Does "client ldap sasl wrapping = sign" specify the min that is allowed or the max we can deal with?

Stefan (metze) Metzmacher metze at
Fri Jul 22 01:48:41 MDT 2011

Hi Richard,

> In looking at the parameter "ldap sasl wrapping" I see the following:
> "The client ldap sasl wrapping defines whether ldap traffic will be
> signed or signed and encrypted (sealed). Possible values are plain,
> sign and seal. "
> Is the value specified the minumum that Samba will use, or the max
> that it can use?
> That is, if I specify "seal" will Samba/Winbindd still work if the ADS
> servers use plain or seal?

It's up to the client to negotiate what it wants, so it's an absolute value.
We'll use what you configure. As far as I know all AD servers support seal.
Note: for ntlmssp we'll use seal if you specify sign, as windows servers
are broken.
With kerberos sign only works fine.

In 3.6.0 we have more magic, if we get LDAP_STRONG_AUTH_REQUIRED from
the server
we autoupgrade to sign (seal for ntlmssp).


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 262 bytes
Desc: OpenPGP digital signature
URL: <>

More information about the samba-technical mailing list