Windows part:
Step 0: Ignore this complicated bullshit here https://docs.microsoft.com/en-us/previous-versions/msp-n-p/ff649429(v=pandp.10) There is no reason to use an SPN. It only adds some kind of proxy but no security. Go to Step 1.
Step 1: Install the NFS server on Windows as described on the web, and create a share folder.
Step 1.1: The Windows NFS server's log is located here: Event Manager, Services and Applications, Microsoft, ServicesForNFS-Server (no idea why it's written like that)
Step 2: Use this configuration for the network share
Step 3: From PowerShell, execute this to enable mapping via AD:
Step 4: A restart is probably required.
FreeBSD part:
Step 0: FQDN?
Step 1: Install pam_krb5 (linked with MIT in my case)
Step 2: Install /etc/krb5.conf (pretty ordinary, lots of examples on the Internet, but notice tkt_enctypes). Also, on FreeBSD the pam section is commented out because pam ignores it for some reason anyway.
Step 3: Check that you can get your ticket with kinit.
Step 4: Uncomment the krb5 sections where you need them in /etc/pam.d/* to log in. Note that login via ssh and getting a ccache file is broken on FreeBSD 11.2. Try other methods to verify that you get your ticket in the default /tmp/krb5* location.
Step 5: These services are used for UNIX/AD user mapping. Enable and start them. The last one probably isn't required.
# kerberos
gssd_enable="YES"
nfsuserd_enable="YES"
#nfscbd_enable="YES"
Step 6:
mount -o sec=krb5,minorversion=1,nfsv4 sun3.domain.local:/nfs_share_test1 /mnt/
Mounted file's permissions will be shown as 'nobody:nobody' because FreeBSD can't resolve Windows users and groups on its side. Despite this mapping, the real permissions are still respected, and access on the UNIX box is checked via the Kerberos ticket.
Windows, though, sets ownership differently depending on whether the user is in the Domain Administrator (or Administrators?) group. It was possible to change this on old Windows (pre 2008?) but not now.
So this link is irrelevant.
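A preflight check for the FreeBSD steps above, written as an added example that is not part of the original notes. The function names and the sample rc.conf content are constructed for illustration; on a live system `sysrc -n` can replace the file parsing.

```shell
#!/bin/sh
# Added example: preflight for the FreeBSD side. Helper names are hypothetical.

# Step 0: the hostname should be fully qualified (host plus a domain part).
is_fqdn() {
    case "$1" in
        ""|.*|*.|*..*) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Step 5: true if VAR="YES" appears uncommented in an rc.conf-style file.
rc_enabled() {  # usage: rc_enabled VAR FILE
    grep -Eiq "^[[:space:]]*$1=\"?YES\"?[[:space:]]*(#.*)?\$" "$2"
}

# After Step 6: true if a comma-separated mount option list carries a
# Kerberos security flavour (krb5, krb5i or krb5p) rather than sec=sys.
mount_uses_krb5() {  # usage: mount_uses_krb5 "opt1,opt2,..."
    case ",$1," in
        *,sec=krb5,*|*,sec=krb5i,*|*,sec=krb5p,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample: the rc.conf lines from Step 5.
sample_rc() {
    printf '%s\n' '# kerberos' 'gssd_enable="YES"' \
        'nfsuserd_enable="YES"' '#nfscbd_enable="YES"'
}

preflight() {  # usage: preflight [RC_FILE]
    rc=${1:-/etc/rc.conf}; fail=0
    is_fqdn "$(hostname)" || { echo "hostname is not an FQDN (Step 0)"; fail=1; }
    # klist -s prints nothing and exits 0 only if the cache holds valid tickets.
    klist -s 2>/dev/null || { echo "no valid ticket, run kinit (Step 3)"; fail=1; }
    for svc in gssd_enable nfsuserd_enable; do
        rc_enabled "$svc" "$rc" || { echo "$svc not enabled in $rc (Step 5)"; fail=1; }
    done
    return "$fail"
}

# Run the checks only when asked: sh thisfile preflight [RC_FILE]
if [ "${1:-}" = "preflight" ]; then preflight "${2:-}"; fi
```

After mounting, pass the option list that `nfsstat -m` reports for the mount to `mount_uses_krb5` to confirm the share is not running with sec=sys.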