Re: Failed Login Log - NRM reporting errors, NMAS says no error
a...@novell.com
Hash: SHA1
Everything I see in there that talks about success or failure says success:
NMAS: 1: NDS Login Method Successful
NMAS: 1: WhatNext
NMAS: 1: Successful login
NMAS: 1: NMAS session succeeded
Unless you see something broken it appears to be working. When you are
looking at a lot of messages from the backend utilities you can get what
appear to be errors all of the time... for example, -601 or -603 are both
"error messages" that you will see all day long if you look at the DS
Agent output from trace, but most of the time it's just eDirectory looking
for something that isn't there as part of its regular work and that's fine.
Good luck.
jameswatson3 wrote:
> Oops, I just posted this in eDir - Netware before I noticed this forum.
> I think I'll post here too though.
>
> We recently upgraded eDir from 8.8.4 to 8.8.5 then to 8.8.5FTF1 on both
> Netware 6.5sp8 and OES2SP1 replica masters.
>
> I can't say for certain that it was related to this upgrade, but I have
> recently noticed that multiple Netware servers now show a continuous
> display of Failed Login attempts in the NRM Health Monitor. No users
> have reported issues so I'm not sure if this is possibly cosmetic. When
> I trace LDAP, AUTH and NMAS I get content that appears to indicate
> success:
>
> NMAS: 1: Destroy NMAS Session for reuse
> NMAS: 1: Create NMAS Session
> NMAS: 1: Pregathered information NMAS_AID = 2 ignored
> NMAS: 1: Pregathered information NMAS_AID = 1 value
> *******************
> NMAS: 1: NMAS Client supplied user DN *******************
> NMAS: 1: Actual user DN *******************
> NMAS: 1: Create thread request
> NMAS: 1: Using thread 0x95b8a040
> NMAS: 1: Server thread started
> NMAS: 1: Started login session
> NMAS: 1: Pool thread 0x95b8a040 awake with new work
> NMAS: 1: NCP client address type 1
> NMAS: 1: NCP client address 10 115 2 132
> NMAS: 1: PxySendProxyClientInfo Bad Client MAF Handle
> NMAS: 1: OEM
> NMAS: 1: OEM Verb 3
> NMAS: 1: Verify Only
> NMAS: 1: CanDo
> NMAS: 1: Selected default login sequence == "NDS"
> NMAS: 1: Login Method 0x00000007
> NMAS: 1: Server Module 0x00000007 Get attribute AID: 1
> NMAS: 1: Begin Server Module 0x00000007
> NMAS: 1: Server Module 0x00000007 Get attribute AID: 39
> NMAS: 1: Server Module 0x00000007 Get Password
> NMAS: 1: Server Module 0x00000007 Write
> NMAS: 1: Server Module 0x00000007 XWrite
> NMAS: 1: Server Module 0x00000007 XRead
> NMAS: 1: Server Module 0x00000007 XWrite
> NMAS: 1: Server Module 0x00000007 Read
> NMAS: 1: Server Module 0x00000007 Successful
> NMAS: 1: NDS Login Method Successful
> NMAS: 1: WhatNext
> NMAS: 1: Successful login
> NMAS: 1: NMAS session succeeded
> NMAS: 1: Client Session Destroy Request
> NMAS: 1: Local Session Cleared (Not Destroyed)
> NMAS: 1: Server get data detected that the session was cleared
> NMAS: 1: Server Module 0x00000007 Get attribute AID: 39
> NMAS: 1: Server thread exited
> NMAS: 1: Pool thread 0x95b8a040 work complete
>
> So are these logins really failing? The only mention of the users in
> either LDAP, AUTH, or NMAS reports success. Their is a report of "Bad
> Client MAF Handle" but at the end of the day "successful login" is
> reported.
>
> Does anyone know what this means?
>
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iQIcBAEBAgAGBQJKyinVAAoJEF+XTK08PnB5mAUP/3w6Fw0rSUoJpoo/Ei6ATG0M
CSCfJp0dDao75LVSkdPODmCE3R/LyJn+TFE4EyRGIzpH17wlin7735Qi4RgbRP21
+t4x7YALFf9rg6OJSY/NFfV2KhFaOUGwKxuNf4Q9ELvoFkhcNLp18dSOicUtJNLY
ma5C/MxI249ZAKckgY4ci5yvcAh7+nQbhI79oG/WjNwTYhi9HE9z00Z5xoKWniFN
1wxcsOtUq9duyaYtV4p+QOyX+YIoGueM06HBMCuqV+v4ii/LtvsuLR2v9KeybNNF
yq8Z8VeFHXxuH/IAI7N2SeAQ6KWWJCVIGRt8JyZ+07Os+ATIVabQvH9y0OqNNtZK
5/MhdOXvEbxwXvrUo9ffA/6PGZ2o/PmaBqEBWe1nfi6R6IEOsMB8SBeWueQvPSix
ymThYkuqiAgSvdDAO+c7giGsSbYzp8WRi886j5219V8AOd62A1gRIqu2vwabBsTG
gmmSP4oNnWdWLE4lVL3sEOfHBh8XKuKuqiA/B+K4cjMq9vtGLDL6Apm1jMmAXPeu
KuIiqg7PzFLiPEQg5gYKCulT/kJcTvbY8SyI9YT2u3SsiE17M0P6/v5pDjr50N2a
f9JI/RLCBhIDeDn7VZPS2Qxb6ZH3opG04ocC0fDkxAe0o83MpMsYZEy4Xk5qX5aW
bjtQDbxAHexPBNRZ96Y6
=flmO
-----END PGP SIGNATURE-----
a...@novell.com
Hash: SHA1
Which users are failing that many logins per hour? How many users do you
have in your environment? Find this out first as I imagine it's must more
important than that one line in the NMAS trace. This can easily happen
when a single user used for a service (which authenticates to eDir) is
misconfigured, or when just a couple users are silly with their passwords.
