diff --git a/sys/kgssapi/gss_delete_sec_context.c.vnet b/sys/kgssapi/gss_delete_sec_context.c
--- a/sys/kgssapi/gss_delete_sec_context.c.vnet
+++ b/sys/kgssapi/gss_delete_sec_context.c
@@ -31,6 +31,7 @@
 __FBSDID("$FreeBSD$");
 
 #include <sys/param.h>
+#include <sys/jail.h>
 #include <sys/kernel.h>
 #include <sys/kobj.h>
 #include <sys/lock.h>
@@ -54,8 +55,12 @@
 
 	*minor_status = 0;
 
-	if (!kgss_gssd_handle)
+	KGSS_CURVNET_SET_QUIET(KGSS_TD_TO_VNET(curthread));
+	if (!KGSS_VNET(kgss_gssd_handle)) {
+		KGSS_CURVNET_RESTORE();
 		return (GSS_S_FAILURE);
+	}
+	KGSS_CURVNET_RESTORE();
 
 	if (*context_handle) {
 		ctx = *context_handle;
diff --git a/sys/kgssapi/gss_impl.c.vnet b/sys/kgssapi/gss_impl.c
--- a/sys/kgssapi/gss_impl.c.vnet
+++ b/sys/kgssapi/gss_impl.c
@@ -31,6 +31,7 @@
 __FBSDID("$FreeBSD$");
 
 #include <sys/param.h>
+#include <sys/jail.h>
 #include <sys/kernel.h>
 #include <sys/kobj.h>
 #include <sys/lock.h>
@@ -38,6 +39,7 @@
 #include <sys/module.h>
 #include <sys/mutex.h>
 #include <sys/priv.h>
+#include <sys/proc.h>
 #include <sys/syscall.h>
 #include <sys/sysent.h>
 #include <sys/sysproto.h>
@@ -62,9 +64,10 @@
 };
 
 struct kgss_mech_list kgss_mechs;
-CLIENT *kgss_gssd_handle;
 struct mtx kgss_gssd_lock;
 
+KGSS_VNET_DEFINE(CLIENT *, kgss_gssd_handle) = NULL;
+
 static int
 kgss_load(void)
 {
@@ -124,10 +127,12 @@
 	} else
 		cl = NULL;
 
+	KGSS_CURVNET_SET_QUIET(KGSS_TD_TO_VNET(curthread));
 	mtx_lock(&kgss_gssd_lock);
-	oldcl = kgss_gssd_handle;
-	kgss_gssd_handle = cl;
+	oldcl = KGSS_VNET(kgss_gssd_handle);
+	KGSS_VNET(kgss_gssd_handle) = cl;
 	mtx_unlock(&kgss_gssd_lock);
+	KGSS_CURVNET_RESTORE();
 
 	if (oldcl != NULL) {
 		CLNT_CLOSE(oldcl);
@@ -239,12 +244,16 @@
 	enum clnt_stat stat;
 	OM_uint32 maj_stat;
 
-	if (!kgss_gssd_handle)
+	KGSS_CURVNET_SET_QUIET(KGSS_TD_TO_VNET(curthread));
+	if (!KGSS_VNET(kgss_gssd_handle)) {
+		KGSS_CURVNET_RESTORE();
 		return (GSS_S_FAILURE);
+	}
 
 	args.ctx = ctx->handle;
 	bzero(&res, sizeof(res));
-	stat = gssd_export_sec_context_1(&args, &res, kgss_gssd_handle);
+	stat = gssd_export_sec_context_1(&args, &res, KGSS_VNET(kgss_gssd_handle));
+	KGSS_CURVNET_RESTORE();
 	if (stat != RPC_SUCCESS) {
 		return (GSS_S_FAILURE);
 	}
@@ -278,11 +287,13 @@
 {
 	CLIENT *cl;
 
+	KGSS_CURVNET_SET_QUIET(KGSS_TD_TO_VNET(curthread));
 	mtx_lock(&kgss_gssd_lock);
-	cl = kgss_gssd_handle;
+	cl = KGSS_VNET(kgss_gssd_handle);
 	if (cl != NULL)
 		CLNT_ACQUIRE(cl);
 	mtx_unlock(&kgss_gssd_lock);
+	KGSS_CURVNET_RESTORE();
 	return (cl);
 }
 
diff --git a/sys/kgssapi/gss_release_cred.c.vnet b/sys/kgssapi/gss_release_cred.c
--- a/sys/kgssapi/gss_release_cred.c.vnet
+++ b/sys/kgssapi/gss_release_cred.c
@@ -31,6 +31,7 @@
 __FBSDID("$FreeBSD$");
 
