I have a strange problem that may be urgent, so I hope someone can help.
I upgraded our OES Netware SP1 box to SP2 last week. Twice this week, my
user account with some netware admin priveleges was locked out at odd
times (after the first time, I immediately demoted my account to regular
user). I was already logged in with no problem and had locked the XP
workstation to step out for few minutes. When I came back and tried to
unlock the ws, I got the message that my account had been locked due to
password guessing. I had not entered the password incorrectly at all on
the days the lockouts occurred. The failed logins log in remote manager
show the server IP address, so the attempts were made on one of the web
services like Netstorage, imanager or remote manager. The apache logs
don't show much. One entry in the error log looks like this:

[Sat May 20 18:38:26 2006] [error] [client 66.57.x.x] (1)No such file or
directory: XTIER: client used wrong authentication scheme `(null)':

I blanked out the last 2 octets of the client IP above, but it's a road
runner IP. I have confirmed some of the addresses as being legitimate
home users. Before I start hunting down some of the others, I have some

1. Is this related to the SP upgrade? In other words, is there some new
legitimate process that might be running and trying to use my login? I
didn't see anything related in the list of known issues.

2. The remote manager log and only shows a few failed logins at a time,
enough to lock out the account but not enough to look like a robot or
something like that trying to hack in. The Apache log also does not show
many attempts. Does that mean I can rule out a large scale attempt in
this case, or might it be that Remote manager or Apache are not logging
all the attempts because of some configuration on my part?

3. Is there any way outside of these logs to determine where the
attempts are originating from?

Any help I can get with this issue is appreciated. I'll start an
incident with Novell if I have to, but I want to find out if I can avoid
having to do that. Thanks.