Finding Logged In Users by IP using Samba/AD

  2006-11-17


I’ve created a neat little syslog-ng to MySQL bridge for Tremont School’s Sonicwall firewall. I wrote it in C# with some help from the Mono User’s mailing list. Now I can create realtime reports and pretty graphs on handy data like who’s using Limewire or what sites blocked by the Sonicwall CFS are being hit.

The big missing feature is finding out who’s logged into the machine at the local IP address recorded in the log. I’m not even sure this is possible on an Active Directory network as authentication uses Kerberos. I’m betting Microsoft exposes some sort of DCE/MSRPC feature for discovering logged in users similar to the Open Sessions information produced by the Computer Manager or net command.

So far the best I can do is the Samba nmblookup -A 192.168.0.1 command which seems to return the currently logged in user as the last row:

COMPUTER       <00> -         M
DOMAIN         <00> -  M
COMPUTER       <03> -         M
COMPUTER       <20> -         M
DOMAIN         <1e> -  M
USERNAME       <03> -         M

where COMPUTER = NetBIOS computer name, DOMAIN = AD Domain Name, and USERNAME = currently logged in user (I think). However, using NetBIOS on an Active Directory network seems wrong, and I’m having trouble confirming the behavior of nmblookup.

My post to Samba’s mailing list has gone pretty much unanswered which is always frustrating. Any ideas are welcome!