Restrict anonymous checks for the SAMR pipe. This is done by

returning access denied for a SAMR_CONNECT by an anonymous user which
seems to be the way 2K does it rather than blocking individual RPC
calls like NT.

Also checked is the SAMR_GET_DOM_PWINFO rpc which for some reason
doesn't require a policy handle to return information.  No idea what
it's actually used.
(This used to be commit 40c68fa85c31c1baf7ba2c8ed62cd06c34711913)

source3/rpc_server/srv_samr_nt.c

@@ -2026,6 +2026,14 @@ NTSTATUS _samr_connect_anon(pipes_struct *p, SAMR_Q_CONNECT_ANON *q_u, SAMR_R_CO
 {
 	struct samr_info *info = NULL;
 
+    /* Access check */
+
+    if (!pipe_access_check(p)) {
+	    DEBUG(3, ("access denied to samr_connect_anon\n"));
+	    r_u->status = NT_STATUS_ACCESS_DENIED;
+	    return r_u->status;
+    }
+
     /* set up the SAMR connect_anon response */
 
     r_u->status = NT_STATUS_OK;
@@ -2053,6 +2061,14 @@ NTSTATUS _samr_connect(pipes_struct *p, SAMR_Q_CONNECT *q_u, SAMR_R_CONNECT *r_u
 
     DEBUG(5,("_samr_connect: %d\n", __LINE__));
 
+    /* Access check */
+
+    if (!pipe_access_check(p)) {
+	    DEBUG(3, ("access denied to samr_connect\n"));
+	    r_u->status = NT_STATUS_ACCESS_DENIED;
+	    return r_u->status;
+    }
+
     r_u->status = NT_STATUS_OK;
 
     /* associate the user's SID with the new handle. */
@@ -3594,7 +3610,18 @@ NTSTATUS _samr_set_aliasinfo(pipes_struct *p, SAMR_Q_SET_ALIASINFO *q_u, SAMR_R_
 
 NTSTATUS _samr_get_dom_pwinfo(pipes_struct *p, SAMR_Q_GET_DOM_PWINFO *q_u, SAMR_R_GET_DOM_PWINFO *r_u)
 {
+	/* Perform access check.  Since this rpc does not require a
+	   policy handle it will not be caught by the access checks on
+	   SAMR_CONNECT or SAMR_CONNECT_ANON. */
+
+	if (!pipe_access_check(p)) {
+		DEBUG(3, ("access denied to samr_get_dom_pwinfo\n"));
+		r_u->status = NT_STATUS_ACCESS_DENIED;
+		return r_u->status;
+	}
+
 	/* Actually, returning zeros here works quite well :-). */
+
 	return NT_STATUS_OK;
 }