samba winbind + waffle: bringing SSO to humans

Sat Oct 9 12:03:54 MDT 2010


Apologies if this is not the right list.

There're a lot of people out there struggling with implementing SSO for their non-IIS web servers or non-Windows platforms as well as IIS. By that I don't just mean logon, but the entire AD infrastructure that gives you users' identity and their group memberships, including local groups, nested groups and support for Active Directory trusts. There're separate solutions for NTLMv2, Kerberos, etc., and Samba does a pretty good authentication job with mod_auth_ntlm_winbind, but the entry price to this game is too high and the feature set is not complete (where're my groups?).

We've created the Waffle project ( that aims to do everything Windows authentication, on Windows. We've got a nice interface for C# developers. We got a nice interface for Java developers and committed a lot of code into JNA to interface with SSPI. We got a set of filters for Tomcat, generic servlet servers and spring-security for humans. Those humans drop in Waffle in their Tomcat/Jetty/WebSphere web servers and get SSO, but only on Windows.

If anyone implemented a Waffle IWindowsAuthProvider on top of Samba, that would make us a cross-platform solution for SSO. I am not quite qualified to do this, but maybe someone who knows Samba internals will find this project interesting?

I'd appreciate any opinions and 0.02c.


