Having an issue with some process / person trying to log onto our CIFS share

using DSTRACE give me
6: Create NMAS Session
6: CheckIfLocalUser: client supplied user DN user.ou=xxxx.o=bbbb
ERROR: -601 resolveFilteredReplica: Resolving .user.ou=xxxx.o=bbbbb
ERROR: -601 dal_createUserContext: resolveFilteredReplica for user.ou=xxx.o=bbbb
ERROR: -16049 DALCreateLoginSession:createUserContext
6: ERROR: -16049 CheckIfLocalUser: DALCreateLoginSession
6: CheckIfLocalUser failed -16049
6: Client Session Destroy Request
6: Destroy NMAS Session
6: Aborted Session Destroyed (with MAF)

But doesn't tell me the source machine / process

We tried creating a user of this name to see if the intruder lockout screen would record the ip address but it does not

I've run out of ideas. Any help would be appreciated