This is the Samba 4 version of bug 6099
Microsoft Open Protocol Document MS-NRPC
NetrServerAuthenticate3, section 18.104.22.168.2
NetrServerAuthenticate2, section 22.214.171.124.3
The NegotiateFlags field in the message output needs to be set to
the intersection of what Samba supports and what the client supports,
even when the call results in failure such as Access Denied.
The current behavior appears to just echo back what was received,
falsely advertising capabilities that Samba does not support.
should be fixed with commit 201a033c8f19f37117b6f779cbabcf9def3bf655