/etc/shadow + pam.d configs -- Do they hate each other?
Quick RHEL 5.3 Question. If I am root and I am trying to find which users on my system are locked out I know that I should be able to just look in /etc/shadow to figure this out. There should be a single "!" denoted in front of an encrypted password for the accounts that are locked.
I know that I also can do a passwd -S username command and it will tell me if an account is locked. The PS field changes to LK if a user account is locked.
Ok so my question is in conjunction with what I said previously and with pam.d and all those fun modules like pam_tally and pam_sshd that are already configured and are working for me at least to some degree. So I have set my /pam.d/system-auth-ac config such that a user only has a certain number of login attempts before their account is locked. No problem there. That is working.
So my question is first if a user is locked out from their account due to the pam.d configs why are they given the oppurtunity to keep on attempting to login? Second, the user cannot login (even with the correct password without being unlocked by an admin) so why is there no indication in my /etc/shadow file denoting that they are locked out???
I may just not understand this all that well, but I think I have a pretty decent grasp here. Could someone throw some of their linux wisdom at me???
Thanks for any and all of your time trying to educate me!