krb5p (or presumably any "krb5" sec option).
In particular, I am concerned about user impersonation.

Here's a situation which hopefully better explains the scenario:

Say there are a bunch of NFSv4 sec=krb5p client Linux servers.  These
all mount a single share from an NFS server.  That share contains user
home directories.  All non-root user accounts authenticate via
Kerberos.  Root authentication is local (/etc/passwd, /etc/shadow).

Case 1: I login as root directly to one of the nfs client servers.  If
I "su -l" to a user, I still get "permission denied" when I try to see
his home directory.  (Unless, of course, I then run kinit and type in
that user's password.)

Case 2: I login first as a user, then "su -l" to root.  At this point,
I still get "permission denied" when trying to look at any user's home
directory.  But I can then "su -l <user>", where <user> is *anyone*,
and I can see their home directory (without knowing their password).

In short, the only difference between Case 1 and Case 2 is that Case 2
starts off as being logged in as a user, then does su to root; whereas
Case 1 starts off as root directly.

The only thing I can figure is that in Case 2 a Kerberos ticket is
created, since I'm logging in as the user.  Since in Case 1, I login
as root, the authentication is local to that machine, and no Kerberos
ticket is created.  But in Case 2, it appears that the original user
ticket somehow becomes "universal", in that, after su'ing to root, I
can then su to anyone and see his files.

All Kerberos implementations are MIT, native CentOS (RHEL) packages.
In my case, client systems are CentOS 5.7, using krb5 1.6.1-62.
Server is CentOS 6.4, using krb5 1.10.3-10.

Thanks!
Matt
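An added illustration (not part of Matt's message) of the piece of the client that decides which Kerberos identity an NFS request carries: rpc.gssd does not look at who logged in, it looks for a credential cache belonging to the uid making the request. By default it scans a cache directory (/tmp on these systems) for files named krb5cc_<uid>... that are owned by that uid and takes the newest one. The script below reproduces that selection rule in a simplified form over a constructed directory and adds the audit a defender would run on such a client: flag caches whose owner does not match the uid in the name and caches readable by other users. The file names, the sample directory, the audit rule and the constant names are this example's own assumptions; the matching logic approximates rpc.gssd's default behaviour rather than reproducing its code.

```python
import os
import re
import stat
import tempfile
import time

# rpc.gssd's default cache file pattern: krb5cc_<uid>, optionally with a suffix.
CACHE_RE = re.compile(r"^krb5cc_(\d+)(?:_.*)?$")

MY_UID = os.getuid()
# A uid that is certainly not ours, used to construct a mis-owned cache below.
OTHER_UID = 65534 if MY_UID != 65534 else 65533


def select_ccache(ccache_dir, uid):
    """Simplified rpc.gssd lookup: newest regular file in ccache_dir whose
    name is krb5cc_<uid>... and whose owner is that uid. None if no match."""
    best_path, best_mtime = None, None
    for name in os.listdir(ccache_dir):
        m = CACHE_RE.match(name)
        if not m or int(m.group(1)) != uid:
            continue
        path = os.path.join(ccache_dir, name)
        st = os.lstat(path)
        # Symlinks and files owned by someone else are ignored, as gssd does.
        if not stat.S_ISREG(st.st_mode) or st.st_uid != uid:
            continue
        if best_mtime is None or st.st_mtime > best_mtime:
            best_path, best_mtime = path, st.st_mtime
    return best_path


def audit_ccaches(ccache_dir):
    """Audit rule (this example's own): report caches whose owner differs from
    the uid in their name, and caches that are group- or world-readable."""
    findings = []
    for name in sorted(os.listdir(ccache_dir)):
        m = CACHE_RE.match(name)
        if not m:
            continue
        st = os.lstat(os.path.join(ccache_dir, name))
        uid_in_name = int(m.group(1))
        if st.st_uid != uid_in_name:
            findings.append((name, "owned by uid %d, name says uid %d"
                             % (st.st_uid, uid_in_name)))
        if st.st_mode & 0o077:
            findings.append((name, "readable by others (mode %o)"
                             % (st.st_mode & 0o777)))
    return findings


def build_sample_dir():
    """Constructed sample cache directory (not real Kerberos data):
    two caches for our uid (old and new), one cache named for another uid
    but owned by us, and one cache of ours left world-readable."""
    d = tempfile.mkdtemp(prefix="ccache-demo-")
    now = time.time()
    layout = [
        ("krb5cc_%d_old" % MY_UID, 0o600, now - 600),
        ("krb5cc_%d_new" % MY_UID, 0o600, now),
        ("krb5cc_%d" % OTHER_UID, 0o600, now),
        ("krb5cc_%d_shared" % MY_UID, 0o644, now - 300),
        ("not_a_cache.txt", 0o600, now),
    ]
    for name, mode, mtime in layout:
        path = os.path.join(d, name)
        with open(path, "wb") as fh:
            fh.write(b"constructed placeholder, not a real ccache\n")
        os.chmod(path, mode)
        os.utime(path, (mtime, mtime))
    return d


def run_demo():
    """Run the selection and the audit over the sample directory."""
    ccache_dir = build_sample_dir()
    chosen = select_ccache(ccache_dir, MY_UID)
    return {
        "chosen": os.path.basename(chosen) if chosen else None,
        "chosen_for_other": select_ccache(ccache_dir, OTHER_UID),
        "flagged": sorted({name for name, _ in audit_ccaches(ccache_dir)}),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, "=", value)
```

The point the demo makes is that the lookup is keyed purely on the target uid and file ownership: a cache that exists under the right uid and owner is used for every process running as that uid, whatever path of su calls produced the process. Running the audit function against the real /tmp of a client (as root, since other users' caches are 0600) is the practical check.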