 #include <sys/param.h>
+#include <sys/jail.h>
 #include <sys/kernel.h>
 #include <sys/kobj.h>
 #include <sys/lock.h>
@@ -52,8 +53,12 @@
 
 	*minor_status = 0;
 
-	if (!kgss_gssd_handle)
+	KGSS_CURVNET_SET_QUIET(KGSS_TD_TO_VNET(curthread));
+	if (!KGSS_VNET(kgss_gssd_handle)) {
+		KGSS_CURVNET_RESTORE();
 		return (GSS_S_FAILURE);
+	}
+	KGSS_CURVNET_RESTORE();
 
 	if (*cred_handle) {
 		args.cred = (*cred_handle)->handle;
diff --git a/sys/kgssapi/gss_release_name.c.vnet b/sys/kgssapi/gss_release_name.c
--- a/sys/kgssapi/gss_release_name.c.vnet
+++ b/sys/kgssapi/gss_release_name.c
@@ -31,6 +31,7 @@
 __FBSDID("$FreeBSD$");
 
 #include <sys/param.h>
+#include <sys/jail.h>
 #include <sys/kernel.h>
 #include <sys/kobj.h>
 #include <sys/lock.h>
@@ -53,8 +54,12 @@
 
 	*minor_status = 0;
 
-	if (!kgss_gssd_handle)
+	KGSS_CURVNET_SET_QUIET(KGSS_TD_TO_VNET(curthread));
+	if (!KGSS_VNET(kgss_gssd_handle)) {
+		KGSS_CURVNET_RESTORE();
 		return (GSS_S_FAILURE);
+	}
+	KGSS_CURVNET_RESTORE();
 
 	if (*input_name) {
 		name = *input_name;
diff --git a/sys/kgssapi/gssapi_impl.h.vnet b/sys/kgssapi/gssapi_impl.h
--- a/sys/kgssapi/gssapi_impl.h.vnet
+++ b/sys/kgssapi/gssapi_impl.h
@@ -54,9 +54,38 @@
 };
 LIST_HEAD(kgss_mech_list, kgss_mech);
 
-extern CLIENT *kgss_gssd_handle;
+/* Macros for VNET_NFSD. */
+#ifdef VNET_NFSD
+#if !defined(VIMAGE)
+options VNET_NFSD also requires options VIMAGE
+#endif
+/* Just define the VNET_KGSSxxx() macros as VNETxxx() macros. */
+#define	KGSS_VNET_DEFINE(t, n)		VNET_DEFINE(t, n)
+#define	KGSS_VNET_DEFINE_STATIC(t, n)	VNET_DEFINE_STATIC(t, n)
+#define	KGSS_VNET_DECLARE(t, n)		VNET_DECLARE(t, n)
+#define	KGSS_VNET(n)			VNET(n)
+
+#define	KGSS_CURVNET_SET(n)		CURVNET_SET(n)
+#define	KGSS_CURVNET_SET_QUIET(n)	CURVNET_SET_QUIET(n)
+#define	KGSS_CURVNET_RESTORE()		CURVNET_RESTORE()
+#define	KGSS_TD_TO_VNET(n)		TD_TO_VNET(n)
+#else	/* !VNET_NFSD */
+/* Define the KGSS_VNET macros similar to !VIMAGE. */
+#define	KGSS_VNET_DEFINE(t, n)		t n
+#define	KGSS_VNET_DEFINE_STATIC(t, n)	static t n
+#define	KGSS_VNET_DECLARE(t, n)		extern t n
+#define	KGSS_VNET(n)			(n)
+
+#define	KGSS_CURVNET_SET(n)
+#define	KGSS_CURVNET_SET_QUIET(n)
+#define	KGSS_CURVNET_RESTORE()
+#define	KGSS_TD_TO_VNET(n)		NULL
+#endif	/* VNET_NFSD */
+
 extern struct mtx kgss_gssd_lock;
 extern struct kgss_mech_list kgss_mechs;
+
+KGSS_VNET_DECLARE(CLIENT *, kgss_gssd_handle);
 
 CLIENT *kgss_gssd_client(void);
 int kgss_oid_equal(const gss_OID oid1, const gss_OID oid2);