Fundamental constraints:

• NFS requires domain credentials (consistent mapping between all potential clients and server)
• systemd requires machine-local credentials to own system services (refuses to use domain accounts)

Desirable characteristics:

• No additional network dependencies (running kerberized NFS already requires connectivity to kdc, and potentially connectivity to ldap)
• solution addresses security concerns here: https://www.redhat.com/archives/freeipa-users/2013-February/msg00268.html

Potential solutions:

• Duplicate system and local users, manually synchronizing uid/gid (note: sssd will fail to provide results to getpwuid() queries due to duplicates).
• modify systemd to permit domain users to run system services provided network authentication is online.
• modify sssd with "strong caching": where certain domain accounts are virtually local and permit offline/disconnected operation.
• ???

Related to:

• https://fedorahosted.org/freeipa/ticket/2801
• https://fedorahosted.org/freeipa/ticket/4082
• https://fedorahosted.org/freeipa/ticket/3430

FreeIPA project no longer actively maintains an upstream guide (see details). However, as this documentation would fit for the FreeIPA.org wiki site, I am just updating it's component.