The account is locked when authenticating. pam_tally2 locks the account when the user authenticates, regardless of whether the login was successful or unsuccessful. The user is unable to authenticate again until the account lock has been cleared.
User IDs were locking / unlocking automatically.
The PAM Tally module is part of all Linux distributions. pam_tally and pam_tally2 are PAM modules that maintain a count, or tally, of access attempts.
pam_tally is used for extra security, stopping authentication after a set number of tries. It then locks the account. pam_tally does not have to be used with authentication services and can be commented out of the stack. However, if it is used, accounts must be managed according to its man page and documentation. Run 'man pam_tally2' from the command line to learn more about it.
Configuration of pam_tally is outside the scope of QAS Technical Support; please refer to the operating system vendor for information on configuring or removing pam_tally2.so.
If you are going to use pam_tally2, it should be above the pam_vas lines in both the auth and account stanzas of the PAM stack.
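One way to check this ordering in a /etc/pam.d-style file, as an added example (not QAS or vendor code). It assumes the QAS module file name starts with "pam_vas" (for example pam_vas3.so) and does not follow include or substack lines; the function name check_tally_order and the sample stack are constructed for illustration.

```shell
#!/bin/sh
# Report whether pam_tally2.so sits above the pam_vas line in the auth and
# account stanzas of one PAM service file. Returns 0 if the order is correct.
check_tally_order() {
    awk '
    /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
    {
        type = $1; sub(/^-/, "", type)       # leading "-" marks an optional module
        if (type != "auth" && type != "account") next
        # remember the first line number of each module per stanza
        if ($0 ~ /pam_tally2\.so/ && !(type in tally)) { tally[type] = NR; used = 1 }
        if ($0 ~ /pam_vas[^ \t]*\.so/ && !(type in vas)) vas[type] = NR
    }
    END {
        if (!used) { print "pam_tally2 not in use"; exit 0 }
        n = split("auth account", want, " ")
        bad = 0
        for (i = 1; i <= n; i++) {
            t = want[i]
            if (!(t in vas)) { print t ": no pam_vas line"; continue }
            if (!(t in tally)) { print t ": pam_tally2 missing"; bad = 1; continue }
            if (tally[t] > vas[t]) {
                print t ": pam_tally2 (line " tally[t] ") is below pam_vas (line " vas[t] ")"
                bad = 1; continue
            }
            print t ": ok"
        }
        exit bad
    }' "$1"
}

# Constructed sample stack: the auth stanza is ordered correctly, but the
# account stanza has no pam_tally2 line.
sample=$(mktemp)
cat > "$sample" <<'EOF'
auth     required    pam_tally2.so deny=5 unlock_time=900
auth     sufficient  pam_vas3.so
auth     required    pam_unix.so
account  sufficient  pam_vas3.so
account  required    pam_unix.so
EOF
check_tally_order "$sample" || echo "ordering problem found in sample stack"
rm -f "$sample"
```

Run it against the service files that carry the pam_vas lines on your system; a non-zero return means a stanza needs to be reordered or completed.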
To reset a user:
pam_tally2 --user <username> --reset
Show all of the accounts with locks:
Unlock all accounts with: