SUMMARY: last stopped working

From: Martin Mokrejs <mmokrejs_at_natur.cuni.cz>
Date: Sat, 09 Jan 1999 02:28:07 +0100 (MET)

Thanks to all of you who spent the time with my message. It seems that
something in the system got confused. The command I was looking for was
"/usr/sbin/acct/nulladm /var/adm/wtmp", or better, the steps below.
I remembered it was related to the acct commands. As you will find below, you can
forget this command, it's useless. OK, it should restore the default owner and
perms on any acct files, so it's better than touch or other methods....

This re-created the wtmp file as follows:
-rw-rw-r-- 1 adm adm 0 Jan 9 01:40 /var/adm/wtmp
However, I did this after all other attempts to find the problem, even now
I still have a copy of that old wtmp file if someone will respond with
something new. Most of you recommended "cp /dev/null /var/adm/wtmp".


I tried 3 approaches - to be found below. The 1st in combination with 3rd
worked and preserved old data before Dec 16.
----------------------
1. I did use fwtmp as shown in manpage:

EXAMPLES

   1. To convert binary /var/adm/wtmp records in type utmp structure format
       to an ASCII file called dummy.file, enter a command similar to the
       following:
            /usr/sbin/acct/fwtmp < /var/adm/wtmp > dummy.file
       The content of binary file /var/adm/wtmpfile as input is redirected to
       dummy.file as ASCII output.


My file had these lines 10% before EOF:

                                                ftp3140 03140 08 0000 0000 91379
5233 Wed Dec 16 09:00:33 1998 MET
blazkova q4 ttyq4 03585 07 0000 0000 91379
5260 lotus.natur.cuni.cz Wed Dec 16 09:01:00 1998 MET
                                 ^P ttyq8 -09877 00 0001 0000 9
13795261 Wed Dec 16 09:01:01 1998 MET
                                 ^P ttyq4 -09877 00 0001 0000 9
13795268 Wed Dec 16 09:01:08 1998 MET
                                 ^A 00000 13943 0000 0000
       0 Thu Jan 1 01:00:00 1970 MET
                                 ^A 00000 13943 0000 0000
       0 Thu Jan 1 01:00:00 1970 MET
                                                                                 26978 13943 27063 60556
779253108 cuni.cz Sun Sep 11 05:11:48 1994 MET DS
T
                                 ^A 00000 13943 0000 0000
       0 Thu Jan 1 01:00:00 1970 MET
                                 ^A 00000 13943 0000 0000
       0 Thu Jan 1 01:00:00 1970 MET
                                 ^A 00000 13943 0000 0000
       0 Thu Jan 1 01:00:00 1970 MET
                                 ^A 00000 13943 0000 0000
      0 Thu Jan 1 01:00:00 1970 MET
                                                                                 00000 13974 0000 0000

[skip]

      0 Thu Jan 1 01:00:00 1970 MET
                                                                                 12650 13974 67056 74145 1
818588206 .cz Wed Aug 18 13:23:26 2027 MET DS
T



The machine is running xntpd-4 to synchronize clocks to the network time.
Date and time commands do show proper time even now! I'm pretty sure
that the local time settings are fine all the time, because we are running
kerberos, which accepts only 5 min difference between machines. Those
"synchronisation lost" are just informational, not harmful, so I don't
see any problem reported by xntpd!

10 Dec 07:20:47 ntpd[458]: ntpd 4.0.73e12 Sat Oct 24 01:20:35 MET DST 1998 (1)
10 Dec 07:20:47 ntpd[458]: precision = 976 usec
10 Dec 07:20:47 ntpd[458]: using kernel phase-lock loop 0041
10 Dec 07:20:47 ntpd[458]: frequency initialized 4.369 from /etc/ntp.drift
10 Dec 07:20:47 ntpd[458]: using kernel phase-lock loop 0041
10 Dec 07:27:18 ntpd[458]: time reset 0.351861 s
10 Dec 07:27:18 ntpd[458]: synchronisation lost
10 Dec 07:31:39 ntpd[458]: kernel pll status change 41
10 Dec 18:50:31 ntpd[458]: synchronisation lost
11 Dec 00:16:28 ntpd[458]: time reset -0.138240 s
11 Dec 00:16:28 ntpd[458]: synchronisation lost
12 Dec 01:46:44 ntpd[458]: synchronisation lost
16 Dec 11:24:28 ntpd[458]: synchronisation lost
16 Dec 20:33:51 ntpd[458]: synchronisation lost
18 Dec 16:34:09 ntpd[458]: synchronisation lost
19 Dec 11:59:15 ntpd[458]: ntpd exiting on signal 15
19 Dec 13:43:28 ntpd[631]: logging to file /var/log/xntpd.log
19 Dec 13:43:28 ntpd[631]: ntpd 4.0.73e12 Sat Oct 24 01:20:35 MET DST 1998 (1)
19 Dec 13:43:28 ntpd[631]: precision = 976 usec
19 Dec 13:43:28 ntpd[631]: using kernel phase-lock loop 0041
19 Dec 13:43:28 ntpd[631]: frequency initialized -0.637 from /etc/ntp.drift


The idea that the time got mangled even for a brief amount of time
I don't believe is true, even though this would explain why the system was unable
to write into a wtmp with broken structure. However, I didn't see any warnings
from wtmpfix while converting it to a plaintext file, so I think the structure
was intact.

-----------------------------
2. Another approach was:

root_at_prfdec# /usr/sbin/acct/wtmpfix /var/adm/wtmp
wtmpfix: logname "getty /dev/lat/620 console vt100" changed to "INVALID"
wtmpfix: logname "getty /dev/lat/621 console vt100" changed to "INVALID"
wtmpfix: logname "uugetty -r -t 60 /dev/tty00 1920" changed to "INVALID"
[skip]
Bad file at offset 7163364
ttypd 897930642 Mon Jun 15 19:10:42 1998 MET DST
root_at_prfdec#

However, after logging in from remote and logging off, the entry did not appear
in the wtmpfix-ed wtmp.


---------------
3. I also tried to preserve old entries from the ASCII-exported wtmp, and
re-created the binary wtmp from that ASCII input.

/usr/sbin/acct/fwtmp -ic < ./dummy.file > /var/adm/wtmp

THIS WAS THE WAY TO GO! After this, all new logins are written into wtmp.


Thanks to all who replied:
Nancy J. Young <young_at_nuc003.psc.sc.edu>
Jim Belonis <belonis_at_dirac.phys.washington.edu>
Paul Crittenden <crittend_at_storm.simpson.edu>
Ann Cantelow <cantelow_at_athena.csdco.com>
John Speno <speno_at_isc.upenn.edu>


Original question:
> > Hello,
> > I have a problem. ;-)
> >
> > the "last" reports entries only older than Dec16. However, it seems that
> > wtmp is updated properly:
> >
> > prfdec$ ls -la /var/adm/utmp
> > -rw-r--r-- 1 root adm 7800 Jan 8 21:35 /var/adm/utmp
> > prfdec$ ls -la /var/adm/wtmp
> > -rwxr-xr-x 1 root system 42158364 Jan 8 21:35 /var/adm/wtmp
> > prfdec$
> >
> > The machine is 4.0D with DUV40DAS00003-19981120.tar applied - without the
> > ASE part. However, the patch I applied on Dec 8, so I don't expect the
> > problem to be related to the patch. Isn't the last command affected by
> > wtmp file size? It's a bit large. I could re-create the file (does anybody
> > remember the command to re-create an empty wtmp? -I know there's one in the
> > archives... ;-)) --But is not my primary question: So, why last doesn't
> > work anymore? "who" and "w" do report currently logged in users.

--
Martin Mokrejs - PGP 5.0i key at: finger://mail.natur.cuni.cz/mmokrejs
<mmokrejs_at_natur.cuni.cz> Faculty of Science, The Charles University
Received on Sat Jan 09 1999 - 01:31:43 NZDT
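
Added example (not part of the original message): a filter that scans an fwtmp ASCII dump for records like the zero-time, 1994 and 2027 entries shown above, so the damaged region can be located before rebuilding the file with "fwtmp -ic". The function names, the accepted time window and the assumption that each record sits on one line with the epoch seconds directly before an optional hostname and the weekday are illustrative; the sample records are constructed from the wrapped lines in the message.

```shell
#!/bin/sh
# check_wtmp_dump MIN_EPOCH MAX_EPOCH  (hypothetical helper, reads stdin)
# Reads fwtmp ASCII output and prints "LINE EPOCH REASON" for each record
# whose timestamp is zero, outside [MIN, MAX], or earlier than the last
# good record. Assumed layout: ... EPOCH [HOST] Weekday Mon DD HH:MM:SS YYYY TZ
check_wtmp_dump() {
    awk -v min="$1" -v max="$2" '
    {
        epoch = ""
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$/) {
                # epoch is directly before the weekday, or before the host
                if ($(i-1) ~ /^[0-9]+$/) epoch = $(i-1)
                else if (i > 2 && $(i-2) ~ /^[0-9]+$/) epoch = $(i-2)
                break
            }
        }
        if (epoch == "")         { print NR, "-", "unparsable"; next }
        if (epoch + 0 == 0)      { print NR, epoch, "zero-time"; next }
        if (epoch + 0 < min + 0) { print NR, epoch, "too-old"; next }
        if (epoch + 0 > max + 0) { print NR, epoch, "future"; next }
        if (epoch + 0 < prev + 0) print NR, epoch, "goes-backwards"
        prev = epoch
    }'
}

# Constructed sample: records from the message, rejoined onto one line each.
sample_dump() {
    cat <<'EOF'
ftp3140 ftp3140 03140 08 0000 0000 913795233 Wed Dec 16 09:00:33 1998 MET
blazkova q4 ttyq4 03585 07 0000 0000 913795260 lotus.natur.cuni.cz Wed Dec 16 09:01:00 1998 MET
 00000 13943 0000 0000 0 Thu Jan 1 01:00:00 1970 MET
 26978 13943 27063 60556 779253108 cuni.cz Sun Sep 11 05:11:48 1994 MET DST
 12650 13974 67056 74145 1818588206 .cz Wed Aug 18 13:23:26 2027 MET DST
EOF
}

# Window assumed here: 1997-01-01 to 1999-01-09 (UTC epoch seconds).
sample_dump | check_wtmp_dump 852076800 915840000
```

On the real system the input would come from "/usr/sbin/acct/fwtmp < /var/adm/wtmp"; the flagged line numbers show where to cut dummy.file before feeding it back through "fwtmp -ic".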