[Help-needed] Modern guide for NFSv4 & Kerberos on 15.0

Hello dear community.

Pulling my hair out 🤯 as I've spent so many hours researching, searching and trying to get it working... Feeling lost due to outdated write-ups and minimal debugging info available 😵‍💫
Goal - set up NFSv4.2 shares that a user would mount by being authorized via an MIT Kerberos (KDC) server on the network. (While all of this runs in an internal/homelab network, I need to have security in place, so no v3 or v2 is possible.)

Current progress:

✅1️⃣ auth.domain.tld (host) - working krb5 KDC server that holds principals and issues tickets (I'm able to ssh into the NFS server with a user's ticket). kadmin is accessible over the network.

⚠️2️⃣ server.domain.tld (host) - NFS server based on FreeBSD 15.0 that I need help configuring:

So far I've narrowed down the needed services on the server:
/etc/rc.conf:
Code:
gssd_enable="YES" # a must-have - kernel GSS-API daemon
nfs_server_enable="YES" # main service to start NFS - nothing works without it
nfsv4_server_only="YES" # disable NFS vers2, vers3 support
nfsv4_server_enable="YES"
nfsuserd_enable="YES" # a must-have to map users, I assume
/etc/sysctl.conf:
Code:
vfs.nfsd.enable_stringtouid=1

I've learned that the NFS server launches the rpc and mountd daemons itself, hence nothing else should be needed.

/etc/krb5.keytab:
Holds keys for
Code:
nfs/server.domain.tld@DOMAIN.TLD
host/server.domain.tld@DOMAIN.TLD
host/client.domain.tld@DOMAIN.TLD

/etc/exports:
Code:
V4: /srv/media -sec=krb5p:krb5i:krb5
/srv/media/videos -sec=krb5p:krb5i:krb5 -network 0.0.0.0/0

❔3️⃣ client.domain.tld (host) - NFS client based on Kubuntu 25.10,
with sudo apt install krb5-user nfs-common,
and running
Code:
$ sudo systemctl status rpcbind rpc-svcgssd

● rpcbind.service - RPC bind portmap service
     Loaded: loaded (/usr/lib/systemd/system/rpcbind.service; enabled; preset: enabled)
     Active: active (running)
    
○ rpc-svcgssd.service - RPC security service for NFS server
     Loaded: loaded (/usr/lib/systemd/system/rpc-svcgssd.service; static)
     Active: inactive (dead)
       Docs: man:rpc.svcgssd(8)

and /etc/idmapd.conf contents:
Code:
[General]
Verbosity = 0
Domain = domain.tld


4️⃣ Debugging I've managed to do:
gssd on 2️⃣ is observed to get the host/client.domain.tld@ principal connecting/mapping.
mount -vvvv on 3️⃣ reports:
Code:
$ sudo mount -vvvv -t nfs4 -o sec=krb5p server.domain.tld:/videos /mnt/test
mount.nfs4: trying text-based options 'sec=krb5p,vers=4.2,addr=10.0.0.50,clientaddr=10.9.9.2'
mount.nfs4: mount(2): Permission denied
mount.nfs4: trying text-based options 'sec=krb5p,vers=4,minorversion=1,addr=10.0.0.50,clientaddr=10.9.9.2'
mount.nfs4: mount(2): Permission denied
mount.nfs4: trying text-based options 'sec=krb5p,vers=4,addr=10.0.0.50,clientaddr=10.9.9.2'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting server.domain.tld:/videos

journalctl -f on 3️⃣: kernel: RPC: server server.domain.tld requires stronger authentication.

klist on client 3️⃣ lists both user@DOMAIN.TLD and host/server.domain.tld@DOMAIN.TLD tickets.
On server 2️⃣ there is no other useful info in /var/log/messages or /var/log/daemon.log, even with an increased vfs.nfsd.debuglevel sysctl.
I've tried on another FreeBSD 15.0 box:
Code:
% doas mount -vvvv -t nfs -o nfsv4,sec=krb5p server.domain.tld:/videos /mnt/test/
but it errored with:
Code:
mount_nfs: nmount: /mnt/test, wrong security flavor
zroot/ROOT/default on / (zfs, local, noatime, nfsv4acls, fsid a1aa62bfde5be00c, vnodes: count 1031 )

and
Code:
% doas mount -vvvv -t nfs -o nfsv4,sec=krb5p,gssname=host server.domain.tld:/videos /mnt/test/
gave the error:
Code:
mount_nfs: nmount: /mnt/test: Permission denied

❗I feel like something is missing here... Dealing with user mapping, permissions or reading/writing files seems like the next step, after I get the FS to mount...
If you have experience with this, ping me please.
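As an added example (not from the original post, FreeBSD or any project), a small POSIX sh pre-flight script that checks the server-side pieces listed above: the rc.conf knobs, that /etc/sysctl.conf uses key=value form, that a keytab listing holds the nfs/<fqdn>@REALM service principal, and that every /etc/exports line restricts itself to Kerberos security flavors. The file layout, the keytab listing format and the sample contents are constructed assumptions.

```shell
#!/bin/sh
# Added pre-flight check for the FreeBSD 15 NFSv4 + Kerberos server pieces the
# post lists. It reads plain files; the inputs below are constructed samples.
# /etc/rc.conf must enable gssd, the NFS server, NFSv4 and nfsuserd.
check_rc_conf() {
    bad=0
    for knob in gssd_enable nfs_server_enable nfsv4_server_enable nfsuserd_enable; do
        grep -Eq "^[[:space:]]*$knob=\"?YES\"?" "$1" \
            || { echo "rc.conf: $knob=\"YES\" missing"; bad=1; }
    done
    return $bad
}

# /etc/sysctl.conf takes key=value lines; a 'sysctl key=value' command line is ignored.
check_sysctl_conf() {
    if grep -Eq '^[[:space:]]*sysctl[[:space:]]' "$1"; then
        echo "sysctl.conf: drop the leading 'sysctl ', the file wants key=value"; return 1
    fi
    grep -Eq '^[[:space:]]*vfs\.nfsd\.enable_stringtouid=1' "$1" \
        || { echo "sysctl.conf: vfs.nfsd.enable_stringtouid=1 missing"; return 1; }
}

# Keytab listing (assumed one principal per line) must hold nfs/<fqdn>@REALM.
check_keytab() { grep -q "nfs/$2@$3" "$1" || { echo "keytab: nfs/$2@$3 missing"; return 1; }; }

# Every non-comment exports line must carry -sec= listing only krb5, krb5i or krb5p.
check_exports() {
    awk 'BEGIN { bad = 0 }
         /^[ \t]*(#|$)/ { next }
         { seen = 0
           for (i = 1; i <= NF; i++) if ($i ~ /^-sec=/) {
               seen = 1; n = split(substr($i, 6), fl, ":")
               for (j = 1; j <= n; j++) if (fl[j] !~ /^krb5[ip]?$/) {
                   print "exports line " NR ": non-Kerberos flavor " fl[j]; bad = 1 } }
           if (!seen) { print "exports line " NR ": no -sec= (defaults to sys)"; bad = 1 } }
         END { exit bad }' "$1"
}

# Constructed samples mirroring the post (assumed paths, not taken from a live host).
D=$(mktemp -d)
printf 'gssd_enable="YES"\nnfs_server_enable="YES"\nnfsv4_server_only="YES"\n' > "$D/rc.conf"
printf 'nfsv4_server_enable="YES"\nnfsuserd_enable="YES"\n' >> "$D/rc.conf"
printf 'sysctl vfs.nfsd.enable_stringtouid=1\n' > "$D/sysctl.conf"   # the form shown in the post
printf 'nfs/server.domain.tld@DOMAIN.TLD\nhost/server.domain.tld@DOMAIN.TLD\n' > "$D/keytab.txt"
printf 'V4: /srv/media -sec=krb5p:krb5i:krb5\n' > "$D/exports"
printf '/srv/media/videos -sec=krb5p:krb5i:krb5 -network 0.0.0.0/0\n' >> "$D/exports"
check_rc_conf "$D/rc.conf" && check_keytab "$D/keytab.txt" server.domain.tld DOMAIN.TLD \
    && check_exports "$D/exports" && check_sysctl_conf "$D/sysctl.conf" \
    && echo "pre-flight OK" || echo "pre-flight found problems (see above)"
```

Point the four functions at the real /etc/rc.conf, /etc/sysctl.conf, a `ktutil list` dump and /etc/exports to run it against a host.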