samba winbind + waffle: bringing SSO to humans

dB. dblock at
Wed Oct 27 06:08:28 MDT 2010

I am glad to hear that the Samba team is interested, now the big question is whether anyone on the Samba team is going to write some code ;)

It would be nice if someone motivated and qualified could take a stab at implementing a waffle IWindowsAuthProvider (Java code that uses JNA for native access) and exposing the buffer-level functions in Samba's SSPI-level libraries.

dB. @ 
Moscow|Geneva|Seattle|New York

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at] 
Sent: Friday, October 15, 2010 11:22 PM
To: dB.
Cc: samba-technical at
Subject: Re: samba winbind + waffle: bringing SSO to humans

On Sat, 2010-10-09 at 14:03 -0400, dB. wrote: 
> Hi,
> Apologies if this is not the right list.
> There're a lot of people out there struggling with implementing SSO for their non-IIS web servers or non-Windows platforms as well as IIS. By that I don't just mean logon, but the entire AD infrastructure that gives you users' identity and their group memberships, including local groups, nested groups and support for Active Directory trusts. There're separate solutions for NTLMv2, Kerberos, etc., and Samba does a pretty good authentication job with mod_auth_ntlm_winbind, but the entry price to this game is too high and the feature set is not complete (where're my groups?).
> We've created the Waffle project ( that aims to do everything windows authentication, on Windows. We've got a nice interface for C# developers. We got a nice interface for Java developers and committed a lot of code into JNA to interface with SSPI. We got a set of filters for Tomcat, generic servlet servers and spring-security for humans. Those humans drop in Waffle in their Tomcat/Jetty/WebSphere web servers and get SSO, but only on Windows.
> If anyone implemented a Waffle IWindowsAuthProvider on top of Samba, that would make us a cross-platform solution for SSO. I am not quite qualified to do this, but maybe someone who knows Samba internals will finds this project interesting?
> I'd appreciate any opinions and 0.02c.

This very much fits in line with many of the things the team has been trying to do for many years - indeed, ntlm_auth was originally built as a great way to solve this for Squid.  Then we had a great interaction between the two involved projects, and produced what is still the recommended solution.

mod_ntlm_winbind is one of the examples where we hoped to provide a good solution here, but have had less success - partly because it has been a more 'one sided' affair (something that the Samba team has published, and maintained itself)

That's why I'm so glad to hear your interest in this area. 

At the moment, on production versions of Samba, the best route is to wrap ntlm_auth, and to specify the '--required-membership-of' parameter.

However, this isn't ideal in a generic library, and I think we should expose the groups in some kind of extra command, as well and provide a generic pipe-based connection to the abstract concept of 'use these blobs to authenticate' in the same way we do over ntlm_auth.  (We were wanting to do this for Samba's internal use anyway)

Andrew Bartlett

Andrew Bartlett                      
Authentication Developer, Samba Team 
Samba Developer, Cisco Inc.

More information about the samba-technical mailing list