Jailed NAS: NFS and Kerberos

Dear FreeBSD Community!

I'm planning to set up a NAS (for my family, a mix of Windows, Linux and Mac OS clients) in a jail on my FreeBSD machine (which should replace my actual Linux-based home server step by step). So I prepared a jail with its own IP, set up Samba and joined our Active Directory - almost without problems.

So far so good. Next step: NFS

As I read in forums and mailing-list archives, it's not possible to run an NFS server inside a jail. There would be net/unfs3, but I would like to run NFSv4. So I thought about serving NFS from the host on the IP of the nas-jail. The thing I'm not sure about with this workaround is how to set up Kerberos properly, or rather whether it is even possible to set up Kerberos for such a setup.

+-------------------------+
| Host                    |
|                         |
|   NFS @                 |
|                         |
|   +-----------------+   |
|   | NAS (jail)      |   |
|   |                 |   |
|   |   SAMBA @       |   |
|   +-----------------+   |
+-------------------------+

Can anybody tell if/how this could work? Where do I set up the Kerberos NFS principals - on the host, the jail, both?

Or would it be better to do a whole different setup?

Thanks in advance
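For readers following the layout in the post, here is what the host-side part of that arrangement (nfsd on the host, bound only to the jail's address, with Kerberos-only exports) looks like in FreeBSD's rc.conf and exports files. This is an added illustration, not configuration from this thread or from the poster; the addresses, dataset paths, hostname and realm are placeholders, and the service principal name is an assumption about how the jail's hostname would be resolved.

```conf
# Added illustration (not from this thread): host-side configuration for
# NFSv4 served by the host but bound to the jail's IP, Kerberos required.
# 192.0.2.10, /tank/nas, nas.example.com and EXAMPLE.COM are placeholders.

# --- /etc/rc.conf on the host ---
rpcbind_enable="YES"
rpcbind_flags="-h 192.0.2.10"        # portmapper listens on the jail's IP only
nfs_server_enable="YES"
nfsv4_server_enable="YES"
nfs_server_flags="-h 192.0.2.10"     # nfsd listens on the jail's IP only
mountd_enable="YES"
mountd_flags="-h 192.0.2.10"
nfsuserd_enable="YES"                # NFSv4 owner/group name <-> id mapping
gssd_enable="YES"                    # RPCSEC_GSS (Kerberos) support for nfsd

# --- /etc/exports on the host ---
# NFSv4 root; only Kerberos flavours are accepted, AUTH_SYS is refused.
V4: /tank/nas -sec=krb5:krb5i:krb5p
/tank/nas/home -sec=krb5p -network 192.0.2.0/24

# --- /etc/krb5.keytab on the host ---
# gssd runs on the host, so the NFS service key has to be in the host's keytab.
# Assumed principal: nfs/nas.example.com@EXAMPLE.COM, where nas.example.com
# is the name clients use and it resolves to 192.0.2.10 (the jail's address).
```

Binding rpcbind, nfsd and mountd to the jail's address keeps the host's own addresses out of the picture for clients, and `-sec=krb5:krb5i:krb5p` without `sys` means a client that cannot present a Kerberos ticket gets no access at all rather than falling back to UID-based trust. Which of the three flavours to pick is a trade-off: krb5 authenticates only, krb5i adds integrity, krb5p also encrypts.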

Would you mind sharing what the intended purpose of the jail is? Typically a NAS is a dedicated machine. The host system manages all the storage-based stuff, including shares. Certain individual, potentially vulnerable services (namely those that broadcast to the Internet) might benefit from running within jails, but even the most basic NFS and Samba configurations shouldn't give anyone access to any of the inner workings of the host system, you're already using AD, and you plan to use Kerberos for the NFS shares. So it seems odd to run this whole thing in a jail. It's one more thing to configure and manage, and (as you've already learned) makes the more basic things harder to configure.

Thanks for your comment.

I guess the first reason for doing this for me would be the learning experience. I have several services that I want to migrate from a Linux machine to FreeBSD. The NAS (Samba, NFS, SFTP) would be the first of them.
Since there are a web server and a GitLab server left to migrate too, they might be a more sensible opportunity for that.