diff --git a/paris-container.nix b/paris-container.nix
index d8c8e15..5d50300 100644
--- a/paris-container.nix
+++ b/paris-container.nix
@@ -35,6 +35,18 @@ in {
       default = [ ];
     };
 
+    kerberos = mkOption {
+      type = nullOr (submodule {
+        options = {
+          keytab = mkOption {
+            type = str;
+            description = "Location of Paris keytab.";
+          };
+        };
+      });
+      default = null;
+    };
+
     ldap = {
       image = mkOption {
         type = str;
@@ -266,11 +278,7 @@ in {
 
               pam = { reconnection_retries = 3; };
 
-              nss = {
-                filter_groups = "root";
-                filter_users = "root";
-                reconnection_retries = 3;
-              };
+              nss.reconnection_retries = 3;
 
               "domain/${cfg.ldap.domain}" = {
                 cache_credentials = true;