Description of problem:
A Microsoft advisory announced an update, due in a couple of months, that will require LDAP signing and channel binding by default. This will break the Samba client when it is configured with "ldap ssl ads = yes", since Samba uses SASL authentication (Kerberos, not simple auth).
Note: currently, to get "ldap ssl ads = yes" working against a Windows DC you must also set "client ldap sasl wrapping = plain", as Windows does not allow SASL wrapping over TLS.
Steps to Reproduce:
1. Configure "ldap ssl ads = yes" and "client ldap sasl wrapping = plain" and make sure the net ads search command works against AD.
2. Enable the "require signing" GPO and set the registry value LdapEnforceChannelBinding=2, per ADV190023.
3. Run the net ads command and see that it fails.
$ net ads -U"administrator@ACME.COM%Secret123" -d3 search cn=admin
Successfully contacted LDAP server 192.168.0.120
Connected to LDAP server adc.ACME.COM
StartTLS issued: using a TLS connection
ads_sasl_spnego_bind: got OID=18.104.22.168.4.1.322.214.171.124
ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.1135126.96.36.199
ads_sasl_spnego_bind: got OID=1.2.840.1135188.8.131.52.3
ads_sasl_spnego_bind: got OID=184.108.40.206.4.1.3220.127.116.11
kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed for ldap/adc.acme.com with user[administrator] realm[ACME.COM]: Invalid credentials
ads_sasl_spnego_gensec_bind(KRB5) failed for ldap/adc.acme.com with user[administrator] realm=[ACME.COM]: Invalid credentials
return code = -1
Note: to get "ldap ssl ads = yes" working you also need to install the CA certificate, or set "TLS_REQCERT allow" in ldap.conf for testing.
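To find hosts that carry the client setup from step 1 before the DC-side enforcement is turned on, the following added example (not part of the original report and not Samba code) parses an smb.conf and reports whether [global] sets both parameters as described. The function names and the sample configuration are constructed for illustration.

```python
import re

# Boolean spellings treated as "true" for an smb.conf parameter.
TRUE_VALUES = {"yes", "true", "on", "1"}

# Constructed sample configuration, not taken from the report.
SAMPLE = """\
[global]
    realm = ACME.COM
    LDAP SSL ADS = Yes
    client ldap sasl wrapping = plain
[share]
    path = /srv/share
"""


def parse_global(text):
    """Return the [global] parameters of an smb.conf as {normalized_name: value}."""
    params, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):            # trailing backslash continues the line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":    # blank line or comment line
            continue
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # Parameter names are case-insensitive and ignore whitespace.
            params[re.sub(r"\s+", "", name).lower()] = value.strip()
    return params


def matches_reported_setup(text):
    """True when [global] has ldap ssl ads enabled with plain SASL wrapping."""
    params = parse_global(text)
    tls_on = params.get("ldapsslads", "no").lower() in TRUE_VALUES
    plain = params.get("clientldapsaslwrapping", "").lower() == "plain"
    return tls_on and plain


if __name__ == "__main__":
    print("matches reported setup:", matches_reported_setup(SAMPLE))
```

On a real host, pass the contents of the active smb.conf to matches_reported_setup() instead of SAMPLE.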