Old 07-03-2009, 08:54 AM   #1
daugavpils
Console user locked out - pam problems?


I am trying to enable AD authentication for Debian stable servers to enable users to log on via ssh authenticating against Windows AD. It all works fine and I can ssh to the server using my Windows credentials, but I have noticed this message on remote ssh logon when logging on as root:

Your account has been locked. Please contact your System administrator
Your account has been locked. Please contact your System administrator
Your account has been locked. Please contact your System administrator
Last login: Sat Jun 13 14:15:14 2009 from workstation1
server1:~#

I have checked if I can log in via the local console as root and oops, I cannot. The same error pops up. This could kick me painfully in the future.
At the same time I have tried the same setup for RedHat and I don't have this problem.
I believe the problem is somewhere in my pam configuration but can't see where. Googling for the error does not get me anywhere either.

Below are details for the corresponding pam files on Debian and RedHat:

*common-account*

`account sufficient pam_winbind.so require_membership_of=S-1-5-21-602162358-1844823847-725345543-XXXXXX`

`account sufficient pam_winbind.so require_membership_of=S-1-5-21-602162358-1844823847-725345543-XXXXXX`

`account sufficient pam_winbind.so require_membership_of=S-1-5-21-602162358-1844823847-725345543-XXXXXX`

`account required pam_unix.so`

*common-auth*

`auth sufficient pam_winbind.so require_membership_of=S-1-5-21-602162358-1844823847-725345543-XXXXXX`

`auth sufficient pam_winbind.so require_membership_of=S-1-5-21-602162358-1844823847-725345543-XXXXXX`

`auth sufficient pam_winbind.so require_membership_of=S-1-5-21-602162358-1844823847-725345543-XXXXXX`

`auth required pam_unix.so nullok_secure`

*common-session*

`session required pam_mkhomedir.so skel=/etc/skel/ umask=0022`
`session sufficient pam_winbind.so require_membership_of=S-1-5-21-602162358-1844823847-725345543-XXXXXX `

`session sufficient pam_winbind.so require_membership_of=S-1-5-21-602162358-1844823847-725345543-XXXXXX`

`session sufficient pam_winbind.so require_membership_of=S-1-5-21-602162358-1844823847-725345543-XXXXX`

`session required pam_unix.so`


*RedHat system-auth file:*

`auth required pam_env.so`
`auth sufficient pam_unix.so nullok try_first_pass`
`auth sufficient pam_winbind.so use_first_pass`
`auth requisite pam_succeed_if.so uid >= 500 quiet`
`auth required pam_deny.so`

`account required pam_unix.so`
`account sufficient pam_succeed_if.so uid < 500 quiet`
`account sufficient pam_winbind.so use_first_pass`
`account required pam_permit.so`

`password requisite pam_cracklib.so try_first_pass retry=3`
`password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok`
`password sufficient pam_winbind.so use_first_pass`
`password required pam_deny.so`

`session optional pam_keyinit.so revoke`
`session required pam_limits.so`
`session required pam_winbind.so use_first_pass`
`session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid`
`session required pam_unix.so`
`session optional pam_mkhomedir.so skel=etc/skel/ umask=0027`
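
How the basic Linux-PAM control flags walk the two `account` stacks posted above, as an added example that is not part of the thread. The module outcomes for root and for a domain user are assumptions, so this shows which modules each stack consults, not a diagnosis of the lockout.

```python
# Added example: evaluates required/requisite/sufficient over the posted
# "account" stacks. Module results are assumed inputs, not measurements.
WINBIND = ("account sufficient pam_winbind.so require_membership_of="
           "S-1-5-21-602162358-1844823847-725345543-XXXXXX")
DEBIAN_ACCOUNT = [WINBIND] * 3 + ["account required pam_unix.so"]
REDHAT_ACCOUNT = [
    "account required pam_unix.so",
    "account sufficient pam_succeed_if.so uid < 500 quiet",
    "account sufficient pam_winbind.so use_first_pass",
    "account required pam_permit.so",
]

# Constructed sample users (uid 10001 is an arbitrary domain-mapped uid).
ROOT = {"uid": 0, "in_domain": False}
AD_USER = {"uid": 10001, "in_domain": True}

def module_result(module, args, user):
    """Assumed outcome of one module for one user."""
    if module == "pam_winbind.so":
        return user["in_domain"]        # assumption: fails for non-domain accounts
    if module == "pam_succeed_if.so":   # only the "uid < N" form used on the page
        return user["uid"] < int(args[2])
    return True                         # assumption: pam_unix / pam_permit succeed

def evaluate(stack, user):
    """Return (allowed, modules consulted in order)."""
    failed, passed, consulted = False, False, []
    for line in stack:
        _type, control, module, *args = line.split()
        consulted.append(module)
        ok = module_result(module, args, user)
        if control == "sufficient":
            if ok and not failed:
                return True, consulted  # success ends the stack immediately
            # a failing "sufficient" module is ignored
        elif control in ("required", "requisite"):
            if ok:
                passed = True
            else:
                failed = True
                if control == "requisite":
                    return False, consulted
    return passed and not failed, consulted

if __name__ == "__main__":
    for name, stack in (("Debian", DEBIAN_ACCOUNT), ("RedHat", REDHAT_ACCOUNT)):
        for label, user in (("root", ROOT), ("AD user", AD_USER)):
            print(name, label, evaluate(stack, user))
```

Under these assumptions, the Debian stack consults pam_winbind three times for root before reaching pam_unix, while the RedHat stack returns at pam_succeed_if without reaching pam_winbind.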
 
Old 07-04-2009, 07:18 PM   #2
stress_junkie
This is the standard configuration on Debian. No ssh root logins. No console root logins.
 
Old 07-05-2009, 10:27 AM   #3
theacerguy
Quote:
Originally Posted by stress_junkie
This is the standard configuration on Debian. No ssh root logins. No console root logins.

This is what I would recommend:
Use Ubuntu Server 9.04 because that allows root logins via ssh and console; just do sudo passwd root, then you can set his password and su away (note: I am typing this on Ubuntu 9.04 server cos I did sudo apt-get install kdm xfce4 and got kdm and xfce).
 
  

