I have this weird problem I have experienced twice on rhel6, and once on rhel7. Let's say that I have a user account I use to log into the system. We'll call it sys1. What happens, is that the account will lock, and I have to use another account to unlock it. We'll call that account sys2.

Here is the strange part. I can't ever seem to unlock the account. I can reset it with pam_tally2, I can change the password from root, but I can't log into the account any more. Ever. The password is no longer recognized.

For example:
# pam_tally2 --reset
sys1 5 failed logon attempts
# pam_tally2
# passwd sys1
Password:
Password:
All authenticators changed.
# su - sys2

sys2> su - sys1
Password:
<fails because I use sys1 password>

sys2> sudo su - sys1
Password:
<succeeeds, because I use the sys2 password>

What I end up doing is creating a new account, say sys3, so that I can have two accounts in case I need to get an account lockout. I have tried deleting the account, and it didn't make any difference. It's almost like it is tracking the lockout somewhere else.

I've searched, but I'm not really sure how to narrow down this problem. Any ideas?