When Apache httpd attempts to access a user directory automounted with sec=krb5p, and presumably other sec=krb options, gssproxy issues a failure message and the web server replies with 403 Forbidden. The debug option on gssproxy has not been sufficiently illuminating. To rule out non-RPCGSS issues: the 403 is not issued when a valid KRB5CC owned by uidNumber 48 (apache) is present in /tmp, and the web server will display the appropriate page. However, this is due to the behavior of rpc.gssd. gssproxy still issues the same failure message.
gssproxy: gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) for service "nfs-client", euid: 0, socket: (null)
gssproxy: gssproxy[639]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found
# cat /etc/gssproxy/gssproxy.conf
[gssproxy]
[service/HTTP]
mechs = krb5
cred_store = keytab:/etc/gssproxy/http.keytab
cred_store = ccache:/var/lib/gssproxy/clients/krb5cc_%U
euid = 48
[service/nfs-server]
mechs = krb5
socket = /run/gssproxy.sock
cred_store = keytab:/etc/krb5.keytab
trusted = yes
kernel_nfsd = yes
euid = 0
[service/nfs-client]
mechs = krb5
cred_store = keytab:/etc/krb5.keytab
cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U
cred_store = client_keytab:/var/lib/gssproxy/clients/%U.keytab
cred_usage = initiate
allow_any_uid = yes
trusted = yes
euid = 0
# klist -ke /var/lib/gssproxy/clients/$(id -u apache).keytab
Keytab name: FILE:/var/lib/gssproxy/clients/48.keytab
KVNO Principal
---- --------------------------------------------------------------------------
2 apache/[email protected] (aes256-cts-hmac-sha1-96)
2 apache/[email protected] (aes128-cts-hmac-sha1-96)
2 apache/[email protected] (camellia256-cts-cmac)
2 apache/[email protected] (camellia128-cts-cmac)
# cat /etc/systemd/system/gssproxy.service.d/override.conf
[Service]
ExecStart=
ExecStart=/usr/sbin/gssproxy -D --debug
I used strace to see that gssproxy was looking for the keytab in /var/kerberos/krb5/user/48/client.keytab. I also needed to set the SELinux context:
It appears that the HTTP stanza is taking precedence over the nfs-client stanza for UID 48.
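The following is an added example, not code from the original post or from the gssproxy project. It parses the gssproxy.conf shown above (embedded inline) and models how a connecting process is matched to a [service/...] stanza, to make the precedence observation concrete. The matching rule it uses (first stanza in file order whose socket matches the connection and whose euid equals the caller's euid or which has allow_any_uid = yes), the default socket path /var/lib/gssproxy/default.sock, and the expansion of %U to the caller's uid are assumptions chosen to reproduce the behaviour described in the post, not a statement of gssproxy's exact internal algorithm. It generalizes beyond uid 48: any euid and socket can be checked against any config text.

```python
# Added example (not from the original post or from gssproxy itself).
# Models stanza selection in a gssproxy.conf to show why a request from
# euid 48 lands in [service/HTTP] rather than [service/nfs-client].
# ASSUMPTIONS: first-match-in-file-order rule, default socket path below,
# and %U in cred_store values expanding to the caller's uid.
from __future__ import annotations
from dataclasses import dataclass, field

DEFAULT_SOCKET = "/var/lib/gssproxy/default.sock"  # assumed default path

# Config from the post, embedded verbatim so the example runs offline.
GSSPROXY_CONF = """\
[gssproxy]
[service/HTTP]
mechs = krb5
cred_store = keytab:/etc/gssproxy/http.keytab
cred_store = ccache:/var/lib/gssproxy/clients/krb5cc_%U
euid = 48
[service/nfs-server]
mechs = krb5
socket = /run/gssproxy.sock
cred_store = keytab:/etc/krb5.keytab
trusted = yes
kernel_nfsd = yes
euid = 0
[service/nfs-client]
mechs = krb5
cred_store = keytab:/etc/krb5.keytab
cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U
cred_store = client_keytab:/var/lib/gssproxy/clients/%U.keytab
cred_usage = initiate
allow_any_uid = yes
trusted = yes
euid = 0
"""


@dataclass
class Service:
    name: str
    euid: int | None = None
    allow_any_uid: bool = False
    socket: str | None = None          # None means the default socket
    cred_store: list[str] = field(default_factory=list)
    other: dict[str, str] = field(default_factory=dict)


def parse_gssproxy_conf(text: str) -> list[Service]:
    """Parse the INI-like file. cred_store repeats within a stanza, which is
    why the standard configparser (which collapses duplicate keys) is not used."""
    services: list[Service] = []
    current: Service | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            if section.startswith("service/"):
                current = Service(name=section[len("service/"):])
                services.append(current)
            else:
                current = None  # [gssproxy] global section: not modelled here
            continue
        if current is None or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "euid":
            current.euid = int(value)
        elif key == "allow_any_uid":
            current.allow_any_uid = value.lower() in ("yes", "true", "1")
        elif key == "socket":
            current.socket = value
        elif key == "cred_store":
            current.cred_store.append(value)
        else:
            current.other[key] = value
    return services


def select_service(services: list[Service], euid: int,
                   socket: str | None = None) -> Service | None:
    """ASSUMED rule: walk stanzas in file order; the first one listening on the
    connection's socket whose euid matches (or which allows any uid) wins."""
    wanted = socket or DEFAULT_SOCKET
    for svc in services:
        if (svc.socket or DEFAULT_SOCKET) != wanted:
            continue
        if svc.allow_any_uid or svc.euid == euid:
            return svc
    return None


def explain(services: list[Service], euid: int,
            socket: str | None = None) -> dict:
    """Report which stanza a caller hits and which credential stores it would
    get, with %U expanded to the uid (assumed expansion, matching the
    $(id -u apache).keytab naming used in the post)."""
    svc = select_service(services, euid, socket)
    if svc is None:
        return {"service": None, "cred_store": [], "has_client_keytab": False}
    stores = [entry.replace("%U", str(euid)) for entry in svc.cred_store]
    return {
        "service": svc.name,
        "cred_store": stores,
        "has_client_keytab": any(s.startswith("client_keytab:") for s in stores),
    }


if __name__ == "__main__":
    svcs = parse_gssproxy_conf(GSSPROXY_CONF)
    for uid in (48, 0, 1000):
        print(uid, explain(svcs, uid))
```

Run as-is, the report for euid 48 names the HTTP stanza and lists only its keytab and ccache stores, so the client_keytab entry that nfs-client would supply for 48.keytab is never consulted; euids other than 48 on the default socket fall through to nfs-client. If the real gssproxy's precedence differs from the assumed first-match rule, the parser still works and only select_service needs adjusting.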