Linux – Determine logged on user on Windows computer from Linux

active-directory, linux, samba, windows

How can I determine who is logged on to a remote Windows XP computer from Linux? I do not have administrator access on the domain or on the remote computer.

I can do it from a separate Windows computer using PsLoggedOn -L \\computer from PsTools.

I've tried using nmblookup -A remotecomputer, but I only see entries for the computer and the domain, not a <03> entry for the user.

I've also tried running PsLoggedOn under wine; I get an error:

Connecting to Registry of \\computer.company.com...
fixme:reg:RegConnectRegistryW Connect to L"computer.company.com" is not supported.

I started looking into winexe, but it looks like I would need administrative rights on the remote computer to get it working.

Best Answer

I found how to do this using Samba on the Linux computer.

I installed and configured Kerberos and Samba to access the domain. I modified /etc/samba/smb.conf, /etc/krb5.conf, and /etc/hosts. I then used some net commands from a script (net is a command-line interface to Samba):

net rpc registry enumerate 'HKEY_USERS' -S xpcomputer.ad.company.com -U 'username@AD.COMPANY.COM%password'

giving a list of the security identifiers for the users that are currently loaded in the registry:

Keyname   = .DEFAULT
Modtime   = Thu, 02 Dec 2010 14:31:14 EST

Keyname   = S-1-5-19
Modtime   = Thu, 02 Dec 2010 14:31:16 EST

Keyname   = S-1-5-19_Classes
Modtime   = Thu, 02 Dec 2010 14:31:16 EST

Keyname   = S-1-5-20
Modtime   = Thu, 02 Dec 2010 14:31:16 EST

Keyname   = S-1-5-20_Classes
Modtime   = Thu, 02 Dec 2010 14:31:16 EST

Keyname   = S-1-5-21-8915387-325552579-1798637320-4573
Modtime   = Fri, 03 Dec 2010 22:53:39 EST

Keyname   = S-1-5-21-8915387-325552579-1798637320-7772
Modtime   = Wed, 08 Dec 2010 07:51:26 EST

Keyname   = S-1-5-21-8915387-325552579-1798637320-7772_Classes
Modtime   = Wed, 08 Dec 2010 07:51:26 EST

Keyname   = S-1-5-18
Modtime   = Thu, 02 Dec 2010 14:31:14 EST

I then run the net ads sid command to look up Active Directory entries based on the user SID. This might only work for domain users; I'm not sure if it works for users logged on using a local account. It seems that if there are multiple SIDs, the only one that works is the one that has a corresponding "_Classes" entry.

net ads sid 'S-1-5-21-8915387-325552579-1798637320-7772' -W COMPANY -U 'username@AD.COMPANY.COM%password'

This gives some errors, but still results in printing the user's entire Active Directory information. It is fairly slow, possibly due to the errors, so I might cache the SID-to-username mapping.

[2010/12/08 10:03:00,  0] libads/kerberos.c:882(create_local_private_krb5_conf_for_domain)
  create_local_private_krb5_conf_for_domain: smb_mkstemp failed, for file /var/run/samba/smb_tmp_krb5.HpBqKJ. Errno Permission denied
[2010/12/08 10:03:02,  0] libads/kerberos.c:882(create_local_private_krb5_conf_for_domain)
  create_local_private_krb5_conf_for_domain: smb_mkstemp failed, for file /var/run/samba/smb_tmp_krb5.BCzT0T. Errno Permission denied
Got 1 replies

objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: [Lastname], [Firstname]
sn: [Lastname]
c: US
physicalDeliveryOfficeName: ...
telephoneNumber: ...
...(many more  fields)...
mailNickname: FLastname
...

The mailNickname field contains the user name (at least for the users I have tested so far).
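
The two-step lookup above, with the SID-to-username cache the answer mentions, as an added example (not the answer author's script). The function names, the tab-separated cache file and the pluggable resolver argument are assumptions; the parsers only read text in the formats quoted above.

```shell
#!/bin/sh
# Added example, not the answer author's script. Parses the text that the
# two `net` commands above print; the parsers make no Samba call themselves.

# stdin: `net rpc registry enumerate HKEY_USERS` output.
# stdout: "<SID> yes|no" per loaded S-1-5-21-* hive; yes = <SID>_Classes present.
loaded_user_sids() {
    awk -F' *= *' '
        $1 != "Keyname" { next }
        { key = $2; sub(/[ \t\r]+$/, "", key) }
        key ~ /^S-1-5-21-[0-9-]+_Classes$/ { sub(/_Classes$/, "", key); classes[key] = 1; next }
        key ~ /^S-1-5-21-[0-9-]+$/ && !(key in seen) { seen[key] = 1; order[++n] = key }
        END { for (i = 1; i <= n; i++) print order[i], ((order[i] in classes) ? "yes" : "no") }'
}

# stdin: `net ads sid` output. stdout: first mailNickname value, if any.
account_name() {
    awk -F': ' '$1 == "mailNickname" && !hit { sub(/\r$/, "", $2); print $2; hit = 1 }'
}

# cached_name SID CACHE_FILE RESOLVER [ARGS...]
# RESOLVER (hypothetical hook) is any command that prints `net ads sid` output
# for the SID passed as its last argument; hits are stored as "SID<TAB>name".
cached_name() {
    sid=$1 cache=$2 name=; shift 2
    [ -r "$cache" ] && name=$(awk -F'\t' -v s="$sid" '$1 == s { print $2; exit }' "$cache")
    if [ -z "$name" ]; then
        name=$("$@" "$sid" | account_name)
        [ -n "$name" ] && printf '%s\t%s\n' "$sid" "$name" >> "$cache"
    fi
    [ -n "$name" ] && printf '%s\n' "$name"   # non-zero status when unresolved
}

# Trimmed copy of the enumerate output quoted in the answer, for offline runs.
sample_enum() {
    cat <<'EOF'
Keyname   = .DEFAULT
Modtime   = Thu, 02 Dec 2010 14:31:14 EST

Keyname   = S-1-5-19_Classes
Keyname   = S-1-5-21-8915387-325552579-1798637320-4573
Keyname   = S-1-5-21-8915387-325552579-1798637320-7772
Keyname   = S-1-5-21-8915387-325552579-1798637320-7772_Classes
Keyname   = S-1-5-18
EOF
}
```

In real use the resolver would be a small wrapper around the net ads sid command shown above, and the enumerate output would be piped into loaded_user_sids instead of the sample.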