Kerberos tickets for service accounts and NFSv4 id mapping

I have a Synology NAS that I’m trying to access over NFS from a couple of systems running Arch Linux (a laptop and a server). I’d like to get NFSv4 id mapping working so that I don’t have to align the user ids between all these systems, and also so that there’s some modicum of security. I’ve set up a Kerberos KDC on the Arch server and configured the NAS and both the laptop and server NFS clients to perform id mapping using sec=krb5 for authentication. This seems to be working as intended for my own user account after much fiddling – I can run kinit to authenticate as myself and the files I own are mapped properly.

Now onto my question: I’d also like to do id mapping for an account that exists on my server only for running a service and can’t be logged into (specifically the plex account running Plex Media Server). Is there a good way to get a Kerberos ticket for accounts like this?

I considered getting a ticket from a keytab for the plex account, somewhat like what’s described here, but I’m not sure that would work since the ticket would eventually expire. Ideally whatever I do for the plex user would be permanent. Is something like this possible? I’m quite new to Kerberos. I know there’s a concept of “service principals” that might be applicable here, but as I understand it that would need to be implemented as part of the Plex software; I couldn’t just associate it with the plex account and have it work.