samba winbind + waffle: bringing SSO to humans

Andrew Bartlett abartlet at
Fri Oct 15 21:21:46 MDT 2010

On Sat, 2010-10-09 at 14:03 -0400, dB. wrote: 
> Hi,
> Apologies if this is not the right list.
> There're a lot of people out there struggling with implementing SSO for their non-IIS web servers or non-Windows platforms as well as IIS. By that I don't just mean logon, but the entire AD infrastructure that gives you users' identity and their group memberships, including local groups, nested groups and support for Active Directory trusts. There're separate solutions for NTLMv2, Kerberos, etc., and Samba does a pretty good authentication job with mod_auth_ntlm_winbind, but the entry price to this game is too high and the feature set is not complete (where're my groups?).
> We've created the Waffle project ( that aims to do everything windows authentication, on Windows. We've got a nice interface for C# developers. We got a nice interface for Java developers and committed a lot of code into JNA to interface with SSPI. We got a set of filters for Tomcat, generic servlet servers and spring-security for humans. Those humans drop in Waffle in their Tomcat/Jetty/WebSphere web servers and get SSO, but only on Windows.
> If anyone implemented a Waffle IWindowsAuthProvider on top of Samba, that would make us a cross-platform solution for SSO. I am not quite qualified to do this, but maybe someone who knows Samba internals will finds this project interesting?
> I'd appreciate any opinions and 0.02c.

This very much fits in line with many of the things the team has been
trying to do for many years - indeed, ntlm_auth was originally built as
a great way to solve this for Squid.  Then we had a great interaction
between the two involved projects, and produced what is still the
recommended solution.

mod_ntlm_winbind is one of the examples where we hoped to provide a good
solution here, but have had less success - partly because it has been a
more 'one sided' affair (something that the Samba team has published,
and maintained itself)

That's why I'm so glad to hear your interest in this area. 

At the moment, on production versions of Samba, the best route is to
wrap ntlm_auth, and to specify the '--required-membership-of' parameter.

However, this isn't ideal in a generic library, and I think we should
expose the groups in some kind of extra command, as well and provide a
generic pipe-based connection to the abstract concept of 'use these
blobs to authenticate' in the same way we do over ntlm_auth.  (We were
wanting to do this for Samba's internal use anyway)

Andrew Bartlett

Andrew Bartlett                      
Authentication Developer, Samba Team 
Samba Developer, Cisco Inc.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 190 bytes
Desc: This is a digitally signed message part
URL: <>

More information about the samba-technical mailing list