1831349 Members
2976 Online
110024 Solutions
New Discussion

Re: Last Command

 
joe_91
Super Advisor

Last Command

Hi:

I have a problem with the "last" command. The command reports for some users and for some other users it just says "wtmp begins Mon Nov 5 20:07". Some of these users are connecting via PC thru xemulator. will that be an issue.

Thanks
Joe.
21 REPLIES 21
James R. Ferguson
Acclaimed Contributor

Re: Last Command

Hi Joe:

'last' is announcing the date at which the file 'var/adm/wtmp' was last initialized (created, or emptied).

If you do 'last auser' and there is no match found for "auser", then 'last' behaves as you noted. Either "auser" isn't valid (no check is made), or "auser" *is* a valid account but one that just hasn't logged on since the initialization of the file.

Regards!

...JRF...
MANOJ SRIVASTAVA
Honored Contributor

Re: Last Command

Hi Joe

I dont think is differntiates between these users , it will log in any user logging into the system whether from PC etc , may be you will like to read this in case you find that ther is some problem.

You can use the fwtmp command to manipulate the wtmp file.
For example, initially convert the wtmp file to an ASCII file:
cat /var/adm/wtmp | /usr/sbin/acct/fwtmp > /tmp/wtmp.ascii
Edit the /tmp/wtmp.ascii entry using your favourite editor.
Convert the ASCII file back to binary:
cat /tmp/wtmp.ascii | /usr/sbin/acct/fwtmp > /var/adm/wtmp"


Manoj Srivastava

Mark Greene_1
Honored Contributor

Re: Last Command

check the permissions on /var/adm/btmp, it should be owned be root and other and read and writeable only by the owner (600).

We are currently setting-up an L2000, and as part of the conversion process have created a limited /etc/passwd file to keep people out of the system while we copy files over the network. The new /etc/passwd file was created only with 660 permissions, and consequently "whoami" when run as other than root now returns the message "Intruder alert.", so check your permissions on /etc/passwd as well.

Also, keep in mind that users running applications that only create socket connections will not show in the "last" display, as they really don't log in.

HTH
mark
the future will be a lot like now, only later
joe_91
Super Advisor

Re: Last Command

Hi James:

what i find here is i am able to use last command for all users who have come thru a shell. for users who come from the pc(not thru telnet but xemulator) the last command reports as though that user was never there. the login process is taken care by the xemulator and there is no shell for the users(coming from pc) as they are directly put inside the xmotif application. Any thoughts??

Thanks
Joe.
Cheryl Griffin
Honored Contributor

Re: Last Command

Also note, that some emulator products are not designed to write an entry to wtmp. This is something that is done at a code level and controlled by the emulator, not controlled by last.

Cheers!
Cheryl
"Downtime is a Crime."
Pete Randall
Outstanding Contributor

Re: Last Command

Joe,

What emulator? We use WRQ Reflections and last works fine for me.

Pete

Pete
Steve Steel
Honored Contributor

Re: Last Command

Hi

if you use

users

or

w

Do you see these users

last -R|grep still can also be interesting.

Maybe someone cleaned out the users withh accounting.

Ask one to log out and back in.Then check for user.


steve Steel
If you want truly to understand something, try to change it. (Kurt Lewin)
Pete Randall
Outstanding Contributor

Re: Last Command

Joe,

I think JRF hit the nail on the head. Either the user is non-existant or has not logged in.

For what it's worth,
Pete

Pete
joe_91
Super Advisor

Re: Last Command

Hi:

if i do last username it shows
wtmp begins Mon Nov 5 20:07

and if i do w|grep username

then i get
username pcremote 12:00pm

i think my xemulator(citrix) does not log onto wtmp but since the w works fine may be updates the utmp. Is my assumption correct?

Thanks
Joe
Helen French
Honored Contributor

Re: Last Command

Some thoughts:

1) The 'w' command is actually using the command 'uptime' for getting it's results.

2) Check whether 'who' command report the correct data, while this takes output from wtmp file.

