[Samba] IP-to-Username lookups

Michael Schurter michael at susens-schurter.com
Wed Nov 15 18:59:03 GMT 2006

On Tue, 2006-11-14 at 14:41 -0600, Michael Schurter wrote:
> Hi,
> I'm trying to figure out how to find users by IP.  I'm parsing a
> firewall log and would like to map internal IPs to users.
> I noticed "nmblookup -A <ip>" returns interesting results:
> 	COMPUTER       <00> -         M <ACTIVE>
>         DOMAIN         <00> - <GROUP> M <ACTIVE>
>         COMPUTER       <03> -         M <ACTIVE>
>         COMPUTER       <20> -         M <ACTIVE>
>         DOMAIN         <1e> - <GROUP> M <ACTIVE>
>         USERNAME       <03> -         M <ACTIVE>
> where COMPUTER = NetBIOS computer name, DOMAIN = AD Domain Name, and
> USERNAME = currently logged in user (right?).
> The only problem is, how do I tell which row is the Username?

It seems nmblookup doesn't return the username on non-Windows
workstations.  My Linux workstation authenticates via pam_winbind and
has an active kerberos ticket, yet the following is returned:

        SCHURTER3-LINUX <00> -         H <ACTIVE>
        SCHURTER3-LINUX <03> -         H <ACTIVE>
        SCHURTER3-LINUX <20> -         H <ACTIVE>
        DOMAIN          <1e> - <GROUP> H <ACTIVE>
        DOMAIN          <00> - <GROUP> H <ACTIVE>

To match Windows workstations it should also display:

	MICHAEL         <03> -         H <ACTIVE>

I'm not sure what the H & M characters stand for (H = Hybrid node?), but
I noticed Apple OSX workstations return B instead of H or M.

Still looking for how to do logged-in user lookups based on IP...

Michael Schurter

More information about the samba mailing list