HPE Community
Operating System - HP-UX
1832645 Members
2768 Online
110043 Solutions
New Discussion

old logins still show as current

 
SOLVED
Go to solution
Randy_9
Regular Advisor

‎01-08-2002 02:06 PM

‎01-08-2002 02:06 PM

old logins still show as current

Even though I've logged off long ago, when I log into this server (11.00) the "w" command
still shows the old logins?
Thanks,
Randy
0 Kudos
Reply
3 REPLIES 3
Thierry Poels_1
Honored Contributor

‎01-08-2002 02:19 PM

‎01-08-2002 02:19 PM

Re: old logins still show as current

Hi,

"after you logged off"
Did you close your session in a clean way (exit, logoff, ^d on shell prompt) or just aborted the session (e.g. close telnet or Reflection window).
If the session is aborted tracks of your session tend to remain on the system (for a while).

regards,
Thierry.
All unix flavours are exactly the same . . . . . . . . . . for end users anyway.
0 Kudos
Reply
Craig Rants
Honored Contributor

‎01-08-2002 02:27 PM

‎01-08-2002 02:27 PM

Re: old logins still show as current

Use these couple of commands and you'll fix your problem.This occurs when who shows a user as logged on but grep is showing nothing. Make sure to note the tty assigned to the Ghost user, this will help you in step 3.

1. cd /usr/lib/acct
2. ./fwtmp < /etc/utmp > /tmp/utmp
3. edit /tmp/utmp changing 5th column to 8 for ghost user
4. ./fwtmp -ic < /tmp/utmp > /etc/utmp

GL,
C
"In theory, there is no difference between theory and practice. But, in practice, there is. " Jan L.A. van de Snepscheut
Reply
Michael Tully
Honored Contributor

‎01-08-2002 02:33 PM

‎01-08-2002 02:33 PM

Solution

Re: old logins still show as current

Hi,

This is a document that should help with
your problem. Sometimes this occurs when a
user has not logged off correctly or when a
PC that had a connection does not terminate
the session correctly. This will certainly
happen with PC using X emululations.

HTH
-Michael

DocId: KBRC00006252 Updated: 3/23/01 3:48:00 AM

PROBLEM
who shows logins but no PID after a PC that was connected crashed and existed
incorrectly.
RESOLUTION
The utmp file can be manipulated with the fwtmp command.

1.check the last modification time of the /etc/utmp file
ls -l /etc/utmp
-rw-r--r-- 1 root root 1620 Jun 28 09:22 /etc/utmp

2.convert the binary /etc/utmp file to ascii :
/usr/sbin/acct/fwtmp /tmp/utmp.ascii

3.edit the /tmp/utmp.ascii file to remove the old entries
Note : the entries are sorted by date, simply use the login time reported
by
who(1) to find the lines to remove.

4.convert the file back to binary format :
/usr/sbin/acct/fwtmp -ic /tmp/utmp.binary

5.verify that all unwanted entries have been removed from the new file :
who /tmp/utmp.binary

6.verify that the /etc/utmp file has not been modified since the beginning of
this procedure :
ls -l /etc/utmp
-rw-r--r-- 1 root root 1620 Jun 28 09:22 /etc/utmp
If the file has been updated do all the steps again.

7.replace the existing /etc/utmp file with the new one :
mv /tmp/utmp.binary /etc/utmp

8.verify that the file still has the same ownership and permissions :
ls -l /etc/utmp
-rw-r--r-- 1 root root 1600 Jun 28 09:30 /etc/utmp

The who command will now report the correct information.

Anyone for a Mutiny ?
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.