The Samba-Bugzilla – Bug 10740
The unicodePwd LDAP encryption restrictions are not applied
Last modified: 2016-07-29 07:57:17 UTC
Pretty much what the Summary says, on a Samba 4 AD DC, you can obtain and read the 'unicodePwd' attribute, you cannot do this with a windows AD DC.
Also, and this may stem from the same reason, you can set/reset the users password without using SSL, with a windows server, you MUST use SSL.
The two issues raised here are totally unrelated.
Yes, we only prevent access over LDAP, and just as the password hash values can be recovered locally on a Windows server, so they can on Samba with direct TDB access.
However, as the 'net rpc samdump' command demonstrates, password hash values can be obtained remotely with the administrator password.