Add fallback to SIMPLE bind when NTLM fails (e.g. userWorkstations restriction) #80

Merged 2 commits on Jul 17, 2025

Dramelac
Member

Original PR on fortra/impacket: fortra#1971

While working in an Active Directory environment, I encountered an issue where Impacket tools like rbcd.py failed to perform an LDAP bind, even though the credentials were valid.

The tool was returning:

1

After investigation, I found that the failure was caused by the userWorkstations LDAP attribute being set for the user. This attribute restricts which machines the user can log on from. Since NTLM authentication includes the client's hostname, the Domain Controller applied this restriction and rejected the bind.

Example of a user with userWorkstations: dc02 set:

2

As a workaround, I modified the _init_ldap_connection() function to:

  • Attempt an NTLM bind first.
  • If it fails, print the LDAP error code (e.g. data 531) and fall back to a SIMPLE bind.

This allowed the bind to succeed, as shown here:

3

Summary of changes:

  • Added a fallback to ldap3.SIMPLE if NTLM fails
  • Added debug output for NTLM bind failures (LDAP error code + human-readable explanation)

⚠️ Note: SIMPLE bind sends credentials in plain text unless LDAPS is used. Use with caution and only when appropriate. This change has also been applied to other LDAP-based tools in Impacket, including dacledit.py and owneredit.py, to improve reliability in similar environments.

@ShutdownRepo ShutdownRepo merged commit b6a3a36 into ThePorgs:main Jul 17, 2025
8 checks passed
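
The bind order described in the pull request, as an added example that is not code from this pull request or from Impacket: it parses the Active Directory sub-code (the `data 531` field) out of a failed bind's diagnostic message and only falls back to SIMPLE when the connection is LDAPS. The function names, the injected bind callables, the LDAPS-only restriction and the sample message are assumptions made for this example.

```python
import re

# Well-known AD sub-codes carried in the "data NNN" field of a failed bind.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

_DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")


def explain_bind_failure(message):
    """Return (subcode, explanation) parsed from an AD bind diagnostic message."""
    m = _DATA_RE.search(message or "")
    if not m:
        return None, "no AD sub-code in message"
    code = m.group(1).lower()
    return code, AD_BIND_SUBCODES.get(code, "unknown sub-code")


def bind_with_fallback(ntlm_bind, simple_bind, use_ssl):
    """Try NTLM, then SIMPLE. Each *_bind is a hypothetical callable returning
    (ok, diagnostic_message), e.g. a thin wrapper around an ldap3 Connection.
    Assumption of this example: SIMPLE is refused without LDAPS, because a
    SIMPLE bind sends the password in plain text."""
    ok, msg = ntlm_bind()
    if ok:
        return "NTLM", None
    code, why = explain_bind_failure(msg)
    if not use_ssl:
        return None, f"NTLM failed (data {code}: {why}); SIMPLE refused without LDAPS"
    ok, msg2 = simple_bind()
    if ok:
        return "SIMPLE", f"NTLM failed (data {code}: {why})"
    code2, why2 = explain_bind_failure(msg2)
    return None, f"NTLM failed (data {code}); SIMPLE failed (data {code2}: {why2})"


# Constructed diagnostic message in the format AD uses for sub-code 531.
SAMPLE_531 = ("80090308: LdapErr: DSID-0C090000, comment: "
              "AcceptSecurityContext error, data 531, v0000")
```

With ldap3, each callable would call `bind()` on a `Connection` created with `authentication=NTLM` or `authentication=SIMPLE` and return the bind result together with `conn.result['message']`.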