Description of problem:
MS advisory announced an update due in a couple of months, requiring LDAP signing and channel binding by default. This will break the Samba client when configured with "ldap ssl ads = yes", since Samba uses SASL authentication (Kerberos, not simple auth).

Note: currently, to get "ldap ssl ads = yes" working against a Windows DC you must also set "client ldap sasl wrapping = plain", as Windows does not allow SASL wrapping over TLS.

How reproducible:
Always

Steps to Reproduce:
1. Configure "ldap ssl ads = yes" and "client ldap sasl wrapping = plain" and make sure the net-ads-search command works against AD.
2. Enable the require-signing GPO and set the registry value LdapEnforceChannelBinding=2 per ADV190023.
3. Run the net-ads command and see that it fails.

$ net ads -U"administrator%Secret123" -d3 search cn=admin
Successfully contacted LDAP server 192.168.0.120
Connected to LDAP server adc.ACME.COM
StartTLS issued: using a TLS connection
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.30
ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2.3
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed for ldap/adc.acme.com with user[administrator] realm[ACME.COM]: Invalid credentials
ads_sasl_spnego_gensec_bind(KRB5) failed for ldap/adc.acme.com with user[administrator] realm=[ACME.COM]: Invalid credentials
return code = -1
Note, to get "ldap ssl ads = yes" working you'd also need to install the CA certificate or set "TLS_REQCERT allow" in ldap.conf for testing.
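As an added example (not code from the bug report or from Samba), a small Python check that reads an smb.conf and flags the settings discussed here: "ldap ssl ads = yes" (since removed upstream), its required companion "client ldap sasl wrapping = plain" against Windows DCs, and the fact that this pair cannot satisfy a DC enforcing signing and channel binding. The sample smb.conf is constructed; parameter-name normalisation mirrors Samba ignoring case and whitespace in option names.

```python
import configparser

# Constructed sample smb.conf reproducing the configuration from the bug report.
SAMPLE_CONF = """\
[global]
   workgroup = ACME
   realm = ACME.COM
   security = ads
   ldap ssl ads = yes
   client ldap sasl wrapping = plain
"""


def _norm(name):
    # Samba ignores case and whitespace when matching parameter names.
    return "".join(name.split()).lower()


def _is_yes(value):
    return value.strip().lower() in ("yes", "true", "1")


def audit_smb_conf(text):
    """Return findings for the [global] section of an smb.conf string."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = _norm  # normalise keys the way Samba does
    cp.read_string(text)
    findings = []
    if not cp.has_section("global"):
        return findings
    g = cp["global"]
    ssl_ads = _is_yes(g.get("ldapsslads", "no"))
    wrapping = g.get("clientldapsaslwrapping", "").strip().lower()
    if ssl_ads:
        findings.append("ldap ssl ads = yes: option has been removed upstream")
        if wrapping == "plain":
            findings.append("ldap ssl ads + client ldap sasl wrapping = plain: "
                            "SASL bind over TLS without channel binding; rejected "
                            "once the DC requires signing and LdapEnforceChannelBinding=2")
        else:
            findings.append("ldap ssl ads without client ldap sasl wrapping = plain: "
                            "Windows DCs do not allow SASL wrapping over TLS")
    return findings


if __name__ == "__main__":
    for finding in audit_smb_conf(SAMPLE_CONF):
        print(finding)
```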
The "ldap ssl ads" option has been removed upstream, so this work is irrelevant for samba, closing.