Samba server is a member of an Active Directory domain where an account with userid "administrator" has been purposely locked out for security reasons. When logged on a Windows computer as local administrator (local account userid is "administrator"), then trying to connect to a Samba share with "guest ok = Yes" parameter, the connection is denied with the message: "The referenced account is currently locked out and may not be logged on to." The Samba server is trying to authenticate the Windows computer's local administrator against the Active Directory account, rather than recognizing it as a unique account and allowing it guest access. This did not occur in Samba 2.x, and this is not the behavior of Windows servers.
you can set 'auth methods = guest sam_ignoredomain winbind:ntdomain' to work around this. Without more people complaining, there are no plans to change the current behavior. Sorry.