On a Samba 4 AD DC the LDAP server in all versions of Samba from
4.0.0 onwards incorrectly validates permissions to modify passwords
over LDAP allowing authenticated users to change any other users'
passwords, including administrative users and privileged service
accounts (eg Domain Controllers).

The LDAP server incorrectly validates certain LDAP password
modifications against the "Change Password" privilege, but then
performs a password reset operation.

Source: Samba – Security Announcement Archive