This option defines whether LDAP traffic will be signed, or signed and encrypted (sealed). Possible values are plain, sign and seal.

The values sign and seal are only available if Samba has been compiled against a modern OpenLDAP version (2.3.x or higher).

This option is needed firstly to secure the privacy of administrative connections from samba-tool, including in particular new or reset passwords for users. For this reason the default is seal.

Additionally, winbindd and the net tool can use LDAP to communicate with Domain Controllers, so this option also controls the level of privacy for those connections. All supported AD DC versions will enforce the usage of at least signed LDAP connections by default, so a value of at least sign is required in practice.

The default value is seal. That implies synchronizing the time with the KDC in the case of using Kerberos.
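A configuration check for this setting, as an added example that is not part of the original documentation or of Samba itself. It assumes the option described above is the `client ldap sasl wrapping` parameter in the `[global]` section of smb.conf; the sample configurations and the ok/warn/fail grading are constructed for illustration.

```python
import re

PARAM = "clientldapsaslwrapping"  # assumed name: "client ldap sasl wrapping"
DEFAULT = "seal"                  # default stated in the text above
VALID = {"plain", "sign", "seal"}

# Constructed sample configurations (not taken from a real system).
SAMPLE_WEAK = "[global]\n  workgroup = EXAMPLE\n  Client LDAP SASL Wrapping = plain\n"
SAMPLE_SIGN = "[global]\n  client ldap sasl \\\n  wrapping = sign\n"
SAMPLE_DEFAULT = "[global]\n  ; client ldap sasl wrapping = plain\n[share]\n  client ldap sasl wrapping = plain\n"


def effective_wrapping(conf_text):
    """Return the value set in [global], or DEFAULT when it is not set."""
    value, section = DEFAULT, None
    text = re.sub(r"\\\r?\n", "", conf_text)  # join backslash-continued lines
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        name, val = line.split("=", 1)
        # smb.conf ignores case and whitespace in parameter names.
        if re.sub(r"\s+", "", name).lower() == PARAM:
            value = val.strip().lower()        # a later line overrides an earlier one
    return value


def audit(conf_text):
    """Classify the effective setting as ok, warn, fail or invalid."""
    value = effective_wrapping(conf_text)
    if value not in VALID:
        return value, "invalid"
    if value == "plain":
        return value, "fail"   # neither signed nor sealed
    if value == "sign":
        return value, "warn"   # signed only: no privacy for password changes
    return value, "ok"


if __name__ == "__main__":
    for sample in (SAMPLE_WEAK, SAMPLE_SIGN, SAMPLE_DEFAULT):
        print(audit(sample))
```

On a host with Samba installed, the value Samba itself resolves is authoritative; this parser only reads the file text and does not follow include directives.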