Hi,

I'm trying to figure out how to find users by IP. I'm parsing a
firewall log and would like to map internal IPs to users.

I noticed "nmblookup -A <ip>" returns interesting results:

    COMPUTER        <00> -         M <ACTIVE>
    DOMAIN          <00> - <GROUP> M <ACTIVE>
    COMPUTER        <03> -         M <ACTIVE>
    COMPUTER        <20> -         M <ACTIVE>
    DOMAIN          <1e> - <GROUP> M <ACTIVE>
    USERNAME        <03> -         M <ACTIVE>

where COMPUTER = NetBIOS computer name, DOMAIN = AD Domain Name, and
USERNAME = currently logged in user (right?).

The only problem is, how do I tell which row is the Username?

Thanks in advance!

Michael Schurter

A suggestion may be to 'set utmp = yes' in your smb.conf. So, with the
'w' command you could see the logged-on users and their IPs.

On 11/14/06, Michael Schurter <michael@susens-schurter.com> wrote:
> Hi,
>
> I'm trying to figure out how to find users by IP. I'm parsing a
> firewall log and would like to map internal IPs to users.
>
> I noticed "nmblookup -A <ip>" returns interesting results:
>
>     COMPUTER        <00> -         M <ACTIVE>
>     DOMAIN          <00> - <GROUP> M <ACTIVE>
>     COMPUTER        <03> -         M <ACTIVE>
>     COMPUTER        <20> -         M <ACTIVE>
>     DOMAIN          <1e> - <GROUP> M <ACTIVE>
>     USERNAME        <03> -         M <ACTIVE>
>
> where COMPUTER = NetBIOS computer name, DOMAIN = AD Domain Name, and
> USERNAME = currently logged in user (right?).
>
> The only problem is, how do I tell which row is the Username?
>
> Thanks in advance!
>
> Michael Schurter

--
*** Cleber P. de Souza

On Tue, 2006-11-14 at 14:41 -0600, Michael Schurter wrote:
> Hi,
>
> I'm trying to figure out how to find users by IP. I'm parsing a
> firewall log and would like to map internal IPs to users.
>
> I noticed "nmblookup -A <ip>" returns interesting results:
>
>     COMPUTER        <00> -         M <ACTIVE>
>     DOMAIN          <00> - <GROUP> M <ACTIVE>
>     COMPUTER        <03> -         M <ACTIVE>
>     COMPUTER        <20> -         M <ACTIVE>
>     DOMAIN          <1e> - <GROUP> M <ACTIVE>
>     USERNAME        <03> -         M <ACTIVE>
>
> where COMPUTER = NetBIOS computer name, DOMAIN = AD Domain Name, and
> USERNAME = currently logged in user (right?).
>
> The only problem is, how do I tell which row is the Username?

It seems nmblookup doesn't return the username on non-Windows
workstations. My Linux workstation authenticates via pam_winbind and
has an active kerberos ticket, yet the following is returned:

    SCHURTER3-LINUX <00> -         H <ACTIVE>
    SCHURTER3-LINUX <03> -         H <ACTIVE>
    SCHURTER3-LINUX <20> -         H <ACTIVE>
    DOMAIN          <1e> - <GROUP> H <ACTIVE>
    DOMAIN          <00> - <GROUP> H <ACTIVE>

To match Windows workstations it should also display:

    MICHAEL         <03> -         H <ACTIVE>

I'm not sure what the H & M characters stand for (H = Hybrid node?),
but I noticed Apple OSX workstations return B instead of H or M.

Still looking for how to do logged-in user lookups based on IP...

Michael Schurter
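
An added example, not part of any message in this thread: a small parser for "nmblookup -A" output that answers the "which row is the username" question. It assumes the standard NetBIOS suffix meanings (unique <00> = computer name, group <00> = domain or workgroup, unique <03> = messenger names) and node-type letters (B/P/M/H); the function names and the sample input are constructed for illustration.

```python
import re

# One row of `nmblookup -A` output: NAME <suffix> - [<GROUP>] <node type> <ACTIVE>
ROW = re.compile(r"^\s*(?P<name>\S.*?)\s*<(?P<suffix>[0-9a-fA-F]{2})>\s+-\s+"
                 r"(?P<group><GROUP>\s+)?(?P<node>[BPMH])\s+<ACTIVE>")
# NetBIOS node types (name resolution mode of the answering host).
NODE_TYPES = {"B": "broadcast", "P": "point-to-point", "M": "mixed", "H": "hybrid"}

def parse_status(text):
    """Return a list of (name, suffix, is_group, node_letter) tuples."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)  # header and "MAC Address" lines do not match
        if m:
            rows.append((m["name"], int(m["suffix"], 16), bool(m["group"]), m["node"]))
    return rows

def summarize(text):
    """Pick computer, domain and candidate user names out of a node status reply."""
    rows = parse_status(text)
    # Unique <00> is the computer name; group <00> is the domain/workgroup.
    computer = next((n for n, s, g, _ in rows if s == 0x00 and not g), None)
    domain = next((n for n, s, g, _ in rows if s == 0x00 and g), None)
    # Unique <03> names are messenger names: the computer name is one of them,
    # any other one is a candidate logged-in user.
    users = [n for n, s, g, _ in rows if s == 0x03 and not g and n != computer]
    node = NODE_TYPES.get(rows[0][3]) if rows else None
    return {"computer": computer, "domain": domain, "users": users, "node": node}

# Constructed sample input, modelled on the two outputs quoted in the thread.
WINDOWS_SAMPLE = """\
        COMPUTER        <00> -         M <ACTIVE>
        DOMAIN          <00> - <GROUP> M <ACTIVE>
        COMPUTER        <03> -         M <ACTIVE>
        COMPUTER        <20> -         M <ACTIVE>
        DOMAIN          <1e> - <GROUP> M <ACTIVE>
        USERNAME        <03> -         M <ACTIVE>
"""
LINUX_SAMPLE = """\
        SCHURTER3-LINUX <00> -         H <ACTIVE>
        SCHURTER3-LINUX <03> -         H <ACTIVE>
        SCHURTER3-LINUX <20> -         H <ACTIVE>
        DOMAIN          <1e> - <GROUP> H <ACTIVE>
        DOMAIN          <00> - <GROUP> H <ACTIVE>
"""

if __name__ == "__main__":
    for label, sample in (("windows", WINDOWS_SAMPLE), ("linux", LINUX_SAMPLE)):
        print(label, summarize(sample))
```

NetBIOS name registrations are unauthenticated, so a name recovered this way is a hint for log correlation rather than proof of who was logged in. An empty "users" list, as in the Linux sample, means the host registered no messenger name beyond its own.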