Tracing which user logs onto which PC

kenji1903 · 07-19-2004, 08:23 PM

G'day~

I am just wondering whether is it possible to trace which user logs onto which PC on a network. Any log files that I should be looking at?
I only know that Samba's log files are stored in /var/log/samba and I have basically looked at most of them but they do not seem to contain the info i am looking for...

My system is a RH9 running Samba acting as the PDC with Windows XP boxes as clients.

I am trying to hook up Nagios though... this program really needs some serious configuration in order to work!

Alrighty, thanks in advance~

~WiLL~

AltF4 · 07-19-2004, 09:16 PM

1) check /var/log/messages for logins
2) use the "last" command (man last)
3) install the accounting package (man accton)

jpat1023 · 07-19-2004, 10:49 PM

I agree Nagios does take some serious configuration to get going, but if you just do a little reading on the instructions its not that bad. And once you get it going it's great.

kenji1903 · 07-20-2004, 02:12 AM

Thanks for the prompt reply~

Here is my results, maybe you can give me more advice:
1) last few lines of my /var/log/messages

Code:

Jul 20 15:05:22 redhat32 smbd[4888]: [2004/07/20 15:05:22, 0] rpc_server/srv_pipe.c:api_pipe_netsec_process(1397) 
Jul 20 15:05:22 redhat32 smbd[4888]:   failed to decode PDU 
Jul 20 15:05:22 redhat32 smbd[4888]: [2004/07/20 15:05:22, 0] rpc_server/srv_pipe_hnd.c:process_request_pdu(605) 
Jul 20 15:05:22 redhat32 smbd[4888]:   process_request_pdu: failed to do schannel processing. 
Jul 20 15:05:23 redhat32 smbd[4888]: [2004/07/20 15:05:23, 0] smbd/service.c:set_current_service(56) 
Jul 20 15:05:23 redhat32 smbd[4888]:   chdir (/home/samba/netlogon) failed 
Jul 20 15:05:24 redhat32 smbd[4888]: [2004/07/20 15:05:24, 0] smbd/service.c:set_current_service(56) 
Jul 20 15:05:24 redhat32 smbd[4888]:   chdir (/home/samba/netlogon) failed 
Jul 20 15:05:33 redhat32 smbd[4888]: [2004/07/20 15:05:33, 0] rpc_server/srv_util.c:get_domain_user_groups(376) 
Jul 20 15:05:33 redhat32 smbd[4888]:   get_domain_user_groups: primary gid of user [redhat32admin] is not a Domain group ! 
Jul 20 15:05:33 redhat32 smbd[4888]:   get_domain_user_groups: You should fix it, NT doesn't like that

OK, whats PDU? My netlogon is set to 0770...
Whats with the last 2 lines? Sounds funny

2) last seems to only show users that log into the server not the XP machines...

3) I do not have an accton, what is it anyway?

CheerS~

kenji1903 · 07-20-2004, 02:14 AM

Thanks, jpat1023

kenji1903 · 07-20-2004, 09:16 PM

*bump*

kenji1903 · 07-21-2004, 10:58 PM

can anybody lend a hand with my problem here?

Thanks in advance~

kenji1903 · 08-03-2004, 10:01 AM

I thought of a way, just want some advice on this~

smbstatus is very useful in this sense since it outputs the username, group and machine logged onto the server...
i was thinking of using cron to periodically porting the output of smbstatus to a file.
Can anyone give me a hint on how this could be done?

I reckon that there is a better way of doing this, any suggestions welcome

BrianWGray · 08-03-2004, 10:43 AM

I think that this will be very helpful to you.

http://www.linuxjournal.com/article.php?sid=7251

kenji1903 · 08-03-2004, 11:00 AM

The site looks promising... Thanks~

kenji1903 · 08-05-2004, 10:28 PM

Tried the code that was on the site, modified the srv_netlog_nt.c in Samba, got errors when i execute the make command... I am bad programmer

Did you manage to get it to work, BrianWGray?

BrianWGray · 08-06-2004, 10:03 AM

I have to be honest, I use a windows advanced server as my domain controller. I have no need for the logs on the samba boxes because they authenticate to the domain controller every time they need to allow access.

I'm working on phasing out the windows servers so when I get to that stage I'll be sure to update my post. That won't be for a few months though.

kenji1903 · 08-06-2004, 10:59 PM

I see... does windows advanced server have an option to enable a log file of users logging on/off the server?

No worries mate, I will be waiting for your updates!

Thanks for the hints~

ter_roshak · 09-13-2004, 10:04 AM

I have implemented a couple of basic scripts that will log who is logged on to which machines throughout the day. The problem with what I have done is that Samba does not seem to recognize that the users have logged off very well... This problem is most evident when my log files show that people have logged on through the weekend when nobody was here.

This script runs every minute via cron and logs who is currently logged into the domain controller:

Code:

#!/bin/bash
#
# This shell script will list all of the Samba users currently on-line
# who have signed into this Domain Controller.
#
# This script will compile a list of users who have been logged on to
# specific machines throughout the day.
#
# Author:  Joshua Miller
# Date:    8/06/2004

CURDATE=`date +%m%d%Y-%H%M%S`
SUBNET='XXX.XXX'
SAVEFILE='/var/log/samba/smbusers.txt'

echo ""
echo "Username        Machine"
echo "-------------------------------"
smbstatus | grep $SUBNET | awk '{printf "%s    \t%s\n", $2, $4}' | sort -u | tee -a $SAVEFILE

echo "-------------------------------"
echo "Number of Users On-Line: "
smbstatus | grep $SUBNET | awk '{print $2}' | sort -u | wc -l
echo ""

# Do not store duplicate name/machine pairs in the file - save space
cat $SAVEFILE | sort -u > $SAVEFILE

Then, I have a script that runs daily to create a log of the users who have logged into each machine for that day. With the date setup that I have used, it is actually data for the previous day.

Code:

#!/bin/bash

CURDATE=`date +%m%d%Y`
SAVEFILE='/var/log/samba/smbusers.txt'
TEMPFILE='/var/log/samba/tmpusers.txt'

sort -u $SAVEFILE > $TEMPFILE

cp $TEMPFILE /var/log/samba/umlogs/$CURDATE-smbusers.txt

I am trying to figure out how to get Samba to logoff users more accurately, but until then, this is the best that I have. I hope that this helps.

Josh