
Expired accounts are reported as locked out

Open AdrianVollmer opened this issue 4 years ago • 1 comment

I noticed that a lot of accounts are reported as locked out, which isn't really possible with a lockout duration of 30 minutes. I checked a few accounts and noticed that they had expired months or years ago. This makes the use of --safe pretty pointless. I guess the Kerberos error code ERR_CLIENT_REVOKED doesn't really tell us why the credentials have been revoked, so there is not much that can be done about this. But it could be mentioned in the console output that the account isn't necessarily locked, but could also be expired (or possibly disabled?).

AdrianVollmer, Sep 29 '20 09:09

Good point. I can make the error message clearer. Maybe a better implementation of --safe would be to check if we get ERR_CLIENT_REVOKED a certain number of times in a row (maybe 3? 5?). That would more likely indicate that our current scan is causing these and we're locking accounts out one by one.

ropnop, Nov 14 '20 16:11