Pretty much what the Summary says, on a Samba 4 AD DC, you can obtain and read the 'unicodePwd' attribute, you cannot do this with a windows AD DC. Also, and this may stem from the same reason, you can set/reset the users password without using SSL, with a windows server, you MUST use SSL.
The two issues raised here are totally unrelated. Yes, we only prevent access over LDAP, and just as the password hash values can be recovered locally on a Windows server, so they can on Samba with direct TDB access. However, as the 'net rpc samdump' command demonstrates, password hash values can be obtained remotely with the administrator password.
What's the state here? Do we really have a bug?
(In reply to Stefan Metzmacher from comment #2) Seemingly not any more, you used to be able to obtain a users password with ldap, but this is no longer possible.