I found a very odd behavior in our NetBackup environment.
Every now and then the NBConsole.exe tries to establish an smb/cifs connection to two of our AIX Hosts. Here is a snippet from the NTLM log on the master server:
NTLM client blocked audit: Audit outgoing NTLM authentication traffic that would be blocked.
Target server: cifs/<AIX server hostname>
Supplied user: (NULL)
Supplied domain: (NULL)
PID of client process: 4076
Name of client process: C:\Program Files\Veritas\NetBackup\bin\NBConsole.EXE
LUID of client process: 0x73b75
User identity of client process: <my admin account>
Domain name of user identity of client process: <domain name>
Mechanism OID: (NULL)
Audit the NTLM authentication requests from this computer that would be blocked by the target server cifs/<AIX server hostname> if the security policy Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers is set to Deny all.
What is that?
On top of that the samba server on the AIX host tries to authenticate the request with the domain controlelrs, and gets a NT_STATUS_LOGON_FAILURE.
So if this happens more than 5 times in 5 minutes my admin accounts gets locked out from the domain, that happesn every couple of month and it took us weeks to break down this behavior to the netbackup master server.
The AIX server is a media server with a couple aof LTO5 adrives connected and hosts a couple of SAP/DB2 systems, all backups are running fine for the host.