On Ubuntu systems, root cannot su to a user unless that user is in the users.allow file.
On Ubuntu and Debain systems, root cannot su to a user unless that user is in the users.allow file, this is also the same for a user running "sudo su <user>"
This is expected behavior due to the default pam configuration.
If the version of su is pam enabled, even for root, then yes, it would fail.
In the PAM configuration auth has rootok, but for account/session it just hits the normal section which denies the user.
This is expected because that's how the OS is set up. su is asking pam if the user is allowed onto the system, and Authentication Services is correctly saying no.
Most OSes don't have root running su make those calls. But apparently Ubuntu by default does. You could possibly add similar rootok lines for account. Or make a su specific pam.d file that has direct pam_vas lines instead of including them from common-*, and put in no_access_check.