Finding IP of Last Windows User Login To Domain

 
 
Google Mike
      03-01-2005, 06:08 PM
I need to write a PHP page to parse Squid's access.log file so that
managers here can see where their employees are web browsing. Not a big
deal except that my manager wants me to prompt people for usernames and
then behind the scenes it needs to convert the username to IP address
and grep against the access.log file.

The only way I think that might be possible from a Linux PHP script is
if somehow I could interrogate the Active Directory to see if it
recorded the IP address for where that user last logged in. If this was
not possible from Linux, then perhaps I could write a VB Script to
interrogate this on Windows and leave the output in a file that Linux
could pick up and parse.

 
chris-usenet@roaima.co.uk
 
      03-01-2005, 07:58 PM
Google Mike <(E-Mail Removed)> wrote:
> I need to write a PHP page to parse Squid's access.log file so that
> managers here can see where their employees are web browsing. Not a big
> deal except that my manager wants me to prompt people for usernames and
> then behind the scenes it needs to convert the username to IP address
> and grep against the access.log file.


If you're using DHCP you'll need to do all of the mapping of username to
IP address (or is it v.v.?) in near-real-time, pretty much as the squid
access log is generated.

The person using 10.1.20.1 today may not be the same person (or machine)
using 10.1.20.1 tomorrow. If you wait a week until you parse the logs,
all bets are off as to who really was browsing from any particular IP
address.

If you're talking about tracking Windows clients then take a look at
samba's nmblookup ("nmblookup -A 10.1.20.1", for example), which given
an IP address can often derive the Windows username that's currently
logged on to the box - or at least the machine's name if no-one is
apparently logged on.

Chris
 
 
Captain Dondo
 
      03-01-2005, 08:54 PM
On Tue, 01 Mar 2005 11:08:59 -0800, Google Mike wrote:

> I need to write a PHP page to parse Squid's access.log file so that
> managers here can see where their employees are web browsing. Not a big
> deal except that my manager wants me to prompt people for usernames and
> then behind the scenes it needs to convert the username to IP address
> and grep against the access.log file.
>
> The only way I think that might be possible from a Linux PHP script is
> if somehow I could interrogate the Active Directory to see if it
> recorded the IP address for where that user last logged in. If this was
> not possible from Linux, then perhaps I could write a VB Script to
> interrogate this on Windows and leave the output in a file that Linux
> could pick up and parse.


I find this absurd, but....

You can set up samba to run an arbitrary program on user login. I haven't
done this in about 5 years, but I'm sure it's still there.

Then you can use that program to log the user name, IP, etc. You can even
write a firewall script to block web access unless someone is logged in to
your samba server.

If you have access to your DNS server, and if you use bind, you might have
more luck parsing DNS lookups rather than squid access.log.

Personally, I'd just write something that randomly generates web site
names and IP addresses, and see how long it takes PHB to catch on... I'd
have the resume ready, though, just in case he doesn't see the humor in
it....

--
use munged address above to email me
SpamTrap (E-Mail Removed)
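
Added example, not part of any post in this thread: one way to combine the login logging suggested above with the earlier DHCP caveat, by attributing a Squid request to a user only if that user was the most recent login on the client IP at the time of the request. The login-log layout (epoch, user, IP), the function names and all sample lines are constructed assumptions.

```shell
#!/bin/sh
# Added example; the login-log layout and all sample data are constructed.

# Constructed login log, as a samba login hook might write it: epoch user ip
login_log() {
cat <<'EOF'
1109700000 alice 10.1.20.1
1109700300 carol 10.1.20.7
1109786400 bob 10.1.20.1
EOF
}

# Constructed Squid access.log lines in the native format:
# time.ms elapsed client code/status bytes method URL ident peer type
squid_log() {
cat <<'EOF'
1109699000.500 95 10.1.20.1 TCP_MISS/200 2048 GET http://early.example/ - DIRECT/192.0.2.5 text/html
1109703600.123 210 10.1.20.1 TCP_MISS/200 5120 GET http://news.example/ - DIRECT/192.0.2.10 text/html
1109704000.001 120 10.1.20.7 TCP_HIT/200 900 GET http://mail.example/ - NONE/- text/html
1109790000.250 180 10.1.20.1 TCP_MISS/200 7000 GET http://games.example/ - DIRECT/192.0.2.20 text/html
EOF
}

# urls_for_user USER: print "epoch ip url" for each request whose client IP
# was most recently logged in to by USER at the time of the request.
urls_for_user() {
    # The name arrives from a web form: accept a conservative charset only.
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) echo "invalid username" >&2; return 2 ;;
    esac
    { login_log | sort -n; echo "--"; squid_log; } | awk -v user="$1" '
        $1 == "--"  { in_squid = 1; next }
        !in_squid   { n++; at[n] = $1 + 0; who[n] = $2; ip[n] = $3; next }
        {
            t = int($1); owner = ""
            # Logins are sorted by time, so the last match at or before t wins.
            for (i = 1; i <= n && at[i] <= t; i++)
                if (ip[i] == $3) owner = who[i]
            if (owner == user) print t, $3, $7
        }'
}
```

The request made before any recorded login on 10.1.20.1 is attributed to nobody, and the same address maps to two different users on consecutive days.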

 
 
Google Mike
 
      03-01-2005, 10:21 PM
Thanks, and the nmblookup -A <ip addr> was a big boost for me because
it offers some opportunities for the future. I did notice that use of
it returned some 50/50 results on a username -- perhaps that's just a
WINS misconfiguration on our end, however.

Actually, what we ultimately decided on was something like this:

1. All our computers will get renamed so that the cubicle number (a
unique number in our building) will be in the computer name in a
consistent way, like ROOKZ55C420 with 420 being the cubicle number and
Z55 being a zone number out of about 11 zones.

2. Then, I will have the PHP page shell out to Linux bash and run a
script called "cube2ip" which does something like:

#!/bin/bash
# cube2ip: print the IP address of the PC in the given cubicle
CUBE=$1
# Try each of the 11 zones; lookups that fail ("not found") are filtered out
for ZONE in $(seq 1 11); do
    host "ROOKZ${ZONE}C${CUBE}" | grep -iv "found" | cut -f 4 -d " "
done

This will spit out the IP address for the cubicle. I can then use that
against /var/log/squid/access.log to identify the websites where this
user has been going to and return that back to the manager in a web
page.

There is some risk here, however:

* If the cubicle is used by multiple users like in shift work, then
you'll need to identify the time of day and the matching shift in order
to come close to identifying the potential user.

* If the user doesn't have their system set on 20 seconds, screen saver
kicks, password-protected mode, then someone else has a potential to
slip in and browse on their PC, getting the wrong user in trouble. So
this is going to also be a mandatory step we take in migrating to this
strategy.

* Managers will want to use this to see a long-running pattern before
acting upon it. Just a few incidents might not be the user's fault.
Additionally, one has to take into account the fact that spyware and
viruses can send false results through the proxy too, making the
employee look really bad in the manager's eyes. Essentially what this
does is let the manager know that they *might* need to be more vigilant
with an employee, trying to catch the employee in the act with surprise
cubicle visits when the activity is usually highest. Then, it might be
time for a good verbal warning, then written warning, then *kapow* --
the user is let go.

 
 
Scott Lowe
 
      03-02-2005, 06:44 PM
On 2005-03-01 15:58:55 -0500, chris-(E-Mail Removed) said:

> If you're talking about tracking Windows clients then take a look at
> samba's nmblookup ("nmblookup -A 10.1.20.1", for example), which given
> an IP address can often derive the Windows username that's currently
> logged on to the box - or at least the machine's name if no-one is
> apparently logged on.


Just a quick FYI--I'm not familiar with nmblookup, but I am familiar
with nbtstat (the Windows equivalent), and this only works if NetBIOS
is enabled (it is by default on most versions of Windows). The
username is only available in the results returned if the Messenger
service (not the same as MSN Messenger!) is running (running by default
in Windows 2000, off by default in Windows XP and Windows Server 2003)
and someone is actually logged in. (You can force the status of this
service using Active Directory--but that's a topic for a different
newsgroup.)

HTH.

--
Scott Lowe

 