
Haven't used Samba much; this is enlightening. Previously I had assumed it just used the same auth system (e.g. PAM) as the host. That would entail its own complications but would probably have prevented this bug.


It would not be possible to have an AD server using PAM; AD protocols need the NT hash.

Samba can only use PAM when plaintext passwords are used, which is not supported at all with AD (Samba as standalone requires you to store passwords in its own database). As an Active Directory server, passwords are stored in the directory with access provided by multiple protocols. This was an issue in the LDAP ACL verification.


LDAP always has the userPassword attribute, which is fully compatible with Linux; you just have to change both at the same time (this is in fact what I did for one of my clients).



