When specifying "client ldap sasl wrapping = plain" in smb.conf the option "plain" appears to get ignored. Looking at the source code in ads_init() in source3/libads/ads_struct.c the problem appears to be a change made to use the "sasl_state" parameter as a flag which is or'd in to the "wrap_flags'. Since "plain" is defined as enum "0" it gets overridden by the sasl_state parameter and is ignored. Below is a patch that fixes it: ADS_STRUCT *ads_init(const char *realm, const char *workgroup, const char *ldap_server, enum ads_sasl_state_e sasl_state) { ... wrap_flags = lp_client_ldap_sasl_wrapping(); if (wrap_flags == -1) { wrap_flags = 0; } // PATCH // lp_client_ldap_sasl_wrapping returns '0' for 'plain' if (!wrap_flags) { sasl_state = ADS_SASL_PLAIN; } // PATCH END switch (sasl_state) { case ADS_SASL_PLAIN: break; case ADS_SASL_SIGN: wrap_flags |= ADS_AUTH_SASL_SIGN; break; case ADS_SASL_SEAL: wrap_flags |= ADS_AUTH_SASL_SEAL; break; } ads->auth.flags = wrap_flags;