net ad join uses the LDAP_SERVER_PERMISSIVE_MODIFY_OID (1.2.840.113522.214.171.1243) control without checking if the server implements it (information is exposed in rootDSE in the SupportedControls attribute).
Samba4 still does not implement this control so when samba 3.4.5 tries to modify the machine ldap entry and uses this control (marking it as critical) the server returns an error and the join fails.
I am not sure we should fix this in samba 3.x, I am looking on how much work we need to add this control to s4.
I pushed a patch in s4 that implements the control and with that the samba join works. Not sure if we want to consider this bug fixed or if we want to still check the control is available before using it. That would be the right(TM) thing to do, but I know it would be a lot of work to make the work around if the control is not available, so I'll gladly accept opinions.
Marking this as an enhancement. I doubt that there will be AD implementations that don't support the full set of controls.