You don’t need LDAP or AD. Kerberos is a separate thing and nowhere near as insane as LDAP. Though it’s right that they are often combined (in AD for example). However, it’s also a purely authentication system, so no permission controls or anything except for kadmin, from what I can tell.
If I’m not forgetting anything, you need to do pretty much 3 things:
either set up some DNS entries for autodiscovery of your kdc, or install a config file on each host (you probably want the config file either way to set the default realm so you don’t have to type it when logging in, but DNS makes it optional)
set up user principals (you need this for samba too)
create a principal for the NFS service
(Apparently you also need host principals for each machine that wants to connect to NFS, but my macbook can log in and mount the NFS share without a host principal, so maybe not. Still looking into that because I do actually want that for non-home-network purposes.)
Kerberos is the simple password authentication if you use it by itself. Sure, it does stuff that isn’t needed in a small home network such as multi-realm support, and they could have probably either built another authentication system for NFS like Samba’s, or make something that could authenticate users via SSH, but there’s probably a reason for that not being added until now. I assume it at least partially has to do with system-wide mounts.
And Kerberos really isn’t that bad. I set it up in under a day and most of that was spent debugging mounting NFS not working (which was finally solved by a reboot of the NFS server, still not sure what that was about >_>).