Users unable to change password Active Directory/LDAP

Your answer helped me to get it working!!! Thanks a lot! The critical part to know in Active Directory is:

Allow user password change over LDAP

Front end applications can use LDAP as a back end authentication server. Some of these applications also allow authenticated users to change their passwords.

AD allows password changes by manipulating the unicodePwd attribute of an account. Web applications such as Nextcloud only support password changes through manipulation of the more common LDAP userPassword attribute. By default the latter is not allowed in AD. This can be overridden by modifying the dSHeuristics attribute. Specifically, the fUserPwdSupport heuristic must be set to true. To do this, run:

ldbedit -e nano -H /var/lib/samba/private/sam.ldb \
  -b 'CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=ad,DC=example,DC=com' \
  '(objectClass=ntDSService)'

Add the following line to the bottom and save:

dSHeuristics: 000000001

This will set the 9th heuristic of dSHeuristics, fUserPwdSupport, to true.

Password changes are only allowed over secure connections, which is why TLS support for LDAP connections was enabled earlier.

And here is the GUI version of the explanation:

https://ldapwiki.com/wiki/Enable%20UserPassword%20in%20Microsoft%20Active%20Directory

You just need to know that you need to set that hidden bit.

Cheers

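Added example (not part of the post above, and not Samba or Nextcloud code): dSHeuristics is a positional string, so editing it by hand in ldbedit is easy to get wrong once other heuristics are already set. The script below computes the new value from the current one, preserving every other position, zero-padding as needed, and keeping the marker digits that MS-ADTS requires at every tenth position (the 10th character must be '1', the 20th '2', and so on). It then emits an LDIF that can be fed to ldbmodify instead of editing sam.ldb interactively. The DN and the sam.ldb path are taken from the post; the function names and the argv handling are this example's own.

```python
"""Set one dSHeuristics position (fUserPwdSupport by default) and emit LDIF.

Added example; not code from the original post or from Samba.
"""
import sys

# 1-based position of fUserPwdSupport in dSHeuristics, as in the post above.
FUSER_PWD_SUPPORT = 9

# DN from the post; replace DC components with those of your own domain.
DS_DN = ("CN=Directory Service,CN=Windows NT,CN=Services,"
         "CN=Configuration,DC=ad,DC=example,DC=com")


def heuristic(current: str, position: int) -> str:
    """Return the character at a 1-based position, '0' if the string is shorter."""
    return current[position - 1] if len(current) >= position else "0"


def user_pwd_enabled(current: str) -> bool:
    """True when fUserPwdSupport is set, i.e. userPassword changes are allowed."""
    return heuristic(current, FUSER_PWD_SUPPORT) == "1"


def set_heuristic(current: str, position: int, value: str) -> str:
    """Return dSHeuristics with one 1-based position set to a single character.

    Existing positions are preserved and the string is zero-padded up to
    the requested position. Every tenth character is a marker digit that
    Active Directory requires (position 10 is '1', 20 is '2', ...); those
    positions cannot be chosen as a heuristic and are (re)written here.
    """
    if position < 1 or len(value) != 1:
        raise ValueError("position must be >= 1 and value a single character")
    if position % 10 == 0:
        raise ValueError(f"position {position} is a marker digit, not a heuristic")
    chars = list(current)
    while len(chars) < position:
        chars.append("0")
    chars[position - 1] = value
    for marker in range(10, len(chars) + 1, 10):
        chars[marker - 1] = str(marker // 10)
    return "".join(chars)


def ldif_for(dn: str, new_value: str) -> str:
    """LDIF modify record for ldbmodify; 'replace' also works when the
    attribute is not present yet."""
    return (f"dn: {dn}\n"
            "changetype: modify\n"
            "replace: dSHeuristics\n"
            f"dSHeuristics: {new_value}\n")


if __name__ == "__main__":
    # Pass the current dSHeuristics value as the first argument (empty string
    # or no argument when the attribute does not exist yet).
    current = sys.argv[1] if len(sys.argv) > 1 else ""
    if user_pwd_enabled(current):
        sys.stderr.write("fUserPwdSupport is already enabled\n")
    new = set_heuristic(current, FUSER_PWD_SUPPORT, "1")
    sys.stdout.write(ldif_for(DS_DN, new))
```

Read the current value first so nothing already set gets clobbered, then apply the LDIF, both against the same sam.ldb the post uses: ldbsearch -H /var/lib/samba/private/sam.ldb -b "$DS_DN" '(objectClass=ntDSService)' dSHeuristics, then python3 dsheuristics.py "$CURRENT" | ldbmodify -H /var/lib/samba/private/sam.ldb. Re-run the ldbsearch afterwards and confirm the 9th character is 1; on a fresh domain with no dSHeuristics the result is exactly the 000000001 shown in the post.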