This is the Samba 4 version of bug 6099 Microsoft Open Protocol Document MS-NRPC NetrServerAuthenticate3, section 3.5.4.3.2 NetrServerAuthenticate2, section 3.5.4.3.3 The NegotiateFlags field in the message output needs to be set to the intersection of what Samba supports and what the client supports, even when the call results in failure such as Access Denied. The current behavior appears to just echo back what was received, falsely advertising capabilities that Samba does not support.
should be fixed with commit 201a033c8f19f37117b6f779cbabcf9def3bf655