Hello,
I have a poor man’s (samba) Active Directory at home and have my Linux (Fedora) and TrueNAS SCALE as members. SMB shares work great.
I have come across an app that makes some exotic I/O with mmap and does not work over SMB but requires NFS. So for the first time I tried to setup NFS, and I have gotten as far as to mount with option sec=sys, but I unfortunately sec=krb5 which would match my AD account, does not work:
root@mylaptop:~# mount -vvv -t nfs4 -o vers=4,sec=krb5 nas.ad.home.lan:/mnt/family-tank/mydata /mnt/mydata
mount.nfs4: timeout set for Tue Mar 10 21:36:37 2026
mount.nfs4: trying text-based options 'sec=krb5,vers=4.2,addr=192.168.9.250,clientaddr=192.168.9.198'
mount.nfs4: mount(2): Permission denied
mount.nfs4: trying text-based options 'sec=krb5,vers=4,minorversion=1,addr=192.168.9.250,clientaddr=192.168.9.198'
mount.nfs4: mount(2): Permission denied
mount.nfs4: trying text-based options 'sec=krb5,vers=4,addr=192.168.9.250,clientaddr=192.168.9.198'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting nas.ad.home.lan:/mnt/family-tank/mydata
For the above test I have set the NFS share to have Security=KRB5 instead of SYS and the NFS service has “NFSv4 enabled” and “Require Kerberos for NFSv4” is checked.
If I use SYS and uncheck the require kerberos checkbox, I am able to mount with:
root@mylaptop:~# mount -vvv -t nfs4 -o vers=4,sec=sys nas.ad.home.lan:/mnt/family-tank/mydata /mnt/mydata
mount.nfs4: timeout set for Tue Mar 10 21:42:27 2026
mount.nfs4: trying text-based options 'sec=sys,vers=4.2,addr=192.168.9.250,clientaddr=192.168.9.198'
root@mylaptop:~# ls -al /mnt/mydata/
total 13
drwxr-xr-x. 2 100001104 100000514 3 Mar 10 20:04 .
drwxr-xr-x. 3 root root 24 Mar 10 11:37 ..
-rwxr-xr-x. 1 100001104 100000514 13 Mar 10 20:04 file.txt
root@mylaptop:~# cat /mnt/mydata/file.txt
data in file
So something is wrong with Kerberos? Things I have checked:
- The forward/reverse DNS works via the Samba DNS for both machines (NAS can lookup laptop by name and resolve its IP back to its name, and the same the other way around)
- Both machines have “nfs/machine.ad.home.lan@AD.HOME.LAN” in their
klist -koutput nfsidmap -doutputs AD.HOME.LAN which is my domain in both machines- I can login to both machines with my AD account and getent passwd/group works on both
The only weird thing is that on my laptop the ID values are different. In Fedora I used “realm join” and sssd uses these values:
root@mylaptop.ad.home.lan ~# getent group "domain users@ad.home.lan"
domain users@ad.home.lan:*:1400600513:myuser@ad.home.lan
root@mylaptop.ad.home.lan ~# getent passwd "myuser@ad.home.lan"
myuser@ad.home.lan:*:1400601103:1400600513:My Name:/home/myuser@ad.home.lan:/bin/zsh
However, when I run the same in TrueNAS it seems to use the DOMAIN\username syntax and (more importantly) has different ID values:
root@nas[/mnt/family-tank/mydata]# getent group 'domain users@ad.home.lan'
root@nas[/mnt/family-tank/mydata]# getent group 'HOME\domain users'
HOME\domain users:x:100000514:
root@nas[/mnt/family-tank/mydata]# getent passwd "myuser@ad.home.lan"
HOME\myuser:*:100001104:100000514:My Name:/var/empty:/bin/sh
So the values are different for some reason and I can only lookup the username with “myuser@ad.home.lan” but the group does not work as “domain users@ad.home.lan@.
I should note that this has never been an issue with SMB shares…
Could this be the problem? Is there a way to get Fedora to match the TrueNAS format for string identifiers? Is the problem something else?