3) I believe that your xemulator software is not putting the entries in wtmp.

4) Make use of fwtmp command too.
Life is a promise, fulfill it!
joe_91
Super Advisor

Re: Last Command

Hi:

If i do a who|grep username i am able to find 2 entries fro that particular user.

who|grep chris

chris pcremote May 28 12:00
chris pcremote May 29 10:17

and if i do ps -ef |grep chris gives me 21 processes for both May 28 and 29.
but if i do a w|grep chris
chris pcremote 12:00pm 2 -
chris pcremote 10:17am 2 -

can anyone tell what is going on?

Thanks
Joe.
Helen French
Honored Contributor

Re: Last Command

Just another thought:

Update your patch level with the latest patches. That may solve your issues. If you are using version 10.20, then install this patch:

PHCO_8915 - s700_800 10.01-[12]0 last(1) cumulative patch
Life is a promise, fulfill it!
joe_91
Super Advisor

Re: Last Command

Hi

We are using 11.0 and the march 2002 patch bundle has been installed.

Thanks
Joe
Paula J Frazer-Campbell
Honored Contributor

Re: Last Command

Joe

Jame's answer is 100 % correct in that the file start time is based upon your last reboot (Starts at) and the wtmp begins is telling you that the user has not logged in since the start of the wtmp.


Paula
If you can spell SysAdmin then you is one - anon
joe_91
Super Advisor

Re: Last Command

Hi:

This user has logged in on 28th and 29th and he still has that processes left hanging in there.

Thanks
Joe.
John Palmer
Honored Contributor

Re: Last Command

Hi Joe,

The answer to your original question is yes, there is an issue with last and X session users.

X sessions don't get logged in wtmp in the same way as normal character logins (see comment from Cheryl above).

Have a look at the man pages for last, login and wtmp.

Regards,
John
James R. Ferguson
Acclaimed Contributor

Re: Last Command

Hi Joe:

Here's some more information that may help you. Cheryl's comments are the seed.

If you make connection with another server using 'remsh', no update of /var/adm/wtmp occurs. This is because 'remsh' isn't considered a "login".

However, it turns out that if no command is specified with 'remsh', then 'remsh' treats this as an 'rlogin' and an entry *is* made in /var/adm/wtmp. TO see this behavior, compare:

# remsh somehost -n hostname

...versue:

# remsh somehost #...this becomes a 'rlogin'

In the first case, no entry is recorded in /var/adm/wtmp (for 'last'). In the second, there is a record.

BTW, use 'last -R ' to return the hostname information for tracking in these situations.

Regards!

...JRF...
joe_91
Super Advisor

Re: Last Command

Hi:

Thanks. But as i said earlier last -R is not working and behaving as though the user never existed. So i guess i have to go the xemulator's code. Now is there some serious problem if wtmp is not updated in a login?

Thanks
Joe.
James R. Ferguson
Acclaimed Contributor

Re: Last Command

Hi Joe:

In answer to your last question, the accounting of login information in '/var/adm/wtmp' (and bad logins in '/var/adm/btmp') is purely discretionary. If you don't care about capturing the information, remove the file(s). This turns off logging in the first place. To re-enable it, create an empty file with 'touch' or 'cat /dev/nul > ...'.

My suggestion to use the '-R' option of 'last' was to be more demonstrative if you perform the 'remsh' exercise I suggested.

Regards!

...JRF...
Wodisch
Honored Contributor

Re: Last Command

Hi Joe,

you might want to use the X-Windows resource "*loginShell: true" for all those PC-based X-sessions, as then every terminal window will create an entry in "wtmp"...

To do this simply add the following line to the file ".Xdefaults" in the user's HOME-directory:

*loginShell: true

Be careful about the speeling - upper and lower case are important!

HTH,
Wodisch
joe_91
Super Advisor

Re: Last Command

Hi:

I tried in .Xdefaults *loginShell:true and it is not updating wtmp still. Any thoughts..

Joe.