I think you are correct: to me, a NAS is a box with disks, and only a resource to my virtual environment. No user will ever have direct access to it unless it is an IT admin with a specific configuration task. I sleep better that way 
I have been looking at the features that True/Free nas offer aside from being a NAS an have been wondering why someone would ever want to use a NAS for that, and not a virtual machine on it, if only for security reasons.
I just checked; I never even bothered to tie the AD into the NAS, or failed as well when setting up the certificates. There is a partial config there and it has TLS off. Crap … now I need to solve this to sleep again 
Edit: seems straight forward enough, but indeed requires valid certs, not self signed ones. To get AD running with proper certs, you could follow my example and add the FQDN for the samba container (nsdc-server.domain.tld) to the let’s encrypt cert for the Netserver host running the samba container. Then copy the letsencrypt cert to the container, replacing the self-signed one.
This works afaik and checked. Havent tried to add a True- of FreeNAS yet, will investigate monday … have some testing to do now 