Description of problem:

MS advisory announced an update due in a couple of months, requiring ldap-signing and channel-binding by default, this will break samba client when configured with "ldap ssl ads = yes" since samba use sasl authentication (kerberos, not simple auth).

Note: currently to get  "ldap ssl ads = yes" working against Windows DC you must also set "client ldap sasl wrapping = plain" as windows does not allow sasl-wrapping over TLS.

How reproducible:

Always

Steps to Reproduce:
1. configure "ldap ssl ads = yes" and "client ldap sasl wrapping = plain" and make sure net-ads-search command works against AD.
2. Enable the require signing GPO and set registry LdapEnforceChannelBinding=2 per ADV190023.
3. run net-ads command, see that it fails.

$ net ads -U"administrator@ACME.COM%Secret123" -d3 search cn=admin

Successfully contacted LDAP server 192.168.0.120
Connected to LDAP server adc.ACME.COM
StartTLS issued: using a TLS connection
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.30
ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2.3
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed for ldap/adc.acme.com with user[administrator] realm[ACME.COM]: Invalid credentials
ads_sasl_spnego_gensec_bind(KRB5) failed for ldap/adc.acme.com with user[administrator] realm=[ACME.COM]: Invalid credentials
return code = -1