Finding Logged In Users by IP using Samba/AD

I’ve created a neat little syslog-ng to MySQL bridge for Tremont School’s Sonicwall firewall. I wrote it in C# with some help from the Mono Users’ mailing list. Now I can create real-time reports and pretty graphs on handy data like who’s using Limewire or which sites blocked by the Sonicwall CFS are being hit.

The big missing feature is finding out who’s logged into the machine at the local IP address recorded in the log. I’m not even sure this is possible on an Active Directory network, as authentication uses Kerberos. I’m betting Microsoft exposes some sort of DCE/MSRPC feature for discovering logged-in users, similar to the Open Sessions information produced by the Computer Manager or the net command.

So far the best I can do is the Samba command nmblookup -A 192.168.0.1, which seems to return the currently logged-in user as the last row:

COMPUTER       <00> -         M
DOMAIN         <00> - <GROUP> M
COMPUTER       <03> -         M
COMPUTER       <20> -         M
DOMAIN         <1e> - <GROUP> M
USERNAME       <03> -         M

where COMPUTER = NetBIOS computer name, DOMAIN = AD domain name, and USERNAME = currently logged-in user (I think). However, using NetBIOS on an Active Directory network seems wrong, and I’m having trouble confirming the behavior of nmblookup.
My post to Samba’s mailing list has gone pretty much unanswered, which is always frustrating. Any ideas are welcome!
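The name-table semantics behind that guess are the documented NetBIOS suffixes: unique <00> and <20> entries are the workstation and server names, group <00> and <1e> entries are the domain or workgroup, and unique <03> entries are Messenger-service names, which Windows registers once for the computer and once for the interactively logged-in user. The script below is an added example (not code from the post) that runs nmblookup -A, parses the table by those rules, and reports the <03> name that is not the computer's own name as the user. The sample output it is tested against is constructed; host name WS042, domain TREMONT and user JSMITH are made-up values.

```python
"""Map an IP address to a logged-in user via the NetBIOS name table.

Added example, not the post's own code. Assumes standard NetBIOS suffix
meanings (<00>/<20> unique = computer, <00>/<1e> group = domain,
<03> unique = Messenger names for computer and logged-in user).
"""
import re
import subprocess

# Constructed sample modelled on the post's nmblookup -A output; the
# <GROUP>/<ACTIVE> tokens are what nmblookup prints on a real run.
SAMPLE = """\
Looking up status of 192.168.0.1
\tWS042          <00> -         M <ACTIVE>
\tTREMONT        <00> - <GROUP> M <ACTIVE>
\tWS042          <03> -         M <ACTIVE>
\tWS042          <20> -         M <ACTIVE>
\tTREMONT        <1e> - <GROUP> M <ACTIVE>
\tJSMITH         <03> -         M <ACTIVE>

\tMAC Address = 00-11-22-33-44-55
"""

# Constructed sample of a host with nobody logged in (only the
# computer's own <03> name is registered).
SAMPLE_NO_USER = """\
Looking up status of 192.168.0.2
\tWS043          <00> -         M <ACTIVE>
\tTREMONT        <00> - <GROUP> M <ACTIVE>
\tWS043          <03> -         M <ACTIVE>
\tWS043          <20> -         M <ACTIVE>
"""

# One name-table row: NAME <xx> - [<GROUP>] NODETYPE [<ACTIVE>]
LINE_RE = re.compile(
    r"^\s*(\S+)\s+<([0-9a-fA-F]{2})>\s+-\s+(<GROUP>)?\s*(\S)\s*(<ACTIVE>)?"
)


def parse_name_table(text):
    """Return a list of (name, suffix, is_group) tuples from nmblookup output."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2).lower(), m.group(3) is not None))
    return entries


def identify(text):
    """Classify the name table into computer, domain and logged-in user.

    'user' is None when no Messenger name other than the computer's own is
    registered: nobody is logged on interactively, or the Messenger service
    is not running (it is absent on Vista and later), so the absence of a
    user is not proof that the machine is idle.
    """
    entries = parse_name_table(text)
    computer = next((n for n, s, g in entries if s == "00" and not g), None)
    domain = next((n for n, s, g in entries if s == "00" and g), None)
    users = [n for n, s, g in entries if s == "03" and not g and n != computer]
    return {
        "computer": computer,
        "domain": domain,
        "user": users[0] if users else None,
        # Keep all extra <03> names so multiple registrations are visible.
        "all_users": users,
    }


def lookup(ip, timeout=5):
    """Query a host with Samba's nmblookup -A and classify the reply.

    NetBIOS name-status replies are unauthenticated UDP data, so treat the
    result as a hint to corroborate against domain controller logon events
    rather than as an authoritative attribution.
    """
    proc = subprocess.run(
        ["nmblookup", "-A", ip], capture_output=True, text=True, timeout=timeout
    )
    return identify(proc.stdout)


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else None
    result = lookup(target) if target else identify(SAMPLE)
    print(result)
```

Run it with an IP address to query a live host, or with no argument to see the parser applied to the constructed sample. Because the user row depends on the Messenger service registering the user's name, this only works on the XP-era hosts the post is dealing with, and because a name-status reply is unauthenticated, a log pipeline should record it as "NetBIOS says" rather than as a confirmed identity.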

This entry was posted in GNU/Linux, IT, Open Source, Technology.

2 Responses to Finding Logged In Users by IP using Samba/AD

  1. Hhhhmmm…that sounds tricky. I looked at the Samba “net” command, and while you can do a ton of stuff with it, it looks like getting the remote logged in user is not one of them. I know I did this from one Windows machine to another back at GC. It’s pretty easy in that environment, what with WMI and all.

    Since you have 500 Windows systems on your network, why not create a simple web service on one of your Win boxes that lets you query a remote logged in user? You could use XML-RPC or even just good ol’ HTTP. I don’t know how often this service would be getting queried though. If you are hitting it frequently, you could even cache the results for a short time, as long as you are willing to accept a small margin of error.

    This would be a great project to get your feet wet with Python. ;-) It has great Win32 API support, and using WMI is a breeze. For the web part, I would have to recommend CherryPy. :-D

    Ok, enough marketing. Hope you get something figured out.

    Christian

  2. Yeah, that’s kinda complicated; isn’t there a simpler way?
