[SSSD-users] Kerberos + AD: session encryption

Hello. I've configured domain membership for one linux server, and now I'm trying to understand one thing. I can't figure out how SASL-GSSAPI encrypts LDAP requests and GC interactions. As long as I understood Kerberos, it's a protocol solely for authentication, and SASL-GSSAPI gives it ability to encrypt all data transactions between authenticated hosts. But this encryption is not mandatory. I've done several queries via 'id' utility to generate traffic, and captured it. All I can see is LDAP traffic to 389/tcp and 3268/tcp, which is encrypted. I can decrypt it by loading host's keytab to Wireshark. We've disabled anonymous and insecure binds (without integrity checking or SSL/TLS encryption) in AD, and didn't adjust minssf/maxssf parameters on Linux. As long as I understood, AD does not require whole session encryption, neither does Linux. All authentication is done in SSSD (authconfig --enablesssd --enablesssdauth). To summarize: I want to understand, why SASL-GSSAPI encrypts whole connection and not just auth phase, so I could be sure that one day all connections wouldn't appear in plaintext on the network. If I had more experience in programming, I've could find the answer in source code (all hail to opensource) to fullfill my curiosity, but unfortunately I can't do that, so I'll appreciate any help/hints/links on the topic. Kind regards.