Win7 clients failing with cached credentials on samba4 RODC

It's a long shot, but I'd try: it seems to me there is some incompatibility between Win7 and the Samba-based RODC in terms of security level settings. I'd also assume some default security setting on Win 7 is too restrictive and Samba doesn't support it. I will try to relax security settings on Win 7 by changing the local policy: Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options.

Usual suspects include, but are not limited to:

- Microsoft network client: Digitally sign communications (if server agrees)
- Microsoft network client: Send unencrypted password to third-party SMB servers
- Network security: LAN Manager authentication level
- Network security: LDAP client signing requirements
- Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
    - Require message confidentiality
    - Require NTLMv2 session security
    - Require 128-bit encryption
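A read-only check of where the listed policies currently stand on a Win7 client, so the baseline can be recorded before anything is changed and restored afterwards. This is an added example, not part of the original answer; it assumes the standard registry values that back these Security Options and sticks to PowerShell 2.0 syntax.

```powershell
# Added example: reports the registry values behind the policies listed above.
# Nothing is modified. A missing value means the policy is not configured
# locally and the OS default applies.
$svc = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

$checks = @(
    @{ Policy = 'Client: digitally sign (if server agrees)'
       Path = "$svc\LanmanWorkstation\Parameters"; Name = 'EnableSecuritySignature' },
    @{ Policy = 'Client: send unencrypted password to third-party SMB servers'
       Path = "$svc\LanmanWorkstation\Parameters"; Name = 'EnablePlainTextPassword' },
    @{ Policy = 'LAN Manager authentication level'
       Path = $lsa; Name = 'LmCompatibilityLevel' },
    @{ Policy = 'LDAP client signing requirements'
       Path = "$svc\LDAP"; Name = 'LDAPClientIntegrity' },
    @{ Policy = 'Minimum session security for NTLM SSP clients'
       Path = "$lsa\MSV1_0"; Name = 'NTLMMinClientSec' }
)

# NTLMMinClientSec is a bit mask; these are the three sub-options from the list.
$ntlmFlags = @{
    'Require message confidentiality' = 0x20
    'Require NTLMv2 session security' = 0x80000
    'Require 128-bit encryption'      = 0x20000000
}

$report = foreach ($c in $checks) {
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    $shown = '(not set, OS default applies)'
    $detail = ''
    if ($item -ne $null) {
        $value = $item.($c.Name)
        $shown = '0x{0:X}' -f $value
        if ($c.Name -eq 'NTLMMinClientSec') {
            # Decode which of the three requirements are switched on
            $on = @($ntlmFlags.Keys | Where-Object { $value -band $ntlmFlags[$_] })
            $detail = $on -join '; '
        }
    }
    New-Object PSObject -Property @{ Policy = $c.Policy; Value = $shown; Detail = $detail }
}

$report | Select-Object Policy, Value, Detail | Format-Table -AutoSize -Wrap
```

Values delivered by domain Group Policy land in the same registry locations, so a setting that reverts after a change is being enforced from the domain rather than from the local policy.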