HPE Community
Operating System - HP-UX
1827472 Members
2044 Online
109965 Solutions
New Discussion

Re: Non existence process with wrong idle time shown

 
SOLVED
Go to solution
Rita Li
Frequent Advisor

‎07-31-2007 10:04 PM

‎07-31-2007 10:04 PM

Non existence process with wrong idle time shown

/>w -s|grep xywang
xywang pt311:54 -
/>who -u|grep xywang
xywang pts/tZd Aug 1 09:53 old 7321 10.0.84.252
/>last -R xywang|more
...
xywang pts/tZd 10.0.84.252 Wed Aug 1 09:53 - 10:59 (01:05)
...

In fact this user has already logged out the system but still with the process shown as

xywang pt311:54 -

Also next time whoever login using the terminal
pts/tZd, once logout, this process will then be shown as owned by this user, with the idle time as > 311:54 (seems to me the idle time get accumulated)

Has anyone seen such a scenrio before?
0 Kudos
Reply
7 REPLIES 7
Dennis Handly
Acclaimed Contributor

‎07-31-2007 11:57 PM

‎07-31-2007 11:57 PM

Re: Non existence process with wrong idle time shown

This could be due to wtmp files getting corrupted.

You can search ITRC for other issues with wtmp, over 50:
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=1118377
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=1140449
0 Kudos
Reply
TY 007
Honored Contributor

‎08-08-2007 04:06 PM

‎08-08-2007 04:06 PM

Re: Non existence process with wrong idle time shown

Hi,

Corrupted /var/adm/wtmp file.

To confirm this, perform the following testing:
# cd /var/adm
# cp -p wtmp wtmp.bak
# cat /dev/null > wtmp

Login & Logout some Telnet Sessions & keep monitoring:
# who

Thanks
0 Kudos
Reply
Juan M Leon
Trusted Contributor

‎08-09-2007 04:01 AM

‎08-09-2007 04:01 AM

Re: Non existence process with wrong idle time shown

Rita,

You can always try the following

/usr/sbin/acct/wtmpfix

or use

/usr/sbin/acct/fwtmp -ic wtmp


good luck
0 Kudos
Reply
Rita Li
Frequent Advisor

‎08-22-2007 03:33 PM

‎08-22-2007 03:33 PM

Re: Non existence process with wrong idle time shown

Tried :-

/var/adm>cp -p wtmps wtmps.bak
/var/adm>cp -p wtmp wtmp.bak
/var/adm>/usr/sbin/acct/fwtmp -ic < /dev/null > wtmps
/var/adm>/usr/sbin/acct/fwtmp -ic < /dev/null > wtmp
/var/adm>ls -aslp wtmp*
0 -rw-rw-r-- 1 adm adm 0 Aug 23 11:23 wtmp
320 -rw-rw-r-- 1 adm adm 158820 Aug 14 16:17 wtmp.bak
32 -rw-rw-r-- 1 adm adm 10432 Aug 23 11:34 wtmps
633936 -rw-rw-r-- 1 adm adm 324566252 Aug 23 11:27 wtmps.bak

However the problem is still not fixed

ie.
/var/adm>w -s|grep ddgong
root pt grep ddgong
ddgong pt231:33 -
0 Kudos
Reply
Dennis Handly
Acclaimed Contributor

‎08-22-2007 07:37 PM

‎08-22-2007 07:37 PM

Re: Non existence process with wrong idle time shown

>However the problem is still not fixed

Are you on 11.23 or later? If so, you need to stick it to the utmpd(1M) demon. ;-)

SIGTERM Perform graceful shutdown.
This causes the daemon to write its in-memory user accounting database to the /etc/utmps file and exit.
0 Kudos
Reply
Rita Li
Frequent Advisor

‎08-22-2007 07:46 PM

‎08-22-2007 07:46 PM

Re: Non existence process with wrong idle time shown

Dennis, thanks for the response

Our UX version is

HP-UX bdcimfg1 B.11.23 U ia64 0568256958 unlimited-user license

Can you elaborate more on the steps that should be carried in fixing the problem?
0 Kudos
Reply
Dennis Handly
Acclaimed Contributor

‎08-22-2007 08:38 PM

‎08-22-2007 08:38 PM

Solution

Re: Non existence process with wrong idle time shown

>Can you elaborate more on the steps that should be carried in fixing the problem?

First read about utmpd(1M) demon and WARNINGS. There are also comments that say:
There is a time lag which could span from a few seconds on a lightly loaded system to a few minutes on a heavily loaded system.

You have your original backup.

You have already erased the wtmp files.
You can then kill utmpd, the default is SIGTERM.
Make sure you are killing the right process:
# ps -fp $(< /etc/useracct/utmpd_pid )

Then kill it:
# kill $(< /etc/useracct/utmpd_pid )

Then take a look at the wtmp files to confirm they have your bogus user.

Then erase the wtmp files again.
Then restart utmpd:
# /usr/sbin/utmpd
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.