Good luck.
jameswatson3 wrote:
> The thing I see that is broken is the NRM Health Monitor. I now have two
> servers that are in a continuous "red" state due to the constant
> reporting of 100+ failed login attempts per hour.
>
> So are we looking at an edir 8.8.5 or FTF1 bug here? Netware 6.5sp8
> bug? NMAS bug? Or some other correctable condition not related to any of
> the above?
>
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iQIcBAEBAgAGBQJKyrV1AAoJEF+XTK08PnB5kJwP/jEli8VrRG9FG8XHEvp1YgOp
mgW8y3+R5r40VIhvf62iKXMkUxeWaV4SjPFdAvHnX6yQLb+jhm2X/+x2hxnk9bhn
gV2u7aUyySpAxOruIR1mMlHh9GjLSWkZTboEKCO/ru7MWrTIKT/GdSdqr25g3Xcv
7GW9TieOGI4B761Z/6jPGEZNW4mIqE77jLD4t9ZZnRBHJdMn9XqpdY6lMSsQOPQW
q/uPqCR1jRqH/xL/2MPevm+P33pOJcsblEoXz0HKqraqvN+gBLnvem0TOxqtDprg
xcsM4NmYXC9mFIuSL+xA6ROUdSsD7E4R1ObwOTYI+HGNBjw1pT8DHhaMHZ7cuqPA
TtOiZcxnX3dbZ/PLB4WRGvpZLsMFvzpkdnfFeQ6MRa52gfRk+Fsq6priMFFFmVrs
fbN8iGPfSnL/xmvWtpHjT3EPLvSeJMfnH0NKXAntUy2s6tcsLhS4OGL1S6O98N7u
ENvp45HgUVF4t3qUQBLhaQwuZv3FcVjSqHGH89zkg0LCrRHF8XP4UR/5V/48/SJm
AA+4Bof3q/7ZOWYybIZAxvp9WGkkWzFwqUenY8eQTn1lKfYPE35V8erf4H1u3lZT
zEXWNfSxiCZB72FS2zdlDkNyUbjiausHDGzjNrvutL3957xdyL+iVun83gPiyVHa
Bw5WXW3YcfwD1weT0GEC
=aedK
-----END PGP SIGNATURE-----
Peter Kuo
> NRM Health Monitor. I now have two
> servers that are in a continuous "red" state due to the constant
> reporting of 100+ failed login attempts per hour.
there has been some on-going 'issue' of large number of failed logins, but
in some cases where traced to running CIFS on the server - is this your
case? - and I have a feeling is that NRM is simply broken in this regard
(failed logins).
--
Peter
eDirectory Rules!
http://www.DreamLAN.com
Jim Willeke
(LDAP, Novell Client SMB, ???)
If they are using LDAP, turn on LDAP in dstrace and see if you see the
failures there.
Is it possible there are passwords other than Universal being used
successfully? Like NDS or Simple?
-jim
On 10/14/2009 12:36 PM, Rmurphy24 wrote:
> I'm having a similar problem. I have a single server tree that is used
> for our ldap applications. All users are in one OU and this tree is
> synch'd up w/ our production tree using dirxml (hey, it works!). I just
> noticed that we're getting anywhere from 50-100 failed login attempts
> per hour, all w/ the IP address being the server itself, and the user
> being "unknown".
>
> In doing some DSTRACE's, we found the following:
> 11:07:40 49734200 Auth:<0x1> LocalLoginRequest. Error cannot go remote
> (-779), conn: -1.
> 11:07:40 49734200 LDAP: Failed to resolve full context on connection
> 0x44e5ce00, err = no such entry (-601)
> 11:07:40 49734200 LDAP: Failed to authenticate full context on
> connection 0x44e5ce00, err = no such entry (-601)
> 11:07:40 49734200 LDAP: Cannot resolve NDS name
> 'CN=unknown.OU=Employees.OU=***.O=***.C=***' in ResolveAndAuthNDSName,
> err = no such entry (-601)
> 11:07:40 49734200 LDAP: Base
> "cn=unknown,ou=Employees,ou=***,o=***,c=***" not found, err = no such
> entry (-601)
>
> Any idea if this is a real problem? I'm not hearing from any users that
> they are unable to get into the applications, but the server is always
> red in NRM.
>
>