Enable Web Access to Connectors

Web Access to Connectors allows users to see a Connectors tab in the ShareFile web app where they can browse, upload and download documents stored in on-premises SharePoint document libraries or CIFS file servers, as well as certain Personal Cloud Connectors. Depending on your plan, this feature may be disabled by default.

To enable the feature, please send a request to ShareFile Customer Support.

Requirements

Related:

Cisco Firepower Threat Defense Software SMB Protocol Preprocessor Detection Engine Denial of Service Vulnerabilities

Multiple vulnerabilities in the Server Message Block (SMB) Protocol preprocessor detection engine for Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, adjacent or remote attacker to cause a denial of service (DoS) condition.

For more information about these vulnerabilities, see the Details section of this advisory.

Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-frpwr-smb-snort

Security Impact Rating: High

CVE: CVE-2019-1696, CVE-2019-1704

Related:

DLP 15.1 Network Discover and Prevent – .PDF data extraction without an OCR server?

I need a solution

Does anyone know if Symantec DLP 15.1 Network Discover scans can extract data from .pdf files without an OCR server? We often get "Text Extraction Failed" for PDFs during Data at Rest scans (CIFS) and were wondering if an OCR server is needed to process PDFs during data at rest scans. Below is an example of one of the errors we get from the "ContentExtractionHost_FileReader.log".

| WARN  | cehost | Service [9084] | [5500] | Text extraction failed: type = 'pdf', container='0', encrypted='0', Exception thrown from : TextExtractionRequestExecutor.cpp(146) | CEService.cpp (190)
 


Related:

Open Enterprise Server 2018 SP1 – Now Available!

Nick Scholz

Micro Focus is pleased to announce the availability of Open Enterprise Server 2018 Service Pack 1, which includes plenty of exciting features and enhancements. Open Enterprise Server 2018 SP1 Highlights include: CIFS Performance/Specification Compliance – Folder Redirection allows users to redirect the path of a known folder to NSS AD network file share. Users can then …


The post Open Enterprise Server 2018 SP1 – Now Available! appeared first on Cool Solutions.

Related:

7022780: Get the most out of Novell Open Enterprise Server 2015

  • Maximum Cached Sub-directories Per Volume: 1024000

    This is settable by executing “novcifs -k SDIRCACHE=1024000” as root.
  • Maximum Cached Files Per Subdirectory: 102400

    This is settable by executing “novcifs -k DIRCACHE=102400” as root.
  • Maximum Cached Files Per Volume: 2048000

    This is settable by executing “novcifs -k FILECACHE=2048000” as root.

If, however, you are experiencing inaccessible CIFS shares, CIFS that stops listening or communicating or becomes unresponsive, a hanging novell-cifs daemon, or other CIFS or novell-cifs related issues, see TID 7008956 "Troubleshooting and Debugging CIFS on Open Enterprise Server".

In the lifespan of OES2015 a memory leak was addressed in the NMAS code used for and by the novell-cifsd.

The code on disk is part of the oes2015sp1-July-2017-Scheduled-Maintenance patch, or later.

More details on how to check, and where necessary update, the NMAS method code stored in eDirectory can be found in TID 7022690 "ndsd memory leak caused by novell-cifs nmas authentication method on OES2015.1".



NAMCD (LUM):

Several services rely on the Novell Authentication Module (namcd, LUM) to authenticate against eDirectory, so it should be tuned to use, preferably, the local server if it holds a replica, or otherwise a server on the local subnet that holds a replica of the needed tree partitions.

By default "preferred-server" is set to the first Open Enterprise Server that was installed in the eDirectory tree, so there is a good chance this parameter needs adjusting.

To get the current namcd configuration execute as root:

namconfig get

If the preferred-server value does not point to the local ip address (which is preferred even when the server does not have a local replica), or an IP address of a server on the same physical subnet, this can be changed with the following sequence of commands as root:

namconfig set preferred-server=[local ip address (*)]

namconfig -k

namconfig cache_refresh

(*) When in doubt, run 'ndsconfig get' and use the IP address listed under n4u.server.interfaces, without the trailing @524.

Alternatively, if the server does not have a local replica, it is also possible to add one or a couple alternative LDAP servers.

Adding a single alternative LDAP server is possible by executing this command as root:

namconfig set alternative-ldap-server-list=[ds-server01]

Adding more than one alternative LDAP server is possible using a comma separated list and can be accomplished by executing the following command as root:

namconfig set alternative-ldap-server-list=[ds-server01],[ds-server02],[ds-server03]

Alternative LDAP servers can also be used to make LUM more scalable, by spreading lookups over several replica holders.

It is also recommended to turn persistent search off and cache-only on.

This can be accomplished by executing these commands as root:

namconfig set persistent-search=no

namconfig set cache-only=yes


As the namconfig cache_refresh includes a restart of the namcd there is no need to restart this daemon to enable these changes.

For the other changes and tunings to be enabled, it is recommended to restart the namcd.
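The preferred-server check described above, as an added example that is not part of the TID: a small Python helper that reads the output of namconfig get and ndsconfig get and works out which of the commands in this section still need to be run. The key=value layout of both outputs, the sample values and the local subnet are assumptions; on a real server feed it the two commands' actual output.

```python
import ipaddress

# Constructed sample output; not captured from a real server. The key=value
# layout is an assumption about what "namconfig get" and "ndsconfig get" print.
SAMPLE_NAMCONFIG_GET = """\
preferred-server=10.1.1.5
alternative-ldap-server-list=
persistent-search=yes
cache-only=no
"""
SAMPLE_NDSCONFIG_GET = """\
n4u.server.interfaces=10.2.2.20@524
n4u.base.tree-name=EXAMPLE_TREE
"""


def parse_kv(text):
    """Parse key=value lines; blank lines and # comments are ignored."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def local_address(ndsconfig_out):
    """IP address from n4u.server.interfaces, without the trailing @524."""
    iface = parse_kv(ndsconfig_out).get("n4u.server.interfaces", "")
    return iface.split(",")[0].split("@")[0]


def plan_namcd_changes(namconfig_out, ndsconfig_out, local_cidr):
    """Return the namconfig commands still needed to follow the TID.

    local_cidr is the server's own subnet, e.g. "10.2.2.0/24" (an assumption:
    neither tool prints the prefix length, so the admin supplies it).
    """
    conf = parse_kv(namconfig_out)
    local_ip = local_address(ndsconfig_out)
    subnet = ipaddress.ip_network(local_cidr, strict=False)
    cmds = []

    preferred = conf.get("preferred-server", "")
    try:
        on_local_subnet = ipaddress.ip_address(preferred) in subnet
    except ValueError:
        # empty or a host name: not resolved here, so re-point it at the local IP
        on_local_subnet = False
    if not on_local_subnet:
        cmds += [
            f"namconfig set preferred-server={local_ip}",
            "namconfig -k",
            "namconfig cache_refresh",
        ]
    if conf.get("persistent-search", "").lower() != "no":
        cmds.append("namconfig set persistent-search=no")
    if conf.get("cache-only", "").lower() != "yes":
        cmds.append("namconfig set cache-only=yes")
    return cmds


if __name__ == "__main__":
    for cmd in plan_namcd_changes(SAMPLE_NAMCONFIG_GET, SAMPLE_NDSCONFIG_GET, "10.2.2.0/24"):
        print(cmd)
```

Only namconfig cache_refresh restarts namcd, so when the helper emits the persistent-search or cache-only commands without the preferred-server sequence, namcd still has to be restarted by hand as the TID says.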

NSS:

NSS must be tuned to the requirements of the environment it is used in, but the following tunings are worth considering:

– Increase the NSS IDCacheSize to 128K, this can be accomplished by executing, as root:

nsscon /idcachesize=131072

– Disable the Access Time by executing the following line as root:

nsscon /noatime=[volume name]

– From OES2SP2 onwards the Unplugalways parameter has a default value set to “off”. If this is not the case, disable it by executing as root:

nsscon /nounplugalways

More details can be found in “UnplugAlways Command for the Read Queue” in “Cache Management Commands” of the “NSS Commands” section in the OES2015 Documentation.


To make these tunings persistent they must be added to /etc/opt/novell/nss/nssstart.cfg (by default they are not there). Take care to make no typos in this file, as a bad entry can cause novell-nss to fail to start.

Make sure that every uncommented entry in this file starts with "/" and not with "nss /".
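A validator for those entries, added here as an example and not taken from the TID: it applies the rule above to a constructed nssstart.cfg and also reports which of the three recommended tunings from this section are missing. The sample file contents are constructed; the option names are the ones used above, compared case-insensitively (an assumption).

```python
import re

# Constructed sample of /etc/opt/novell/nss/nssstart.cfg; not from a real server.
# The three recommended tunings are mixed with two lines that would break startup.
SAMPLE_NSSSTART_CFG = """\
# NSS startup options, one per line
/IDCacheSize=131072
/noatime=DATA
nss /nounplugalways
/noatime=
"""

# Tunings the TID recommends, keyed by option name in lower case;
# None means any value is acceptable.
RECOMMENDED = {"idcachesize": "131072", "noatime": None, "nounplugalways": None}

OPTION_RE = re.compile(r"^/([A-Za-z]+)(?:=(.*))?$")


def check_nssstart_cfg(text):
    """Return (problems, present).

    problems: list of (line_number, reason) for entries novell-nss would choke on.
    present:  set of recommended option names found in the file.
    """
    problems = []
    present = set()
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # comments and blank lines are fine
        if line.lower().startswith("nss /"):
            problems.append((no, "drop the 'nss ' prefix; entries must start with '/'"))
            continue
        m = OPTION_RE.match(line)
        if not m:
            problems.append((no, "entry does not start with '/' or has stray characters"))
            continue
        name, value = m.group(1).lower(), m.group(2)
        if value == "":
            problems.append((no, f"/{name}= has no value"))
            continue
        if name in RECOMMENDED:
            expected = RECOMMENDED[name]
            if expected is not None and value != expected:
                problems.append((no, f"/{name} is {value}, TID recommends {expected}"))
            present.add(name)
    return problems, present


def missing_recommended(present):
    """Recommended tunings that are not in the file at all."""
    return sorted(set(RECOMMENDED) - present)


if __name__ == "__main__":
    problems, present = check_nssstart_cfg(SAMPLE_NSSSTART_CFG)
    for no, reason in problems:
        print(f"line {no}: {reason}")
    print("missing:", missing_recommended(present))
```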

Using nssmu, launched as root, increase the “read ahead blocks” for all nss volumes from the default value of 16 to 64.

If over time this appears to be insufficient, this can be increased to 128. It is not really recommended to go beyond this value, as it may have a negative impact on the performance.

This change is activated “on the fly”, and does not require a server restart.
Further information on tuning NSS performance can be found in "Tuning NSS Performance" in the "NSS File System Administration Guide for Linux" of the OES2015 Documentation.

During the lifespan of an NSS volume it is recommended to preserve at least 10% to 20% free space. Purgeable (salvageable) space is not the same as true free disk space.

Once a volume drops below these thresholds and there is insufficient true free space to write data, a background process starts calculating which deleted data is the oldest and can be purged to make room for the new data. When there is a large amount of purgeable data, nearly no true free space and a lot of data being written, this calculation turns into a thread that causes continuous I/O, performance degradation and other unwanted phenomena, up to data corruption or loss.

For this reason it is recommended for NSS volumes hosting services with a high usage of temporary files to mark either the folders used for temporary storage or the volume as “purge immediate”, basically disabling salvage for those directories or the volume.

When a volume passes these thresholds it is recommended to either expand the pool and volume or delete obsolete data; as a temporary measure the volume can be purged manually.

This can be accomplished by executing the following command as root:

ncpcon purge volume [volume name]

However, as storage areas have grown into the terabytes (TB), keeping 20% free space may be more than necessary.

In case the NSS Pool size is in the TBs or larger, it might be worthwhile to consider lowering the PoolHighWaterMark and PoolLowWaterMark that is used for these large NSS Pools.

More details on this can be found in the “Salvage and Purge Commands” of the OES2015 documentation

After adjusting PoolHighWaterMark and PoolLowWaterMark the server behaves exactly as before once free space drops below the marks; only the point at which that happens changes.

SMS (tsafs / backup)

In case you are suffering from slow performing back-up, or regressing back-up speed, the documentation for optimizing sms on OES2015 can be found in “Optimizing SMS” in the “Storage Management Services Administration Guide for Linux” of the OES2015 Documentation.

NCS:

In a cluster environment, where a single OES2015 server might be hosting several NSS, NSSforAD, NCP and CIFS volumes at once, it is recommended to use lower cache values compared to a standalone OES2015 server.

The OES2015 cluster node must be able to handle the cache and memory requests when it is hosting all cluster resources at once.

All the previous steps should also address most issues seen with OES2015 servers running Novell Cluster Services and their cluster-enabled resources.

Nonetheless, if you are suffering from random split brains without a physical cause (LAN or SAN outage), it is advisable to investigate whether there are time jumps (backward or forward) caused by the CPU clock. Clock jumps can occur on physical as well as virtual CPUs.

In some cases where Novell Cluster Services does not start properly at boot, it is recommended to edit /etc/sysconfig/boot so it reads RUN_PARALLEL="no".

This allows the Novell services to start in their proper sequence and is the default on OES2015.




PKI (Certificate Server):

During the installation of any OES server, a couple default Server Certificates are generated.

These are by default valid for 2 years. After this period, when the certificates expire the server and all servers that use the server as LDAP source will no longer be able to access the required eDirectory information and all services that rely on it will fail.

Therefore it is recommended to validate the Default Server Certificates as one of the troubleshooting steps when some or all services of a particular server fail. If the failing server uses a different server as preferred-server or LDAP source, that server's Default Certificate material should be checked too.

The LDAP servers a server may be using are listed under /etc/sysconfig/novell/ldap_servers/, though it is recommended to also check each service to determine which LDAP server it actually uses, as they may differ.

A method of validating the Default Certificates of a server is via iManager.

This can be accomplished under the “Novell Certificate Access”, the “Server Certificates” task.

If one or more certificates is deemed invalid, the next step would be to repair these.

This task can be accomplished under “Novell Certificate Server”, the “Repair Default Certificates” task.

More details on this can be found in TID 7000075 “SSL Certificates expire after two years, affecting OES Services”


In case the LDAP server being used is a Novell NetWare server, these tasks can also be accomplished using the pkidiag.nlm


After the certificates have been replaced or repaired, restart at least ndsd (rcndsd restart) so the server uses the new certificate for its LDAPS communication, and run namconfig -k to update the certificate that namcd uses.
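A command-line check of the certificate a server actually presents on LDAPS, added as an example that is not from the TID (iManager remains the documented method). It uses the standard openssl s_client and openssl x509 -enddate commands plus a small parser for the notAfter line; the 30-day warning threshold and the host name are assumptions.

```python
import subprocess
from datetime import datetime, timedelta, timezone

WARN_DAYS = 30  # assumption: warn when less than a month of validity is left


def parse_enddate(enddate_line):
    """Parse the 'notAfter=Jun  3 09:41:00 2021 GMT' line from openssl x509 -enddate."""
    _, _, stamp = enddate_line.strip().partition("=")
    stamp = " ".join(stamp.split())  # openssl pads single-digit days with two spaces
    return datetime.strptime(stamp, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)


def _now(now):
    # now may be None (current time) or an ISO date such as "2021-05-01"
    if now is None:
        return datetime.now(timezone.utc)
    return datetime.fromisoformat(now).replace(tzinfo=timezone.utc)


def days_remaining(enddate_line, now=None):
    return (parse_enddate(enddate_line) - _now(now)) / timedelta(days=1)


def classify(enddate_line, now=None, warn_days=WARN_DAYS):
    """'expired', 'expiring' (less than warn_days left) or 'ok'."""
    left = days_remaining(enddate_line, now)
    if left < 0:
        return "expired"
    if left < warn_days:
        return "expiring"
    return "ok"


def check_ldaps_cert(host, port=636):
    """Fetch the certificate the server presents on LDAPS and classify it.

    Needs the openssl binary on PATH. The host is whichever server the failing
    service uses as its LDAP source (see /etc/sysconfig/novell/ldap_servers/).
    """
    pem = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}"],
        input=b"", capture_output=True, check=True,
    ).stdout
    enddate = subprocess.run(
        ["openssl", "x509", "-noout", "-enddate"],
        input=pem, capture_output=True, check=True,
    ).stdout.decode()
    return classify(enddate), enddate.strip()


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "ldap.example.com"  # assumed host name
    print(check_ldaps_cert(host))
```

Run it against the server named in preferred-server as well as against the local server; a result of "expired" on either explains the failure pattern described above.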


A more sustainable option might be to enable “Self-Provisioning” for the Certificate Authority (CA) of the tree.

This feature is described here in the Novell Documentation.

Enabling this for the CA of the tree, this feature is enabled for all servers in the tree that use this CA.

As soon as the server or its ndsd is restarted it will be aware that "Server Self Provisioning" is enabled.

With this feature enabled, the certificates that are expired or about to be expired are extended automatically when executing either:

ndstrace

unload pkiserver

load pkiserver

or

rcndsd restart


Anti-Virus scanners:

When an Anti-Virus suite is installed, try to avoid the usage of “on access” scanning, as this can create a severe overhead.

The Anti-Virus suite, running either locally or remotely, should be excluded from scanning system crucial directories like the ._NETWARE of all NCP exported filesystems (both NSS and POSIX), /_admin and the Linux System directories.

In case Novell Cluster services is installed, /admin should also be excluded from being scanned by the anti-virus.

In case Novell GroupWise is installed, all repository and queue directories should be excluded from anti-virus scanning as well. GroupWise stores its information in encrypted form, so scanning the physical files on disk is useless and can even cause severe problems such as file locking or corruption.

There are several Anti-Virus suites that can scan inside the Novell GroupWise mail storage and / or incoming e-mail.

Related:

Upgrading OE on Unity that is configured for file services only

it depends what you understand as “disrupt connectivity”

a reboot – no matter how fast – will always be kind of disruptive on the lower levels

and a client will have to at least re-establish the TCP connection

The question is more how much of that is visible to the client OS and application

NFS clients using default hard mounts will just see a pause in I/O but no error to applications

The OS and protocol stack will of course re-establish the connection, recover locks, ….

for CIFS clients it depends on the application and OS

Windows itself will automatically reconnect

cluster-aware applications that retry internally should be OK

simple applications like copying files via explorer.exe can stop and show a “Try again” dialog

For those applications that really require transparent failover, like SharePoint or Hyper-V over SMB shares, you can enable SMB CA (Continuous Availability) per share

then they will also just pause and resume I/O similar to NFS

See the NAS white paper and Microsoft details about CA in SMB3

Why don't you just try it?

all an upgrade is doing is an SP reboot, which you can easily do even from the GUI

If you don't want to use your hardware Unity, a VSA will show the same behaviour

Related:

Re: Re: unity migration vdm,usermapper,multiprotocol questions

castleknock wrote:

This differs from VNX behaviour, as secmap created a local UID reference to 'hide' the lack of a Unix account rather than simply deny SMB access. Is this a correct read? And if so, it explains the lack of any references to secmap import during VNX migration.

the difference isn't in secmap

secmap is not a mapping method; it's merely a cache so that we don't have to make repeated calls to the external mapping source, which can take time

The difference is with usermapper

usermapper was only ever meant as a mapping method for CIFS-only file systems, but on VNX/Celerra this wasn't enforced.

The manuals told you clearly to disable usermapper if you are doing multi-protocol, but many customers didn't do that, either because they didn't know or out of convenience

So they are using a config where some users were mapped through AD/NIS/ntxmap and the ones that couldn't be got a UID from usermapper

In Unity we improved this:

usermapper is per NAS server – and not globally per data mover

by default usermapper is disabled for multi-protocol NAS server

instead we add options for a default Unix/Windows user that get used if AD/NIS/ntxmap are unable to map the user, which didn't exist in VNX/Celerra

So if you use the default on a multi-protocol NAS server and we cannot map a user then access is denied

You can then either:

– make sure this user is covered by the mapping sources

– configure the default Unix user

– enable automatic user mapping (usermapper)

this is explained in detail with flowcharts in the multi-protocol manual that I mentioned

keep in mind though that just enabling usermapper like on VNX is convenient, but it also makes changes and troubleshooting more difficult

This is because secmap entries never expire or get updated

For example if a user connects to a NAS server before you have configured its account in AD/NIS/ntxmap mappings he will get a UID from usermapper

Then if later the admin adds the account to AD/NIS/ntxmap this account will still use the uid from usermapper for this NAS server but on a new NAS server the uid from the mapping source

Also, since usermapper is now per NAS server, the same user will get different UIDs on different NAS servers

bottom line – if you want full multi-protocol then use a deterministic mapping method and not usermapper

Related:

Dell EMC Unity CIFS server is inaccessible due to error “No Response from KDC” (Dell EMC Correctable)

Article Number: 524955 Article Version: 2 Article Type: Break Fix



VNX1 Series,VNX2 Series,Dell EMC Unity Family

  • The CIFS server on Unity is not accessible.

    The Unity log /EMC/C4Core/log/c4_safe_ktrace.log shows errors like the following:

2018/08/20-15:48:29.177142 10 7FF16C907703 sade:KERBEROS: 4:[VDM] WARNING: no response from KDC xx.xx.xx.xx

2018/08/20-15:48:29.532994 5540 7FF16C96D705 sade:SMB: 4:[VDM] Unsupported authentication mode: authMethod:4, kerberosSupport:1, negoMethod:0

2018/08/20-15:48:29.533033 40 7FF16C96D705 sade:SMB: 3:[VDM] OpenAndBind[NETLOGON] DC=xxx failed: Bind_OpenXFailed NO_SUCH_PACKAGE

2018/08/20-15:48:29.533042 10 7FF16C96D705 sade:SMB: 3:[VDM] Can't open NETLOGON file for DC=xxx

2018/08/20-15:48:29.760148 6 7FF16C96D703 sade:KERBEROS: 3:[VDM] krb5_sendto_kdc: udp RecvFromStream from addr xx.xx.xx.xx failed 91

  • The Unity EMCSystemLogFile.log shows errors like:

"2018-08-20T15:50:53.588Z" "xxx_spa" "Kittyhawk_safe" "356" "unix/spa/root" "WARN" "13:10380008" :: "For the NAS server xxx in the domain xxx, the DC xxx has the following error: compname xxx DC=xxx Step='Logon IPC$' get Kerberos credential failed, gssError=Miscellaneous failure. Cannot contact any KDC for requested realm. . compname xxx DC=xxx Step='Open NETLOGON Secure Channel' ' ' 'DC cannot open NETLOGON pipe: status=DOMAIN_CONTROLLER_NOT_FOUND '. " :: Category=Audit Component=DART_SMB

For some reason (typically a firewall or MTU setting) the Kerberos reply from the Domain Controller never reaches the Data Mover/SP interface over UDP: the network trace shows the TGS-REQ but no TGS-REP. A TGS-REP carrying a large PAC (a user with many group memberships) is a common trigger, because the UDP reply is fragmented or exceeds the UDP size limit and gets dropped, whereas TCP is unaffected.


Force the NAS server (on Unity, the NAS server hosted on a storage processor; on VNX, the Data Mover) to use TCP instead of UDP for the Kerberos TGS-REQ.

For Unity:

/nas/bin/server_param ALL -f security -m kerbTcpProtocol -v 1

For VNX:

server_param server_x -f security -m kerbTcpProtocol -v 1

This change takes effect immediately, no reboot is required.

[If issue was for a VNX filer] the server_log shows errors below:

2018-08-14 12:16:04: SMB: 6:[xxx] DC0x034134c008: setDCDown DC, refresh if needed (origin=ntStatus_DisconnectDC_onClose)

2018-08-14 12:16:05: KERBEROS: 4:[xxx] WARNING: no response from KDC xx.xx.xx.xx

2018-08-14 12:16:05: SMB: 3:[xxx] Thrd=2SMB334 KC_buildKrbCred Cannot create context for 'CIFS/xxxx@xxxx.xxx' failed, error='Miscellaneous failure. Cannot contact any KDC for requested realm. ' (0xd0000,-1765328228)

2018-08-14 12:16:05: SMB: 3:[xxx] DC_GetBlob Srv=xxx Svc=CIFS@xxsx.xxx 'Miscellaneous failure. Cannot contact any KDC for requested realm. '

2018-08-14 12:16:05: SMB: 3:[xxx] Open&Bind(lsarpc): No reply from DC=xxx DCStatus=27/ACCESS_DENIED Ems=Bind_CreateXFailed

Related:

Dell EMC Unity: CIFS server is in Degraded mode and not fully functioning (Customer Correctable)

Article Number: 524889 Article Version: 2 Article Type: Break Fix



Dell EMC Unity Family

The CIFS server is in Degraded mode and not fully functioning.

1. The Security tab of file properties shows SID instead of names.

2. The CIFS server may become inaccessible.

3. /EMC/C4Core/log/c4_safe_ktrace.log shows errors like the ones below:

2018/08/16-20:53:04.961645 41K 7F1390BE9709 sade:KERBEROS: 3:[vdm] acquire_accept_cred: Failed to get keytab entry for principal CIFS/xxx.xxx

2018/08/16-20:53:04.961648 ~~~~ 7F1390BE9709 sade:KERBEROS: 3:[vdm] xx.xxx@xx.xxx - error No principal in keytab matches desired name (39756033)

2018/08/16-20:53:05.477279 ~~~~ 7F1390BE9709 sade:SMB: 4:[vdm] Unsupported authentication mode: authMethod:4, kerberosSupport:1, negoMethod:0

The Host (A) record in DNS does not match the computer name of the CIFS server, and the name on the A record was not added to the keytab or SPN list. A client that resolves a CNAME builds its Kerberos SPN from the canonical (A record) name, so it requests a ticket for cifs/example_alias, a principal the CIFS server has no key for. For example, the computer name of the CIFS server is "example.dell.com", but DNS is configured like this:

Name           Type           Data
example_alias  Host (A)       5.6.7.8
example        Alias (CNAME)  example_alias.dell.com

In the output of “/nas/bin/server_cifs <vdm> -setspn -list -compname <comp_name>”, there is no SPN called “example_alias”.

There are two options:

Option 1. Make sure the Host (A) record carries the computer name of the CIFS server. If users want to access it via other names, configure those as Alias (CNAME) records:

Name           Type           Data
example        Host (A)       5.6.7.8
example_alias  Alias (CNAME)  example.dell.com

Option 2. Run “/nas/bin/server_cifs <vdm> -setspn -add <SPN> -compname <comp_name> -domain <full_domain_name> -admin <admin_name>” to add the Host (A) entry in SPN.
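How the mismatch arises, as an added example that is not part of the article: a Python helper that follows the CNAME chain the way the client does before building its Kerberos SPN, then checks the resulting SPN against the list that server_cifs -setspn -list would show. Both DNS layouts are the article's; the SPN list contents and the function names are assumptions.

```python
# Constructed DNS data and SPN list for illustration; not from a real domain.
# The two record layouts are the ones shown in the article.
MISCONFIGURED_DNS = {
    "example_alias.dell.com": ("A", "5.6.7.8"),
    "example.dell.com": ("CNAME", "example_alias.dell.com"),
}
CORRECTED_DNS = {
    "example.dell.com": ("A", "5.6.7.8"),
    "example_alias.dell.com": ("CNAME", "example.dell.com"),
}
# Assumed result of "server_cifs <vdm> -setspn -list": only the computer name's SPNs.
KEYTAB_SPNS = {"cifs/example.dell.com", "cifs/EXAMPLE", "HOST/example.dell.com", "HOST/EXAMPLE"}


def canonical_name(name, dns, max_hops=8):
    """Follow CNAME records down to the A record the client will connect to."""
    seen = set()
    name = name.lower()
    for _ in range(max_hops):
        rtype, data = dns.get(name, (None, None))
        if rtype != "CNAME":
            return name
        if name in seen:
            raise ValueError(f"CNAME loop at {name}")
        seen.add(name)
        name = data.lower()
    raise ValueError("too many CNAME hops")


def requested_spn(target, dns, canonicalize=True):
    """SPN the client asks the KDC for: cifs/<canonical A name> when the client
    canonicalizes CNAMEs, which is the behaviour the article describes."""
    host = canonical_name(target, dns) if canonicalize else target.lower()
    return f"cifs/{host}"


def spn_check(target, dns, spns):
    """Return (spn, ok, fix); ok is True when the CIFS server holds a key for spn."""
    spn = requested_spn(target, dns)
    if spn in {s.lower() for s in spns}:
        return spn, True, None
    alias_host = spn.split("/", 1)[1]
    fix = (f"either add the SPN for {alias_host} with server_cifs -setspn -add, "
           "or move the A record to the computer name and make the alias a CNAME")
    return spn, False, fix


if __name__ == "__main__":
    for label, dns in (("misconfigured", MISCONFIGURED_DNS), ("corrected", CORRECTED_DNS)):
        print(label, spn_check("example.dell.com", dns, KEYTAB_SPNS))
```

With the corrected layout both names end at cifs/example.dell.com, which is why Option 1 works without touching the keytab; Option 2 instead adds the alias principal so the misconfigured layout can stay.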

Related:

Dell EMC Unity: Common CAVA Errors (User Correctable)

Article Number: 524675 Article Version: 3 Article Type: Break Fix



Dell EMC Unity Family,Dell EMC Unity 300,Dell EMC Unity 300F,Dell EMC Unity 350F,Dell EMC Unity 400,Dell EMC Unity 400F,Dell EMC Unity 450F,Dell EMC Unity 500,Dell EMC Unity 500F,Dell EMC Unity 550F,Dell EMC Unity 600,Dell EMC Unity 600F

Common Errors, Causes and Actions

Error: AUTH_ERROR 5

server_X :

10 threads started.

1 Checker IP Address(es): xx.xxx.xxx.xx AUTH_ERROR 5 at Wed Feb 29 13:23:03 2012 (GMT-00:00)

MS-RPC over SMB, CAVA version: 4.9.3.0, ntStatus: SUCCESS

AV Engine: Symantec AV

Server Name: cava.example.com

Last time signature updated: Wed Feb 29 13:20:23 2012 (GMT-00:00)

Cause: The account being used for checking does not have the virus checking privilege assigned to it.

Actions: Ensure that the CAVA service in services.msc is set to logon as a user and not a local system account.

_____________________________________________________________________________________________________________________________________________________________

Error: ERROR_AUTH 64

server_X :

10 threads started.

1 Checker IP Address(es): xx.xxx.xxx.xx ERROR_AUTH 64 at Wed Feb 29 13:23:03 2012 (GMT-00:00)

MS-RPC over SMB, CAVA version: 4.9.3.0, ntStatus: SUCCESS

AV Engine: Symantec AV

Server Name: cava.example.com

Last time signature updated: Wed Feb 29 13:20:23 2012 (GMT-00:00)

Cause: Kerberos error caused by out of sync ‘Time’ between the Data Mover and Anti-Virus Server

Action: Implement NTP or sync ‘Time’ manually.

_____________________________________________________________________________________________________________________________________________________________

Error: AUTH_ERROR 86

server_X :

10 threads started.

1 Checker IP Address(es): xx.xxx.xxx.xx AUTH_ERROR 86 at Wed Feb 29 13:23:03 2012 (GMT-00:00)

MS-RPC over SMB, CAVA version: 4.9.3.0, ntStatus: SUCCESS

AV Engine: Symantec AV

Server Name: cava.example.com

Last time signature updated: Wed Feb 29 13:20:23 2012 (GMT-00:00)

Cause: Password mismatch between the CAVA service logon and the user's password in AD, e.g. the password expired and was changed, but the CAVA service was not updated.

Action: Right-click the EMC CAVA service in services.msc > Properties > Log On tab > update the user password to match AD.

_____________________________________________________________________________________________________________________________________________________________

Error: AUTH_ERROR 1265

server_X :

10 threads started.

1 Checker IP Address(es): xx.xxx.xxx.xx AUTH_ERROR 1265 at Wed Feb 29 13:23:03 2012 (GMT-00:00)

MS-RPC over SMB, CAVA version: 4.9.3.0, ntStatus: SUCCESS

AV Engine: Symantec AV

Server Name: cava.example.com

Last time signature updated: Wed Feb 29 13:20:23 2012 (GMT-00:00)

Cause: The user account that CAVA uses has expired in AD and can no longer log on to the server with those credentials. Note that Win32 error 1265 is ERROR_DOWNGRADE_DETECTED ("the system cannot contact a domain controller to service the authentication request"); an expired account proper returns 1793 (ERROR_ACCOUNT_EXPIRED). If 1265 persists after the account is fixed, check domain controller reachability from the CAVA server as well.

Action: Unlock the account, set it to never expire and try again.

_____________________________________________________________________________________________________________________________________________________________

Error: ERROR_AUTH 1326

server_X :

10 threads started.

1 Checker IP Address(es): xx.xxx.xxx.xx ERROR_AUTH 1326 at Wed Feb 29 13:23:03 2012 (GMT-00:00)

MS-RPC over SMB, CAVA version: 4.9.3.0, ntStatus: SUCCESS

AV Engine: Symantec AV

Server Name: cava.example.com

Last time signature updated: Wed Feb 29 13:20:23 2012 (GMT-00:00)

Cause: Password for the account running CAVA has expired.

Action: Reset the password and set it to never expire. Make any changes to CAVA service as required.

_____________________________________________________________________________________________________________________________________________________________

Error: AUTH_ERROR 1331

server_X :

10 threads started.

1 Checker IP Address(es): xx.xxx.xxx.xx AUTH_ERROR 1331 at Wed Feb 29 13:23:03 2012 (GMT-00:00)

MS-RPC over SMB, CAVA version: 4.9.3.0, ntStatus: SUCCESS

AV Engine: Symantec AV

Server Name: cava.example.com

Last time signature updated: Wed Feb 29 13:20:23 2012 (GMT-00:00)

Cause: The user account for CAVA has been disabled in AD or is only allowed to logon during certain hours.

Action: Re-enable account and remove any logon restrictions in AD.

_____________________________________________________________________________________________________________________________________________________________

Error: AUTH_ERROR 1909

server_X :

10 threads started.

1 Checker IP Address(es): xx.xxx.xxx.xx AUTH_ERROR 1909 at Wed Feb 29 13:23:03 2012 (GMT-00:00)

MS-RPC over SMB, CAVA version: 4.9.3.0, ntStatus: SUCCESS

AV Engine: Symantec AV

Server Name: cava.example.com

Last time signature updated: Wed Feb 29 13:20:23 2012 (GMT-00:00)

Cause: User account locked due to too many invalid login attempts.

Action: Unlock account/reset password. Make any changes to CAVA service as required.

_____________________________________________________________________________________________________________________________________________________________

Error: AV_NOT_FOUND

1533198284: VC: 5: xx.xxx.xxx.xx AV_NOT_FOUND at Thu Aug 2 08:24:39 2018 (GMT-00:00)

1533198284: VC: 5: HTTP, CAVA version: 8.5.1.0

1533198284: VC: 5: AV Engine: Unknown third party antivirus software

1533198284: VC: 5: Server Name: xx.xxx.xxx.xx

Cause:

AV_NOT_FOUND indicates that the viruschecking service on the VDM cannot communicate with the CAVA client on the AV server.

The AV user must have local administrative rights on each AV server for CAVA and the viruschecking service on the Data Mover to start successfully.

A failing "OpenProcess" call usually indicates that the "EMC CAVA" service runs in a user context that has not been given local admin rights on the system, or that the group is missing some rights. In particular the CAVA facility needs the "SeDebug" right (Debug programs) to track the state of the AV engines; the CAVA account only gets it through membership of the local Administrators group.

Action:

Please follow:

  1. Recommended Troubleshoot for AV_NOT_FOUND at the Resolution Section, in this article.
  2. Document “Using the Common Event Enabler on Windows Platforms“:
  • Restricted Group GPO – page 13
  • Assign rights – page 23

Background Explanation

  • The Active Directory (AD) Domain Controller (DC) does not allow anonymous access for the CIFS server machine account, which NTLM pass-through authentication with machine accounts relies on.
  • Other DCs in the environment may allow anonymous access for the CAVA user via the CIFS server machine account.
  • The authentication method between the Virtual Data Mover (VDM) and the DC is NTLM (Microsoft), although Kerberos could also be used.
  • The DC should allow anonymous access as part of establishing the secure channel between the VDM and the DC.
  • The other option is to configure the AV servers to use Kerberos authentication instead of NTLM.

Background Events

  • The AV servers are not being authenticated by the AD DC.
  • The VDM logs an error whenever authentication to the DC fails for the Viruschecker domain user.
  • With NTLM authentication the VDM must forward the user's credentials to a Domain Controller (pass-through authentication) using the DCERPC NetrLogonSamLogon call, asking it to authenticate the user.
  • The Data Mover uses the computer account of the CIFS server for the DCERPC NetrLogonSamLogon call.
  • The DC treats access with the computer account as equivalent to anonymous access.
  • This can be seen in a network trace when the Data Mover sends the pass-through authentication to the DCs.

Recommended Troubleshoot for ERROR_AUTH:

  • Confirm the domain CAVA user has sufficient rights, which means, it’s correctly added to the local CAVA group on the Data Mover and assigned the EMC Virus-Checking privilege.
  • For details on the correct configuration, visit our Support Page at https://www.dell.com/support and look for “Using the Common Event Enabler on Windows Platforms”.
  • For more information, consult the Microsoft Developer Network at https://msdn.microsoft.com for the complete list of Microsoft system error codes.
  • In that list, look for the numerical code that follows the “ERROR_AUTH” message and check its definition.

_____________________________________________________________________________________________________________________________________________________________

Recommended Troubleshoot for AV_NOT_FOUND:

  • Confirm viruschecker.conf settings.
  • Confirm The CAVA service is running with the AV user account.
  • Confirm the installed Anti-Virus (TrendMicro, McAfee, others) service is running with the local system account.
  • Confirm the AV user is member of the local admin group on each AV server.
  • Confirm that the anti-virus product and CEE have been uninstalled and reinstalled in the correct order (CEE first, then the anti-virus).
  • Reboot the CAVA server (more than once if needed).
  • Confirm that the CAVA servers have only one network interface.

If you are unable to resolve AV_NOT_FOUND, the next step is to contact Dell EMC Technical Support or your Authorized Service Representative and quote this Knowledgebase article ID.
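A parser for the checker status blocks shown in this article, added as an example that is not from the article: it extracts the checker address, state and numeric code, names the Win32 error behind each code listed above (taken from Microsoft's system error code list, as the troubleshooting bullets suggest), and flags stale signatures. The status block, address and timestamps are constructed; the signature-age threshold is an assumption.

```python
import re
from datetime import datetime, timezone

# Win32 names for the codes in the article (Microsoft system error code list);
# the cause/action text for each remains the article's.
WIN32_NAMES = {
    5: "ERROR_ACCESS_DENIED",
    64: "ERROR_NETNAME_DELETED",
    86: "ERROR_INVALID_PASSWORD",
    1265: "ERROR_DOWNGRADE_DETECTED",
    1326: "ERROR_LOGON_FAILURE",
    1331: "ERROR_ACCOUNT_DISABLED",
    1909: "ERROR_ACCOUNT_LOCKED_OUT",
}

# Constructed status block in the layout shown above; address and times invented.
SAMPLE_STATUS = """\
server_2 :
10 threads started.
1 Checker IP Address(es): 10.20.30.40 AUTH_ERROR 1909 at Wed Feb 29 13:23:03 2012 (GMT-00:00)
MS-RPC over SMB, CAVA version: 4.9.3.0, ntStatus: SUCCESS
AV Engine: Symantec AV
Server Name: cava.example.com
Last time signature updated: Wed Feb 15 13:20:23 2012 (GMT-00:00)
"""

CHECKER_RE = re.compile(
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<state>[A-Z_]+)(?:\s+(?P<code>\d+))?"
    r"\s+at\s+(?P<when>.+?)\s+\(GMT"
)
SIG_RE = re.compile(r"Last time signature updated:\s*(?P<when>.+?)\s+\(GMT")


def _parse_when(text):
    """'Wed Feb 29 13:23:03 2012' -> aware datetime (weekday dropped, GMT assumed)."""
    parts = text.split()
    if len(parts) == 5:  # leading weekday name
        parts = parts[1:]
    return datetime.strptime(" ".join(parts), "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def parse_status(text):
    """Extract checker address, state, numeric code and the two timestamps."""
    rec = {"ip": None, "state": None, "code": None, "checked_at": None, "signature_at": None}
    m = CHECKER_RE.search(text)
    if m:
        rec.update(ip=m["ip"], state=m["state"],
                   code=int(m["code"]) if m["code"] else None,
                   checked_at=_parse_when(m["when"]))
    s = SIG_RE.search(text)
    if s:
        rec["signature_at"] = _parse_when(s["when"])
    return rec


def triage(text, now=None, max_sig_age_days=7):
    """Return (record, findings); now is an ISO date string, or None for today."""
    rec = parse_status(text)
    findings = []
    if rec["state"] in ("AUTH_ERROR", "ERROR_AUTH"):
        name = WIN32_NAMES.get(rec["code"], "not in the article's table")
        findings.append(f"{rec['state']} {rec['code']} ({name}) for checker {rec['ip']}")
    elif rec["state"] == "AV_NOT_FOUND":
        findings.append(f"AV_NOT_FOUND: viruschecking on the VDM cannot reach the CAVA client at {rec['ip']}")
    if rec["signature_at"] is not None:
        ref = datetime.fromisoformat(now).replace(tzinfo=timezone.utc) if now else datetime.now(timezone.utc)
        age = (ref - rec["signature_at"]).days
        if age > max_sig_age_days:
            findings.append(f"AV signatures are {age} days old (threshold {max_sig_age_days})")
    return rec, findings


if __name__ == "__main__":
    for line in triage(SAMPLE_STATUS, now="2012-03-01")[1]:
        print(line)
```

The Win32 name is the quickest cross-check on the article's cause text: a 1909 is a lockout regardless of what the CAVA service properties show, while a 1265 points at domain controller reachability rather than at the account itself.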

Related: