Usuário do console bloqueado - problemas de pam?

Estou tentando habilitar a autenticação AD para servidores Debian estáveis para permitir que os usuários efetuem logon via autenticação ssh no Windows AD. Tudo funciona bem e eu posso ssh para o servidor usando minhas credenciais do Windows, mas tenho notado esta mensagem no logon ssh remoto ao fazer logon como root:

Your account has been locked. Please contact your System administrator
Your account has been locked. Please contact your System administrator
Your account has been locked. Please contact your System administrator
Last login: Sat Jun 13 14:15:14 2009 from workstation1
server1:~#

Verifiquei se consigo fazer login via console local como root e oops, não consigo. O mesmo erro aparece. Isso poderia me chutar dolorosamente no futuro. Ao mesmo tempo, tentei a mesma configuração para o RedfHat e não tenho esse problema. Eu acredito que o problema está em algum lugar na minha configuração de pam, mas não consigo ver onde.googling por erro não me leva a lugar nenhum.

Abaixo estão os detalhes dos arquivos pam correspondentes no Debian e no redhat ...

Versão do Debian

conta comum

account sufficient      pam_winbind.so require_membership_of=S-1-5-21-602162358-1844823847-725345543-XXXXXX
account sufficient      pam_winbind.so require_membership_of=S-1-5-21-602162358-1844823847-725345543-XXXXXX
account sufficient      pam_winbind.so require_membership_of=S-1-5-21-602162358-1844823847-725345543-XXXXXX
account required    pam_unix.so

common-auth

auth    sufficient      pam_winbind.so require_membership_of=S-1-5-21-602162358-1844823847-725345543-XXXXXX
auth    sufficient      pam_winbind.so require_membership_of=S-1-5-21-602162358-1844823847-725345543-XXXXXX
auth    sufficient      pam_winbind.so require_membership_of=S-1-5-21-602162358-1844823847-725345543-XXXXXX
auth    required    pam_unix.so nullok_secure

sessão comum

session required        pam_mkhomedir.so skel=/etc/skel/ umask=0022
session sufficient      pam_winbind.so  require_membership_of=S-1-5-21-602162358-1844823847-725345543-XXXXXX 
session sufficient      pam_winbind.so require_membership_of=S-1-5-21-602162358-1844823847-725345543-XXXXXX
session sufficient      pam_winbind.so require_membership_of=S-1-5-21-602162358-1844823847-725345543-XXXXX
session required    pam_unix.so

Arquivo de autenticação do sistema RedHat:

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_winbind.so use_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     sufficient    pam_winbind.so use_first_pass
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_winbind.so use_first_pass
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     required      pam_winbind.so    use_first_pass
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_mkhomedir.so skel=etc/skel/ umask=0027

/etc/pam.d/sshd

# PAM configuration for the Secure Shell service

# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
auth       required     pam_env.so # [1]
# In Debian 4.0 (etch), locale-related environment variables were moved to
# /etc/default/locale, so read that as well.
auth       required     pam_env.so envfile=/etc/default/locale

# Standard Un*x authentication.
@include common-auth

# Disallow non-root logins when /etc/nologin exists.
account    required     pam_nologin.so

# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
# account  required     pam_access.so

# Standard Un*x authorization.
@include common-account

# Standard Un*x session setup and teardown.
@include common-session

# Print the message of the day upon successful login.
session    optional     pam_motd.so # [1]

# Print the status of the user's mailbox upon successful login.
session    optional     pam_mail.so standard noenv # [1]

# Set up user limits from /etc/security/limits.conf.
session    required     pam_limits.so

# Set up SELinux capabilities (need modified pam)
# session  required     pam_selinux.so multiple

# Standard Un*x password updating.
@include common-password