samba.50.mward2014 at spamgourmet.com
2014-Jan-11 19:07 UTC
[Samba] Access denied using IP when joined in MS domain with RODC
The problem I have is a little strange and is due to the configuration of our Active Directory. The following symptoms occur with the following setup. I will provide more details on the setup later.

Microsoft Windows 2012 DC domain controller (ad1.local)
Microsoft Windows 2012 RODC read only domain controller (public.ad1.local)
Ubuntu 12.04 with Samba 3.6.3 (mizb-nas01)

The Ubuntu/Samba server has been joined into the domain. The DC is firewalled off from all computers except the RODC. The Ubuntu/Samba server is configured to use the RODC. The Samba server is prevented from accessing the DC. The Ubuntu/Samba server is only a member of the domain.

When a client accesses the Ubuntu/Samba server with the NetBIOS name or FQDN I have no problems. AD security and file access work. I have problems accessing the Ubuntu/Samba server with the IP address or with a DNS A record pointing to the same IP address. What I am expecting to accomplish is the ability to set up a DNS A record that will be used to access the Ubuntu/Samba server.

From a Windows computer (Windows 2012 Server), when I execute the following command with the IP of the Samba server I get the following error.

> net view \\10.0.40.10
System error 5 has occurred.

Access is denied.

From the same Windows computer, when I execute the following command using the Samba server's NetBIOS name or fully qualified name the command does not fail and I get what I am expecting to see.

> net view \\mizb-nas01
Shared resources at \\mizb-nas01

mizb-nas01 server (Samba, Ubuntu)

Share name   Type   Used as   Comment
-------------------------------------------------------------------------------
ad1.files    Disk
The command completed successfully.

From the same Windows computer, when I browse in File Explorer to the Samba server using the server's IP address I get the following error.

"\\10.0.40.10 is not accessible. You might not have permission to use this network resource. Contact the administrator of this server to find out if you have access permissions.

The security database on the server does not have a computer account for this workstation trust relationship."

From the same Windows computer, when I browse in File Explorer to the Samba server using the NetBIOS name or fully qualified name I am able to see and access the shares.

Now, if I open the firewall and let the Ubuntu/Samba server access the DC, the previous commands will work using IP, NetBIOS name, or DNS A record. It is only when the DC firewall rules are put into place that I cannot access the Ubuntu/Samba server via IP or DNS A record.

Some diagnostics. If I execute wbinfo -u or -g I am able to obtain a list of the domain users and groups with or without access to the DC.

More information on the setup. The ports open from the Ubuntu/Samba server to the RODC:
TCP: 53, 88, 135, 389, 445, 749, 3268, 5722, 49152-65535
UDP: 53, 123, 389

==========================================================================
Configuration
--------------------------------------
/etc/krb5.conf
--------------------------------------
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = AD1.LOCAL

[realms]
 AD1.LOCAL = {
  default_domain = ad1.local
  #----- RODC ---------
  kdc = public.ad1.local:88
  admin_server = public.ad1.local:749
  #----- RWDC ---------
  #rwdc kdc = ad1.local:88
  #rwdc admin_server = ad1.local:749
 }

[domain_realm]
 ad1.local = AD1.LOCAL

--------------------------------------
/etc/samba/smb.conf
--------------------------------------
[global]
 log file = /var/log/samba/log.%m
 load printers = no
 encrypt passwords = yes
 realm = AD1.LOCAL
 passdb backend = tdbsam
 netbios name = mizb-nas01
 cups options = raw
 workgroup = AD1
 os level = 0
 security = ads
 max log size = 1000
 winbind enum users = yes
 winbind enum groups = yes
 client ldap sasl wrapping = sign
 server string = %h server (Samba, Ubuntu)
 idmap config * : backend = tdb
 idmap config * : range = 1000000-1999999
 log level = 2
 syslog = 0
 panic action = /usr/share/samba/panic-action %d
 wins support = no
 domain master = no
 preferred master = no
 #---- RODC ----
 wins server = public.ad1.local
 password server = public.ad1.local
 #---- RWDC ----
 #rwdc wins server = ad1.local
 #rwdc password server = ad1.local
 map to guest = bad user

#============= SHARES ===========================================
[ad1.files]
 valid users = @"AD1\domain users"
 writeable = yes
 create mode = 777
 path = /data/cifs/ad1.local/files/
 directory mode = 777

--------------------------------------
/etc/nsswitch.conf
--------------------------------------
passwd:         compat winbind
group:          compat winbind
shadow:         compat
hosts:          files dns
networks:       files
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
netgroup:       nis

------------------------------------------------------------------------------
The following are log entries of interest (log level = 2, /var/log/samba/).

---------------------------------------
log.winbindd
---------------------------------------
[2014/01/10 19:39:40, 0] winbindd/winbindd.c:1336(main)
  winbindd version 3.6.3 started.
[2014/01/10 19:39:44.608433, 1] winbindd/winbindd_util.c:294(trustdom_list_done)
  Could not receive trustdoms

---------------------------------------
log.nmbd
---------------------------------------
[2014/01/10 19:39:53, 0] nmbd/nmbd.c:860(main)
  nmbd version 3.6.3 started.
[2014/01/10 19:40:08, 2] nmbd/nmbd_elections.c:202(run_elections)
  run_elections: >>> Won election for workgroup AD1 on subnet 10.0.40.10 <<<
[2014/01/10 19:40:08, 2] nmbd/nmbd_become_lmb.c:538(become_local_master_browser)
  become_local_master_browser: Starting to become a master browser for workgroup AD1 on subnet 10.0.40.10
[2014/01/10 19:40:14, 2] nmbd/nmbd_nameregister.c:193(wins_registration_timeout)
  wins_registration_timeout: WINS server 10.0.189.10 timed out registering IP 10.0.40.10
[2014/01/10 19:40:14, 2] nmbd/nmbd_nameregister.c:193(wins_registration_timeout)
  wins_registration_timeout: WINS server 10.0.89.10 timed out registering IP 10.0.40.10
[2014/01/10 19:40:14, 2] nmbd/nmbd_nameregister.c:193(wins_registration_timeout)
  wins_registration_timeout: WINS server 10.0.189.10 timed out registering IP 10.0.40.10
[2014/01/10 19:40:14, 2] nmbd/nmbd_nameregister.c:193(wins_registration_timeout)
  wins_registration_timeout: WINS server 10.0.89.10 timed out registering IP 10.0.40.10
[2014/01/10 19:40:14, 2] nmbd/nmbd_nameregister.c:193(wins_registration_timeout)
  wins_registration_timeout: WINS server 10.0.189.10 timed out registering IP 10.0.40.10
[2014/01/10 19:40:16, 0] nmbd/nmbd_become_lmb.c:397(become_local_master_stage2)
  ***** Samba name server MIZB-NAS01 is now a local master browser for workgroup AD1 on subnet 10.0.40.10 *****
[2014/01/10 19:40:37, 0] nmbd/nmbd_browsesync.c:351(find_domain_master_name_query_fail)
  find_domain_master_name_query_fail: Unable to find the Domain Master Browser name AD1<1b> for the workgroup AD1. Unable to sync browse lists in this workgroup.

---------------------------------------
log.wb-AD1
---------------------------------------
[2014/01/10 19:39:44.570318, 2] libsmb/cliconnect.c:1433(cli_session_setup_kerberos_send)
  Doing kerberos session setup
[2014/01/10 19:42:04.024728, 2] winbindd/winbindd_pam.c:1885(winbindd_dual_pam_auth_crap)
  NTLM CRAP authentication for user [AD1]\[mark.ward] returned NT_STATUS_NO_TRUST_SAM_ACCOUNT (PAM: 4)
[2014/01/10 19:42:05.084260, 2] winbindd/winbindd_pam.c:1885(winbindd_dual_pam_auth_crap)
  NTLM CRAP authentication for user [AD1]\[mark.ward] returned NT_STATUS_NO_TRUST_SAM_ACCOUNT (PAM: 4)
[2014/01/10 19:42:05.909198, 2] winbindd/winbindd_pam.c:1885(winbindd_dual_pam_auth_crap)
  NTLM CRAP authentication for user [AD1]\[mark.ward] returned NT_STATUS_NO_TRUST_SAM_ACCOUNT (PAM: 4)

---------------------------------------
log.mizb-rdpgateway
---------------------------------------
[2014/01/10 19:42:04.025091, 2] auth/auth.c:319(check_ntlm_password)
  check_ntlm_password: Authentication for user [mark.ward] -> [mark.ward] FAILED with error NT_STATUS_NO_TRUST_SAM_ACCOUNT
[2014/01/10 19:42:05.084552, 2] auth/auth.c:319(check_ntlm_password)
  check_ntlm_password: Authentication for user [mark.ward] -> [mark.ward] FAILED with error NT_STATUS_NO_TRUST_SAM_ACCOUNT

---------------------------------------
log.winbindd-dc-connect
---------------------------------------
*contains 0 bytes*
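An added example (not part of the original post or of Samba itself): a small Python parser for Samba 3.x log entries in the format quoted above, which pairs each `[timestamp, level] file:line(function)` header with its indented message and tallies winbindd NTLM pass-through failures per user and NT_STATUS code. The sample log text is constructed to match the post's format and is not a real capture.

```python
import re
from collections import Counter

# Constructed sample in the Samba 3.6 "log level = 2" format shown in the post.
SAMPLE_LOG = r"""
[2014/01/10 19:39:44.570318, 2] libsmb/cliconnect.c:1433(cli_session_setup_kerberos_send)
  Doing kerberos session setup
[2014/01/10 19:42:04.024728, 2] winbindd/winbindd_pam.c:1885(winbindd_dual_pam_auth_crap)
  NTLM CRAP authentication for user [AD1]\[mark.ward] returned NT_STATUS_NO_TRUST_SAM_ACCOUNT (PAM: 4)
[2014/01/10 19:42:05.084260, 2] winbindd/winbindd_pam.c:1885(winbindd_dual_pam_auth_crap)
  NTLM CRAP authentication for user [AD1]\[mark.ward] returned NT_STATUS_NO_TRUST_SAM_ACCOUNT (PAM: 4)
[2014/01/10 19:42:09.000000, 2] winbindd/winbindd_pam.c:1885(winbindd_dual_pam_auth_crap)
  NTLM CRAP authentication for user [AD1]\[jane.doe] returned NT_STATUS_OK (PAM: 0)
"""

# Header line: "[2014/01/10 19:42:04.024728, 2] winbindd/winbindd_pam.c:1885(winbindd_dual_pam_auth_crap)"
HEADER = re.compile(r"^\[(?P<ts>[^,\]]+), (?P<level>\d+)\] (?P<src>[^(\s]+)\((?P<func>\w+)\)$")
# winbindd's NTLM ("CRAP" = challenge/response) pass-through result line.
NTLM = re.compile(r"NTLM CRAP authentication for user \[(?P<dom>[^\]]*)\]\\\[(?P<user>[^\]]*)\]"
                  r" returned (?P<status>NT_STATUS_\w+)")

def parse_entries(text):
    """Return a list of dicts {ts, level, src, func, msg}; message lines are the indented ones."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            entries.append({**m.groupdict(), "msg": ""})
        elif entries and line.startswith(" "):
            entries[-1]["msg"] += line.strip() + " "
    for e in entries:
        e["msg"] = e["msg"].strip()
    return entries

def ntlm_failures(entries):
    """(timestamp, DOMAIN\\user, NT_STATUS) for every NTLM pass-through that did not return NT_STATUS_OK."""
    out = []
    for e in entries:
        m = NTLM.search(e["msg"])
        if m and m.group("status") != "NT_STATUS_OK":
            out.append((e["ts"], m.group("dom") + "\\" + m.group("user"), m.group("status")))
    return out

def summarize(text):
    """Count Kerberos session setups versus NTLM failures, keyed by (user, status)."""
    entries = parse_entries(text)
    counts = Counter((user, status) for _, user, status in ntlm_failures(entries))
    kerberos = sum("kerberos session setup" in e["msg"].lower() for e in entries)
    return {"entries": len(entries), "kerberos_setups": kerberos, "ntlm_failures": dict(counts)}
```

Run over the real log.wb-AD1 with `password server` pointed at the RODC and then at the RWDC, the summary shows whether the failures are confined to NTLM pass-through (the by-IP path) while Kerberos session setup (the by-name path) keeps succeeding.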
samba.50.mward2014 at spamgourmet.com
2014-Jan-13 15:24 UTC
[Samba] Access denied using IP when joined in MS domain with RODC (samba: message 2 of 20)
I may have my evidence wrong, and here is a correction on what I am seeing today. When pointing to the RODC, even with the RWDC access open, access by IP and DNS A record fails. If I set up the Samba config to use the RWDC, access via IP and DNS A record works.
samba.50.mward2014 at spamgourmet.com
2014-Jan-13 20:55 UTC
[Samba] Access denied using IP when joined in MS domain with RODC
More evidence collected. If I have my DNS and krb5.conf both referencing the RODC, then for smb.conf, if "wins server" references the RODC and "password server" references the RWDC (DC), it works: I can access the Samba server via its static IP. When all configuration references the RODC I cannot access via the IP, only by the Samba server's NetBIOS name. -Mark