How to implement SPNEGO

[FraFau]

Not really an issue but a how to need.

This is my context :
Debian server as client, WS20XX (>2k3) as AD DC

my forest tree is like this :
parentdomain
--childdomain1.parentdomain
--childomain2.parentdomain
....

Each subdomain can have multiple UPN suffixes.

I tried to set spn on DC from each parent & subdomain (with the same username in each domain & subdomain).
I generated all keytabs from each one and concatenate it with ktutil.
I used this keytab in my nginx conf

The problem is I just can use only one realm in my conf. (Maybe I'm wrong, is there a way to use many ? (Maybe I should use only the parentdomain realm ?)

When I try the spnego auth from one subdomain (with its own realm) the auth seems to work properly (but it seems the $_SERVER['REMOTE_USER'] isn't correctly filled by nginx...)

But when I try another one with many differents UPN suffixes, SPNEGO don't recognize the other UPN suffixes than the original one.
Is there a way to get this working ?

Any help will be much appreciated ! Thank you. PS : You'll find in attachment krb5.conf & nginx site conf
GLPI.SUBDOMAIN_UPNSUFFIX.conf.txt
krb5.conf.txt

[eladent]

Hi FraFau,
I Just thought about this after you asked on my blog.
One way to mitigate your problem might be to use multiple nginx reverse proxy (one per domain) with different access URL on the same server each redirecting to the main service :

user@domain1 -> domain1.yourservice.tld (auth with keytab1) -> yourservice.tld (no auth, just header forward)
user@domain2 -> domain2.yourservice.tld (auth with keytab2) -> yourservice.tld (no auth, just header forward)

...
Depending on your DNS infrastructure you might even be able to use the same domain alias on every sudomain.
It could be a pain to maintain depending on number of domains you have, but it should work.
You could also dig into domain approbation and work with only the root domain (but it might become a security issu).
Regards