userPassword is allowed in AD in two modes:
- a normal, PUBLIC attribute
- a gateway to the AD password

dsheuristics controls that, with the value 000000001 meaning that userPassword is a gateway to the AD password. For writes, Samba behaves correctly all the time. For reads, Samba always behaves as if dsheuristics was not set, or was set to 0.
To be clear, at no time is the AD password or anything related to it exposed by this.