I wanted to use NFSv4 at home between TrueNAS and my Mac using Kerberos authentication. I documented my build here:
This may be of interest if you:
Also want to use NFSv4 in a small non-production environment.
Are worried, or appalled, by the thought of using sec=sys.
Tried sec=sys and found synchronising UIDs across your environment is very difficult.
Don’t have an Active Directory or FreeIPA.
Want a small and simple Kerberos server to run in a TrueNAS container that works with the kinds of infrastructure you might already have – like your own local DNS, or TailScale.
I hope this will inspire others to use secure NFSv4 authentication where they would not otherwise have the infrastructure to support it.
I hope this will also inspire TrueNAS to include a local Kerberos server in the base install to handle local authentication for NFSv4 and SMB – like Microsoft is doing on Windows so that NTLMv2 can be deprecated. Samba and MIT Kerberos support for Windows-compatible local Kerberos (IAKERB) is coming soon and I hope will be quickly integrated into TrueNAS and clients.
I tried to make the guide very detailed but it still expects a reasonable level of UNIX and TrueNAS understanding.
All of the configuration can be done in the GUI, except a bonus step that also enables Kerberos for SMB using everything that is already in place for NFSv4. I think it is an oversight that TrueNAS does not do this for you when TrueNAS is Kerberos-integrated, and that this could and should be done automatically by TrueNAS.