Network Attached Storage​

 View Only

 SamLogon: Account domain\login ID on client XX.XX.XX.XX failed to logon with error NT_STATUS_WRONG_PASSWORD (0xc000006a) - mapped to FSBStatus WrongPassword: this event, Id 1000034, (and similar ones) happened 187 times in the last 128.9 min on the CMB1.

Muneer Khan's profile image
Muneer Khan posted 01-25-2023 06:13
Hi Experts, 

we are facing very weird issue on Hitachi HNAS 5200, we are getting following event on HNAS and HNAS is becoming sluggish due to many hits of BAD Password.

HNAS-5200 CIFS: SamLogon: Account domain\login ID on client XX.XX.XX.XX failed to logon with error NT_STATUS_WRONG_PASSWORD (0xc000006a) - mapped to FSBStatus WrongPassword: this event, Id 1000034, (and similar ones) happened 187 times in the last 128.9 min on the CMB1.

not getting any events or autologin scripts, or any software which may be getting triggered for authentication  on DC, and on Domain also we are not getting any event for bad passwords.
in-fact there is group policy to locked the AD ID after certain wrong attempts. 

due to this wired behavior of HNAS 5200, the entire node is getting inaccessible.

any suggestion / work around to overcome on this issue is much appreciable.

Regards
MK
Albert Hagopian's profile image
Albert Hagopian posted 01-25-2023 14:51

Hello Muneer: I see your account in SFDC and that you raised a case back in late Sept '22. In fact, the topic was brought to my attention by local Tech Expert in Oct.

From a very brief review, this topic has lineage to our client barring implementation.

Please do let me know if you cannot access this link; if not we can provide details to your account team SE.

Additionally, one can never have a "one size fits all" answer - ie, the event you posted may not correlate to the same root cause as another customer; according to case notes, beyond the client barring initiative - moving to Kerberos (from NTLM authentication) will also solve the follow-on errors issues.

Lastly, our support center provided methodologies to expand what we term the "paced event log" so that you can stochastically grep this log via SSC in order to see any event statuses that are not covered by the client barring. There was also an inquiry from your team as to the potential use of HNAS ELK integration, though I do not think that inquiry is quite relative to what is being asked in this context.

Muneer Khan's profile image
Muneer Khan posted 01-30-2023 23:52
Hi, 

thanks for the revert, 
client barring is already implemented and surprising its not helping. 

the other observation is the IDs which are already deleted from Active Directory, however we still see event on HNAS . 

"2023-01-30 10:31:18.545+05:30 PacedEventLoggerImplementation(@0x00007F0E1A667000): paced: CIFS: Failed to resolve name:domain\username to SID with error NT_STATUS_NONE_MAPPED (0xc0000073) - mapped to FSBStatus NoUserMapping: this event, Id 1000029, (and similar ones) happened 350 times in the last 83.55 min on the CMB1." 

Also one of the observation from Hitachi onsite engineer is : session are not getting disconnected from Hitachi, its persistent. how do we tweak system to release and reconnect the session if user is ideal or change the  password and coming with new password.

why this event !
Albert Hagopian's profile image
Albert Hagopian posted 01-31-2023 18:16

Muneer, I took a quick loot at diagnostics today and there are plenty of errors. What I cannot ascertain is whether this is relative to the request to move to Kerberos. It appears you may have moved on from client barring, so opening a new case would probably be wise.

you could investigate the CLI commands:

smb2-session-connection-list
connection --delete

<cifs-dc-errors for pnode 1>
Count Command Status FSBStatus 
------ -------------------------- --------------------------------- ----------------
479050 LsarpcSid2Name NT_STATUS_NONE_MAPPED NoUserMapping 
40624 LsarpcName2Sid NT_STATUS_NONE_MAPPED NoUserMapping

Muneer Khan's profile image
Muneer Khan posted 02-01-2023 03:56
Thanks Albert, shared command helped.
the output is as follows 

IN-HOHNAS-1:$ cifs-dc-errors
Count Command Status FSBStatus
------ -------------------------- --------------------------------- ----------------
525098 LsarpcSid2Name NT_STATUS_NONE_MAPPED NoUserMapping
44317 LsarpcName2Sid NT_STATUS_NONE_MAPPED NoUserMapping
12762 SamrOpenUser NT_STATUS_UNSUCCESSFUL FailedToTransmit
6006 NetLogonSamLogonEx NT_STATUS_UNSUCCESSFUL FailedToTransmit
3305 NetLogonSamLogonEx NT_STATUS_NO_SUCH_USER NoSuchUser
1921 NetLogonSamLogonEx NT_STATUS_WRONG_PASSWORD WrongPassword
663 NetLogonSamLogonEx NT_STATUS_ACCOUNT_LOCKED_OUT AccountLockedOut
366 SessionSetupAndTreeConnect NT_STATUS_UNSUCCESSFUL FailedToTransmit
328 NetLogonSamLogonEx NT_STATUS_PASSWORD_EXPIRED PasswordExpired
78 LsarpcSid2Name NT_STATUS_UNSUCCESSFUL FailedToTransmit
49 LsarpcName2Sid NT_STATUS_UNSUCCESSFUL FailedToTransmit
16 LsarpcSid2Name NT_STATUS_NETWORK_SESSION_EXPIRED SessionExpired
4 NetLogonSamLogonEx NT_STATUS_ACCOUNT_DISABLED AccountDisabled
2 NetLogonSamLogonEx NT_STATUS_ACCOUNT_EXPIRED AccountExpired

is there a way in HNAS to identify from which systems some process trying to use deleted IDs to access HNAS , I dont see any event on Active  Directory which for deleted IDs accessing/trying to authenticate on AD.  

regards
MK
Albert Hagopian's profile image
Albert Hagopian posted 02-01-2023 08:53

Muneer, 

Please open a new case with GSC for continued talks.

This forum is not in place to circumvent proper support; what info you seek is esoteric and no one on this forum can assist in diagnosis of your system inquiries (nor should they). I've asked our India Tech Expert to help guide expectations.

Related Content