For the love of ${Diety}, don't adjust the common-* parts of the PAM stack when experimenting with a new authentication setup. It is the fastest, easiest way to Hole Hawg yourself. You could potentially lock yourself out of the system permanently because of a chicken-and-egg scenario: you are locked out of the system, but you need to log into the system to make the changes needed to prevent you from being locked out.
Consider experimenting on a single service, like SSH (assuming you have console access nearby). Once you have the service prototyped/configured to your exact requirements, don't apply it right away to the common-* files, instead, consider what impact it will have on other system services. Remember, common-* acts as a "catch-all" for most configurations and a single mistake here means a visit to the rescue CD to get it unlocked again. Once you have a good handle on how the config will interact with different services that depend on the system's default(s), then apply it.
Another point to consider is that if you are making this change to common-* to facilitate SSO for all services on the box, it will not catch every service, some services have their own authentication setup and you'll need to check those as well.
As far as the console messages are concerned, what has happened is that winbind is contacting your AD controller, which is seeing excessive failed login attempts. After 15 attempts (which I believe is the out-of-box number MS uses) the account is locked for a period of time, unless an administrator unlocks the account. This is why you're getting "account locked" messages when you log in - the winbind portion of your stack is failing the authentication attempts, and the process "falls through" to the next step in the stack.
I would look hard at your winbind settings to determine that the authentication is truly succeeding in the first place. If you're submitting credentials from a domain member that the AD controller doesn't like, it doesn't matter if the password is correct or not - sooner or later, the account will lock because the request is originating from what is perceived as a non-domain member. The first thing to check would be winbind's join to the domain, as this will affect if the credentials are even looked at. I would also look at how your administrative account is handled by winbind - I seem to recall there were one or two additional settings that were required to ensure proper behavior (I'll dig them out and re-edit when I have them...)
I would also recommend setting up a secondary password on the local linux box, using /etc/passwd, so that you have "fail-though" athentication. Should the winbind service fail to authenticate (and it has in this case) /etc/passwd will pick up the slack and allow you in. The fact that you're able to still get in seems to indicate that you've already done this by setting the local password the same as the AD password for the account your using.
Also consider installing another safety valve in the form of a sudo entry, so that a single, specific account will allow you to switch into root via sudo su.
The /etc/pam.d/system-auth file is used by Red-Hat and like systems to group together common security policies. It is often included in other /etc/pam.d policy files where those common policies are required.
When accessing a system via ssh through sshd, the /etc/pam.d/sshd policy file is consulted. This file includes /etc/pam.d/system-auth so your changes to /etc/pam.d/system-auth are valid.
The file /etc/pam.d/login is consulted when you log in via the /bin/login program therefore any changes to it only affect /bin/login.
Best Answer
pam_securetty is a PAM module that allows root logins only if the user is logging in on a "secure" tty, as defined by the listing in /etc/securetty. pam_securetty also checks to make sure that /etc/securetty is a plain file and not world writable.
telnet and ftp call login, and you probably already have /etc/pam.d/login including pam_securetty