The lockoutTime for a user is set when the badPwdCount has been reached the account lockout threshold. The lockoutTime will be replicated to all other DCs, which locks the user. The badPwdCount is not replicated, which is correct.
To unlock the user account, the lockoutTime needs to be set to 0. This does also reset the badPwdCount to 0 automatically. This works fine on a one Samba Samba AD DC setup.
And now the bug:
When the reseted lockoutTime (set to 0) is replicated to the other Samba AD DCs, the badPwdCount will not be set to 0.
The Windows AD DC does reset the badPwdCount to 0, when it receives the lockoutTime=0.