Bug 14259 - Option "plain" for "client ldap sasl wrapping" in smb.conf being ignored
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.11.4
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
Depends on:
Reported: 2020-01-31 17:29 UTC by mzeis1409
Modified: 2020-01-31 17:29 UTC
Description mzeis1409 2020-01-31 17:29:46 UTC
When specifying "client ldap sasl wrapping = plain" in smb.conf, the option "plain" appears to get ignored.

Looking at the source code in ads_init() in source3/libads/ads_struct.c, the problem appears to be a change made to use the "sasl_state" parameter as a flag which is or'd in to the "wrap_flags".

Since "plain" is defined as enum "0" it gets overridden by the sasl_state parameter and is ignored.

Below is a patch that fixes it:

ADS_STRUCT *ads_init(const char *realm,
             const char *workgroup,
             const char *ldap_server,
             enum ads_sasl_state_e sasl_state)
{
    /* ... declarations and setup omitted ... */

    wrap_flags = lp_client_ldap_sasl_wrapping();
    if (wrap_flags == -1) {
        wrap_flags = 0;
    }

    // PATCH
    // lp_client_ldap_sasl_wrapping returns '0' for 'plain'
    if (!wrap_flags) {
        sasl_state = ADS_SASL_PLAIN;
    }
    // PATCH END

    switch (sasl_state) {
    case ADS_SASL_PLAIN:
        break;
    case ADS_SASL_SIGN:
        wrap_flags |= ADS_AUTH_SASL_SIGN;
        break;
    case ADS_SASL_SEAL:
        wrap_flags |= ADS_AUTH_SASL_SEAL;
        break;
    }

    ads->auth.flags = wrap_flags;

    /* ... rest of ads_init() omitted ... */
}
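
Added example, not part of the original report and not Samba's own code: a standalone C model of the flag computation in the snippet above, comparing the reported behaviour with the patched one for every setting/caller combination. The numeric flag values, the `configured` parameter (standing in for the return value of lp_client_ldap_sasl_wrapping()) and the `patched` switch are assumptions of this model; because -1 is normalised to 0 before the patched check, it also shows that the patch treats an unset value the same as "plain".

```c
#include <stdio.h>

/* Stand-ins for this model: names follow the snippet in the report,
 * numeric flag values are assumed for illustration. */
enum ads_sasl_state_e { ADS_SASL_PLAIN, ADS_SASL_SIGN, ADS_SASL_SEAL };
#define ADS_AUTH_SASL_SIGN 0x0020
#define ADS_AUTH_SASL_SEAL 0x0040

/* configured: hypothetical stand-in for lp_client_ldap_sasl_wrapping()
 * (-1 = unset, 0 = plain, or one of the flags above).
 * patched: non-zero applies the reporter's "if (!wrap_flags)" override. */
int compute_wrap_flags(int configured, enum ads_sasl_state_e sasl_state,
                       int patched)
{
    int wrap_flags = configured;

    if (wrap_flags == -1) {
        wrap_flags = 0;
    }
    if (patched && !wrap_flags) {
        sasl_state = ADS_SASL_PLAIN;
    }
    switch (sasl_state) {
    case ADS_SASL_PLAIN:
        break;
    case ADS_SASL_SIGN:
        wrap_flags |= ADS_AUTH_SASL_SIGN;
        break;
    case ADS_SASL_SEAL:
        wrap_flags |= ADS_AUTH_SASL_SEAL;
        break;
    }
    return wrap_flags;
}

int main(void)
{
    const int configs[] = { -1, 0, ADS_AUTH_SASL_SIGN, ADS_AUTH_SASL_SEAL };
    const char *names[] = { "unset", "plain", "sign", "seal" };
    const char *states[] = { "PLAIN", "SIGN", "SEAL" };

    printf("%-6s %-6s %-8s %s\n", "conf", "caller", "before", "patched");
    for (int c = 0; c < 4; c++) {
        for (int s = ADS_SASL_PLAIN; s <= ADS_SASL_SEAL; s++) {
            printf("%-6s %-6s 0x%04x   0x%04x\n", names[c], states[s],
                   (unsigned)compute_wrap_flags(configs[c], s, 0),
                   (unsigned)compute_wrap_flags(configs[c], s, 1));
        }
    }
    return 0;
}
```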