>Ideally you would also find an entry using last(1) that would be a little more accurate. If you don't find any entries, that may explain things?
First off, that may not be true either. What if I DID find entries in wtmp? What then? The info in the TCB is still wrong and the accounts are still getting locked because the corresponding entry in the TCB is outdated. And yes, wtmp is getting updated as users log in each day. On the other hand, if I don't find entries in wtmp, the info in the TCB is still wrong. As I've said, I've verified that users have logged in and their account still gets locked. What more do you want me to do?
Here's the thing. We have to clear wtmp every day for security purposes. That's why I was using lastb as a reference. And again, I've verified (physically, not via the system) that users WERE logged in in the last few days.
As I said, this has also happened to _MY_ normal user account and four days later it was locked. I checked the entry in the TCB for _MY_ account and it showed that my last successful login was over 30 days old, yet I just logged in to that very account just days prior. So it's not a case of the "users" not telling me accurate information (which I think is what was being implied and I agree that can happen, but that is clearly not the case here). As I've said several times, I've verified the accuracy (or lack thereof) of the information in the TCB. IT'S WRONG. As I have asked several times, why?
Yesterday I also verified that the entries (u_max_llogin for example) in /tcb/files/auth/system/default were also set correctly. They are. Yet the accounts are still getting locked after a few days (it appears to be 4). And it's because their u_suclog date is over 30 days old, yet they were logged in within just the last couple of days. So it seems very clear that this entry is getting updated with bad information. My question is, why? What would cause this?
This is on 11.11, BTW.
If you do nothing else in with your life, make friends with a dog.
