NFSv4 sharing with sec=krb5 - AD user id mapping mismatch

Hi, I have been pulling my hair out with this issue for a few days, hoping to get some advice. I will try to keep things as brief as possible.

I have a TrueNAS machine running 25.04.1. I have configured Active Directory by joining TrueNAS to my local AD DC. It has a functioning Kerberos Realm/Principal.

My goal is to access NFS shares hosted on TrueNAS from Linux clients that are joined to the domain using SSSD. For example, I have joined a Proxmox server to my domain using the realmd system, which works great. Now I have users on both my TrueNAS and Proxmox machines, both referencing a single source of truth for users. Theoretically, if I choose krb5 as the NFS share security option, and my client has a valid Kerberos ticket, I should be able to access my NFSv4 share using my user’s username+domain rather than UID/GID.

The issue I am facing arises when I want to provision access to users on the NFS clients. I can successfully mount the NFS share I have created in TrueNAS; however, users that should have permissions based on the NFSv4 ACLs in TrueNAS do not have access to the mounted directory.

My user, DOMAIN\user, as a member of DOMAIN\share admins, has full control of the path shared via NFS, see this in TrueNAS:

root@truenas[~]# su -c 'touch /mnt/slow/downloads/test.txt' user@domain
root@truenas[~]# ls -la /mnt/slow/downloads
total 3
drwxrwx--- 4 root         DOMAIN\share admins 5 Jun 16 22:26 .
drwxr-xr-x 4 root         root                4 Jun 16 22:16 ..
drwxrwx--- 4 root         DOMAIN\share admins 4 Jun 13 20:51 media
-rwxrwx--- 1 DOMAIN\user  DOMAIN\share admins 0 Jun 16 22:26 test.txt

Note that users and groups are presented in the “flat domain name” format of DOMAIN\user.

On my Proxmox server, I can mount the NFS share without a problem, but when I try to do the same action with my user:

root@pve1:~# mount 10.6.10.30:/mnt/slow/downloads /mnt/truenas-slow/downloads -v
mount.nfs: timeout set for Mon Jun 16 22:34:00 2025
mount.nfs: trying text-based options 'vers=4.2,addr=10.6.10.30,clientaddr=10.6.10.20'
root@pve1:~# nfsidmap -l
3 .id_resolver keys found:
  uid:root@domain.com
  gid:DOMAIN\share admins@domain.com
  gid:root@domain.com
root@pve1:~# su -c 'touch /mnt/truenas-slow/downloads/test2.txt' user@domain
touch: cannot touch '/mnt/truenas-slow/downloads/test2.txt': Permission denied

Permission is denied! And even more importantly, check the content of the nfsidmap keyring cache. It has weirdly formatted the group id as DOMAIN\share admins@domain.com, with a domain reference on either side.

I can get around this issue by doing the following:
Selecting “Use Default Domain” in TrueNAS in my AD configuration:


This removes the DOMAIN\ prefix from users and groups.

And also adding the following line to my sssd.conf file on the client:
use_fully_qualified_names = False
This removes the @domain.com suffix from users and groups.

Now, on my NFS client I have the appropriate permissions (after unmounting, clearing nfsidmap cache and remounting):

root@pve1:~# mount 10.6.10.30:/mnt/slow/downloads /mnt/truenas-slow/downloads -v
mount.nfs: timeout set for Mon Jun 16 22:55:10 2025
mount.nfs: trying text-based options 'vers=4.2,addr=10.6.10.30,clientaddr=10.6.10.20'
root@pve1:~# nfsidmap -l
3 .id_resolver keys found:
  uid:root@domain.com
  gid:share admins@domain.com
  gid:root@domain.com
root@pve1:~# su -c 'touch /mnt/truenas-slow/downloads/test2.txt' user@domain
root@pve1:~# su -c 'ls -l /mnt/truenas-slow/downloads/test2.txt' user@domain
-rwxrwx--- 1 user share admins 0 Jun 16 22:53 /mnt/truenas-slow/downloads/test2.txt

Note the correctly formatted share admins@domain.com without the HOME\prefix.

I don’t think this kind of workaround should be necessary. In fact, I believe this should be configurable on the TrueNAS side to allow customising the format that AD users and groups use. This is because running the nfsidmap -d command on both TrueNAS and my client returns the same domain.com value. I also tried adjusting the sssd.conf file on my client by adding full_name_format = %3$s\%1$s (giving DOMAIN\user format to users and groups on client), however the @domain.com suffix was still present in the nfsidmap cache which again caused an id mismatch.

Sorry for the extremely long post, hopefully I’ve explained the problem clearly. Is there something I should be doing in TrueNAS to allow AD users on clients to access NFSv4 shares with sec=krb5 that I have missed, without relying on the default domain feature?