-rw-r--r--docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml8
-rw-r--r--lib/param/loadparm.c2
-rw-r--r--source3/param/loadparm.c2
3 files changed, 7 insertions, 5 deletions
diff --git a/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml b/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml
index 076b05ca164..e0ce700079b 100644
--- a/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml
+++ b/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml
@@ -34,11 +34,9 @@
</para>
<para>
- The default value is <emphasis>plain</emphasis> which is not irritable
- to KRB5 clock skew errors. That implies synchronizing the time
- with the KDC in the case of using <emphasis>sign</emphasis> or
- <emphasis>seal</emphasis>.
+ The default value is <emphasis>sign</emphasis>. That implies synchronizing the time
+ with the KDC in the case of using <emphasis>Kerberos</emphasis>.
</para>
</description>
-<value type="default">plain</value>
+<value type="default">sign</value>
</samba:parameter>
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 7b86a1eeb6d..9953053569a 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2665,6 +2665,8 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
lpcfg_do_global_parameter(lp_ctx, "ldap debug threshold", "10");
+ lpcfg_do_global_parameter(lp_ctx, "client ldap sasl wrapping", "sign");
+
lpcfg_do_global_parameter(lp_ctx, "follow symlinks", "yes");
lpcfg_do_global_parameter(lp_ctx, "machine password timeout", "604800");
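Review bot: The new default is set here as the string `"sign"` and again in the source3/param/loadparm.c hunk as `ADS_AUTH_SASL_SIGN` in init_globals, with nothing tying the two sites or the documented default together, so a later change to one can silently leave the other behind. A short comment at both sites would help, for example `/* default must match source3 init_globals() and clientldapsaslwrapping.xml */`. The same comment should say that sign gives integrity protection only and that confidentiality needs `seal`, so the new default is not read as encrypting LDAP traffic. Both loadparm_init and init_globals continue outside their hunks.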
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 94d3b8de574..5ab0de71104 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -739,6 +739,8 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
Globals.ldap_debug_level = 0;
Globals.ldap_debug_threshold = 10;
+ Globals.client_ldap_sasl_wrapping = ADS_AUTH_SASL_SIGN;
+
/* This is what we tell the afs client. in reality we set the token
* to never expire, though, when this runs out the afs client will
* forget the token. Set to 0 to get NEVERDATE.*/