ldapi connections apparently can’t be encrypted. This prevents unicodePwd from being modified over such connections.
This bug was referenced in samba master: 1a6dbcfb1054a2f140a50a039e4f054c43cfb77d 7df4bdd0fe722da63862d46f809f7ac0498ebe59 ec6579829f9781d113428b8b3c603edd3e6c222d c2378d0c6f3e2f6b10902dc40b4a28c1dc788042 c63cabf1e09bb2d1416483767d1ca835abe017da ff8e98daf1c3fd99d4d880ddc2d47eeb0d99718c
Needs backporting to 4.19 and 4.20.
Created attachment 18289: patch for Samba 4.19
Created attachment 18290: patch for Samba 4.20