1835061 Members
3852 Online
110073 Solutions
New Discussion

> /etc/utmp

 
mlewis
Frequent Advisor

> /etc/utmp

We have recently experienced problems , when resolving hostnames across servers. Basically when you rlogin to a machine from a specific host and issue a who -u, the correct name or ip adrdess is not displayed. I have been advised to issue the above as the login file may be corrupt! Has anyone seen this before? and acttually issued this on a server where ther is a lot of apps running. I am concerned of how the server may behave!
5 REPLIES 5
Pete Randall
Outstanding Contributor

Re: > /etc/utmp

Nulling out utmp is perfectly safe, but, before doing that, you should probably take a look at wtmpfix: man wtmpfix for details.


Pete

Pete
Yogeeraj_1
Honored Contributor

Re: > /etc/utmp

hi,

It is a sign of corruption.

See man wtmpfix
for more information on how to fix this.

kind regards
yogeeraj
No person was ever honoured for what he received. Honour has been the reward for what he gave (clavin coolidge)
Peter Godron
Honored Contributor

Re: > /etc/utmp

Hi,
from man utmp:
"File utmp contains a record of all users logged onto the system"

However, if this file gets corrupted or overwritten, the who command will show incorrect information.

See other threads:
For example:
http://forums1.itrc.hp.com/service/forums/bizsupport/questionanswer.do?threadId=1048235

Also, your profiles shows:
0 points allocated to 36 answers !!

Please read:
http://forums1.itrc.hp.com/service/forums/helptips.do?#28
Bill Hassell
Honored Contributor

Re: > /etc/utmp

utmp is a documentation file, keeping track of active logins and other system changes. Since it can be changed by applications, it can become corrupted. Generally, the corruption only shows as discrepancies caused in no small part by crashed sessions (PCs that crash or users that don't follow the rules about proper logout). who (and finger) looks at utmp but has to assemble login/logout pairs using the tty name as a link. When the system runs for months without a reboot, these pairs can be difficult to accurately connect together, thus the apparent discrepancies.

Zeroing out the utmp file solves the problem -- who no longer reports any history at all. All new logins will be accurate. The apps are probably just fine -- there is likely no reason that these apps should be looking at who history. Now startup scripts or apps that require some sort of survey of active users may get confused, but utmp corruption is so common, these apps will have problems on all platforms.

Some sysadmins will manually cleanup utmp by using the very cryptic fwtmp command. They will use it to format the binary utmp data, edit the result get rid of the old outdated entries and then fwtmp the result back into utmp. This is usually be done during somewhat idle periods.

So your system should be fine and new logins will have accurate login/logout pairs with accurate IP / hostname information. And note that a reboot will automatically clear the utmp file.


Bill Hassell, sysadmin
mlewis
Frequent Advisor

Re: > /etc/utmp

Ok thanks guys! and Peter, your right I have been assigning points to my questions but have not been subbing them.

Many Apologise to all who have been helpful