Not clear why this happens but if we use the forked lsasd daemon the MS-LSAT testsuite from Microsoft fails to run against samba/freeipa The symptom according to the logs I reviewed in the labs were that for each new LSA request smbd would try to open a new pipe to the lsasd daemon instead of resuing the existing pipe where the RPC BIND was previously performing, causing the new request to run unauthenticated (and then failing with ACCESS DENIED of course). An additional issue seem to be that we force context_id to 1 in source3, we don't do that in source4 dcerpc code and the MS testsuite had issues with that. Also tracked here: https://fedorahosted.org/freeipa/ticket/3135