Determine logged on user on Windows computer from Linux


Solution 1

I found how to do this using Samba on the Linux computer.

I installed and configured Kerberos and Samba to access the domain. I modified /etc/samba/smb.conf, /etc/krb5.conf, and /etc/hosts. I then used some net commands from a script (net is a command-line interface to Samba):

net rpc registry enumerate 'HKEY_USERS' -S xpcomputer.ad.company.com -U '[email protected]%password'

giving a list of the security identifiers for the users that are currently loaded in the registry:

Keyname   = .DEFAULT
Modtime   = Thu, 02 Dec 2010 14:31:14 EST

Keyname   = S-1-5-19
Modtime   = Thu, 02 Dec 2010 14:31:16 EST

Keyname   = S-1-5-19_Classes
Modtime   = Thu, 02 Dec 2010 14:31:16 EST

Keyname   = S-1-5-20
Modtime   = Thu, 02 Dec 2010 14:31:16 EST

Keyname   = S-1-5-20_Classes
Modtime   = Thu, 02 Dec 2010 14:31:16 EST

Keyname   = S-1-5-21-8915387-325552579-1798637320-4573
Modtime   = Fri, 03 Dec 2010 22:53:39 EST

Keyname   = S-1-5-21-8915387-325552579-1798637320-7772
Modtime   = Wed, 08 Dec 2010 07:51:26 EST

Keyname   = S-1-5-21-8915387-325552579-1798637320-7772_Classes
Modtime   = Wed, 08 Dec 2010 07:51:26 EST

Keyname   = S-1-5-18
Modtime   = Thu, 02 Dec 2010 14:31:14 EST

I then run the net ads sid command to look up Active Directory entries based on the user SID. This might only work for domain users; I'm not sure if it works for users logged on using a local account. It seems that if there are multiple SIDs, the only one that works is the one that has a corresponding "_Classes" entry.

net ads sid 'S-1-5-21-8915387-325552579-1798637320-7772' -W COMPANY -U '[email protected]%password'

This gives some errors, but still results in printing the user's entire Active Directory information. It is fairly slow, possibly due to the errors, so I might cache the SID-to-username mapping.

[2010/12/08 10:03:00,  0] libads/kerberos.c:882(create_local_private_krb5_conf_for_domain)
  create_local_private_krb5_conf_for_domain: smb_mkstemp failed, for file /var/run/samba/smb_tmp_krb5.HpBqKJ. Errno Permission denied
[2010/12/08 10:03:02,  0] libads/kerberos.c:882(create_local_private_krb5_conf_for_domain)
  create_local_private_krb5_conf_for_domain: smb_mkstemp failed, for file /var/run/samba/smb_tmp_krb5.BCzT0T. Errno Permission denied
Got 1 replies

objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: [Lastname], [Firstname]
sn: [Lastname]
c: US
physicalDeliveryOfficeName: ...
telephoneNumber: ...
...(many more  fields)...
mailNickname: FLastname
...

The mailNickname field contains the user name (at least for the users I have tested so far).

Solution 2

I found this question while looking for a solution to the exact same problem. Starting with Justin's answer above I finally came up with this bit of Perl. $Comp is the name of the computer we wish to interrogate.

# Enumerate the loaded registry hives and keep only the "_Classes" entries
$Res = `/usr/bin/net rpc registry enumerate 'HKEY_USERS' -S $Comp -U 'user\@domain\%password' | /bin/grep _Classes`;
# For this application we're only interested in one entry and don't care if there are more
$Res =~ /= (.+)_Classes/ or die "No loaded user hive found on $Comp\n";
$Sid = $1;
# Look up the Active Directory entry for that SID
$Res = `/usr/bin/net ads sid -W domain -I IP_address_of_DC -U 'user\@domain\%password' "$Sid"`;
$Res =~ /sAMAccountName: (.*)/ or die "No sAMAccountName returned for $Sid\n";
$User = $1; # The user logon ID
$Res = `/usr/bin/net ads search "(sAMAccountName=$User)" -U 'user\@domain\%password'`;
$Res =~ /displayName: (.*)/ or die "No displayName returned for $User\n";
# The user's display name, which is what we're after
$Name = $1;

If speed is an issue, as it was for Justin, check to ensure the realm and workgroup settings are correct in smb.conf.
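
The SID selection that both answers rely on, as an added Python example (not code from either answer): it parses the net rpc registry enumerate output, keeps only account SIDs (S-1-5-21-...) that also have a "_Classes" hive loaded, and builds the command as an argument list so the computer name is never parsed by a shell. The function names and the hostname pattern are assumptions; the sample input is the listing from Solution 1, trimmed.

```python
import re

# Sample input: the listing from Solution 1, trimmed to five hives.
SAMPLE = """\
Keyname   = S-1-5-19
Modtime   = Thu, 02 Dec 2010 14:31:16 EST

Keyname   = S-1-5-19_Classes
Modtime   = Thu, 02 Dec 2010 14:31:16 EST

Keyname   = S-1-5-21-8915387-325552579-1798637320-4573
Modtime   = Fri, 03 Dec 2010 22:53:39 EST

Keyname   = S-1-5-21-8915387-325552579-1798637320-7772
Modtime   = Wed, 08 Dec 2010 07:51:26 EST

Keyname   = S-1-5-21-8915387-325552579-1798637320-7772_Classes
Modtime   = Wed, 08 Dec 2010 07:51:26 EST
"""

# Account SIDs (domain or local machine): S-1-5-21-<3 sub-authorities>-<RID>.
ACCOUNT_SID = re.compile(r"S-1-5-21(?:-\d+){4}")
# Assumed policy: plain DNS-style names only, so a name can never start with "-".
HOSTNAME = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,253}[A-Za-z0-9])?")

def parse_hives(output):
    """Map each Keyname to its Modtime; other fields are ignored."""
    hives, key = {}, None
    for line in output.splitlines():
        name, sep, value = line.partition("=")
        if not sep:
            continue
        name, value = name.strip(), value.strip()
        if name == "Keyname":
            key = value
            hives[key] = None
        elif name == "Modtime" and key is not None:
            hives[key] = value
    return hives

def logged_on_sids(hives):
    """Account SIDs whose <SID>_Classes hive is also loaded."""
    return [k for k in hives if ACCOUNT_SID.fullmatch(k) and k + "_Classes" in hives]

def enumerate_argv(host, cred):
    """argv for subprocess.run(); no shell parses host or cred."""
    if not HOSTNAME.fullmatch(host):
        raise ValueError("unexpected computer name: %r" % host)
    return ["net", "rpc", "registry", "enumerate", "HKEY_USERS", "-S", host, "-U", cred]
```

Pass the returned list to subprocess.run(argv, capture_output=True, text=True) and feed its stdout to parse_hives; the S-1-5-19 service hive and the -4573 hive without a "_Classes" entry are both filtered out of the sample.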


Justin
Author by

Justin

Updated on September 17, 2022

Comments

  • Justin
    Justin over 1 year

    How can I determine who is logged on to a remote Windows XP computer from Linux? I do not have administrator access on the domain or on the remote computer.

    I can do it from a separate Windows computer using PsLoggedOn -L \\computer from PsTools

    I've tried using nmblookup -A remotecomputer, but I only see entries for the computer and the domain, not a <03> entry for the user.

    I've also tried running PsLoggedOn under wine; I get an error:

    Connecting to Registry of \\computer.company.com...
    fixme:reg:RegConnectRegistryW Connect to L"computer.company.com" is not supported.
    

    I started looking into winexe, but it looks like I would need administrative rights on the remote computer to get it working.

    • Dolanor
      Dolanor over 11 years
      With your current answer, how can you determine which of the HKEY_USERS of the computer are currently logged on? I tried on my network with an AD, but the net rpc registry command doesn't give me a correct output: Keyname = d__(+ Classname = Modtime = Thu, 12 Oct 4461634 12:03:12 CET This is all the output I have.
    • Justin
      Justin over 11 years
      I don't know enough about the net rpc registry command to speculate why it would give such garbage output... I recommend you start a new question about it.
    • Dolanor
      Dolanor over 11 years
      I've found the problem. Red Hat Linux, with an old hidden in the forest Samba net tool which doesn't work with our AD/network/Windows. I tested on a VirtualBox with Ubuntu 12.04, and the net rpc registry works just fine. Thank you!
  • Justin
    Justin over 13 years
    Unfortunately, I'm not able to install software on the remote computer. It is very tightly controlled since it is used to interface with some specialized equipment.