My root account keeps getting locked out automatically. I am running
Samba 3.0.25b on a CentOS server, as PDC with LDAP backend. I have
accounts set to lock after 8 un-successful login attempts. I zeroed out
the bad password count, and then in less than a few seconds the account
gets locked again and a pdbedit -Lv -u root yields the following:
Unix username: root
Logon time: 0
Logoff time: never
Kickoff time: never
Password last set: Wed, 01 Jan 1969 03:00:00 EST
Password can change: Wed, 08 Jan 1969 03:00:00 EST
Password must change: never
Last bad password : Wed, 08 Aug 2007 13:51:14 EDT
Bad password count : 8
If I enter w on the command line, it only shows that two (authorized)
users are logged into the server. So I'm confident that no one from the
outside is attempting to log in as root. Below is my conf file. If I go
into LDAP Account Manager and unlock the account, it will stay unlocked
for a few minutes (or seconds), then it is locked out again. With the
account lock I cannot join machines to the domain, nor change domain
permissions for users and groups. Any suggestions would be helpful.
[global]
unix charset = LOCALE
workgroup = glastendernet
netbios name = aster
server string = Glastender Domain Controller running %v
interfaces = eth1, lo, tun+
bind interfaces only = yes
os level = 255
preferred master = yes
local master = yes
domain master = yes
security = user
time server = yes
username map = /etc/samba/smbusers
wins support = yes
encrypt passwords = yes
pam password change = yes
name resolve order = wins bcast hosts
winbind nested groups = no
passdb backend = ldapsam:ldap://aster.glastender.com
ldap passwd sync = Yes
ldap suffix = dc=glastender,dc=com
ldap admin dn = cn=Manager,dc=glastender,dc=com
ldap ssl = no
ldap group suffix = ou=Groups
ldap user suffix = ou=People
ldap machine suffix = ou=People
ldap idmap suffix = ou=Idmap
idmap backend = ldap:ldap://aster.glastender.com
idmap uid = 10000-20000
idmap gid = 10000-20000
map acl inherit = yes
add user script = /opt/IDEALX/sbin/smbldap-useradd -m "%u"
#delete user script = /opt/IDEALX/sbin/smbldap-userdel "%u"
add machine script = /opt/IDEALX/sbin/smbldap-useradd -w "%u"
add group script = /opt/IDEALX/sbin/smbldap-groupadd -p "%g"
#delete group script = /opt/IDEALX/sbin/smbldap-groupdel "%g"
add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g "%g" "%u"
domain logons = yes
log file = /var/log/samba/log.%m
log level = 0
syslog = 0
max log size = 50
#smb ports = 139 445
smb ports = 139
hosts allow = 127.0.0.1 172.16.0.0/255.255.0.0 192.168.100.0/255.255.255.0
# User profiles and home directories
logon drive = U:
logon path = \\%L\profiles\%U
logon script = %U.bat
large readwrite = no
read raw = no
write raw = no
printcap name = /etc/printcap
load printers = no
printing template shell = /bin/false
winbind use default domain = yes
--
Jason Baker
IT Coordinator
Glastender Inc.
5400 North Michigan Road
Saginaw, Michigan 48604 USA
800.748.0423
Phone: 989.752.4275 ext. 228
Fax: 989.752.4444
www.glastender.com

Do you have a process (like a service or scheduled task) running on a client machine as user 'root' with an incorrect cached password?

Jon Johnson
Sutinen Consulting, Inc.
www.sutinen.com

Jason Baker wrote:
> My root account keeps getting locked out automatically. I am running
> Samba 3.0.25b on a CentOS server, as PDC with LDAP backend. I have
> accounts set to lock after 8 un-successful login attempts. I zeroed
> out the bad password count, and then in less than a few seconds the
> account gets locked again and a pdbedit -Lv -u root yields the
> following:
> Unix username: root
> Logon time: 0
> Logoff time: never
> Kickoff time: never
> Password last set: Wed, 01 Jan 1969 03:00:00 EST
> Password can change: Wed, 08 Jan 1969 03:00:00 EST
> Password must change: never
> Last bad password : Wed, 08 Aug 2007 13:51:14 EDT
> Bad password count : 8
>
> If I enter w on the command line, it only shows that two (authorized)
> users are logged into the server. So I'm confident that no one from
> the outside is attempting to log in as root. Below is my conf file. If
> I go into LDAP Account Manager and unlock the account, it will stay
> unlocked for a few minutes (or seconds), then it is locked out again.
> With the account lock I cannot join machines to the domain, nor change
> domain permissions for users and groups. Any suggestions would be
> helpful.
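
One way to follow up on the suggestion above, as an added example that is not part of the original thread: with `log level` raised from 0 to 2, smbd records failed logons in the per-client files named by `log file = /var/log/samba/log.%m`, and this script counts the failures charged to root for each client. The log lines, client names and the Administrator-to-root mapping (as a `username map` entry could produce) are constructed, and the message format is assumed to match Samba 3.0's `check_ntlm_password` debug output.

```python
import re

def _entry(stamp, sent, mapped):
    # Constructed smbd debug entry: header line, then the indented message.
    return (f"[{stamp}, 2] auth/auth.c:check_ntlm_password(319)\n"
            f"  check_ntlm_password:  Authentication for user [{sent}] -> "
            f"[{mapped}] FAILED with error NT_STATUS_WRONG_PASSWORD\n")

# Constructed sample keyed by log file name, as produced by
# "log file = /var/log/samba/log.%m" (one file per client machine).
SAMPLE_LOGS = {
    "log.ws-shipping": _entry("2007/08/08 13:51:12", "Administrator", "root")
                     + _entry("2007/08/08 13:51:13", "Administrator", "root")
                     + _entry("2007/08/08 13:51:14", "Administrator", "root"),
    "log.ws-office": _entry("2007/08/08 13:40:02", "root", "root")
                   + _entry("2007/08/08 13:41:10", "alice", "alice"),
}

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)")
FAILED = re.compile(r"Authentication for user \[([^\]]*)\] -> \[([^\]]*)\] FAILED")

def failed_logons(logs, unix_user):
    """Map (client, name the client sent) -> (failure count, last timestamp)
    for every failed logon that was charged to unix_user."""
    hits = {}
    for fname, text in logs.items():
        client = fname.split("log.", 1)[-1]   # %m expands to the client name
        stamp = None
        for line in text.splitlines():
            head = HEADER.match(line)
            if head:
                stamp = head.group(1)         # timestamp applies to next message
                continue
            fail = FAILED.search(line)
            if fail and fail.group(2).lower() == unix_user.lower():
                key = (client, fail.group(1))
                hits[key] = (hits.get(key, (0, None))[0] + 1, stamp)
    return hits

def worst_offenders(logs, unix_user):
    """Clients ordered by how many bad passwords they sent for unix_user."""
    return sorted(failed_logons(logs, unix_user).items(),
                  key=lambda kv: kv[1][0], reverse=True)

if __name__ == "__main__":
    for (client, sent), (count, last) in worst_offenders(SAMPLE_LOGS, "root"):
        print(f"{client:<15} sent [{sent}] {count} failures, last at {last}")
```

Matching on the second bracketed name catches logons that were sent under a different name and mapped to root, which a search for the literal name the client typed would miss.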