NFSv4 and Kerberos for home/lab environments

Evan123 · June 24, 2025, 10:22am

I wanted to use NFSv4 at home between TrueNAS and my Mac using Kerberos authentication. I documented my build here:

github.com/evan314159/truenas-home-kerberos

README.md

main

# truenas-home-kerberos
How I Setup Kerberos for a Home TrueNAS Environment

Problem Statement
=================
I wanted to use NFSv4 at home between TrueNAS and my Mac.

NFSv4 authentication is designed for enterprise environments.  The NFSv4 "simple / low infrastructure" system authentication mode (sec=sys) requires user ID numbers (uids) to match between TrueNAS and clients. It was designed for centrally-managed IT environments from decades ago. It is hard for an end user to implement themselves across multiple different platforms (TrueNAS, Mac, Linux each have different uid schemes).  It was also designed for a security model from decades ago -- any client can report they are any user ID number.

NFSv4 also supports Kerberos authentication (sec=krb5). Kerberos is a centralised authentication system that provides single sign-on for many protocols, including NFSv4 and SMB. It's how Windows devices seamlessly authenticate to SMB shares and other services in enterprise Windows environments. With Kerberos, NFSv4 does not require user IDs to match between TrueNAS and clients, making NFSv4 both easy to setup and secure.  Perfect!

TrueNAS doesn't come with a local Kerberos server or one in Apps.  Enterprises use Active Directory or FreeIPA for Kerberos, but they are complex for a small environment.  I wanted something simple for just a few users and computers.

Approach
========
* Deploy Kerberos in a container running on TrueNAS
* Integrate TrueNAS and clients with Kerberos
* Setup NFSv4 to use Kerberos authentication
* Enable Kerberos for SMB, as an extra bonus

This file has been truncated. show original

This may be of interest if you:

Also want to use NFSv4 in a small non-production environment.
Are worried, or appalled, by the thought of using sec=sys.
Tried sec=sys and found synchronising UIDs across your environment is very difficult.
Don’t have an Active Directory or FreeIPA.
Want a small and simple Kerberos server to run in a TrueNAS container that works with the kinds of infrastructure you might already have – like your own local DNS, or TailScale.

I hope this will inspire others to use secure NFSv4 authentication, where they otherwise would not have the infrastructure to support.

I hope this will also inspire TrueNAS to include a local Kerberos server in the base install to handle local authentication for NFSv4 and SMB – like Microsoft is doing on Windows so that NTLMv2 can be deprecated. Samba and MIT Kerberos support for Windows-compatible local Kerberos (IAKERB) is coming soon and I hope will be quickly integrated into TrueNAS and clients.

I tried to make the guide very detailed but it still expects a reasonable level of UNIX and TrueNAS understanding.

All of the configuration can be done in the GUI, except a bonus step that also enables Kerberos for SMB using everything that is already in place for NFSv4. I think it is an oversight that TrueNAS does not do this for you when the TrueNAS is Kerberos-integrated, and that this could and should be done automatically by TrueNAS.