> Does anyone have a logical explanation for this? My "textbook" is a little rusty as this is knowledge from my HP-UX days but here goes:-
Linux / Unix keeps a record of users login in and out in the utmp file (for example on RH its /var/run/utmp). When a user logs in its recorded, when a user is logs out its recorded. When you do who (or other such commands inc userdel) the process trawls through the utmp file looking for matches. No match - assume still logged in (comput login times etc. from date stamp on start record. Transaction roll back or not, if you have a power cut and you are logged in as user X, process that use the utmp file will incorrectly assume user X is still logged in after restoration. If you dont mind loosing your history of loggins, just remove the /var/run/utmp and touch it to create a blank one (please check and restore appropriate permissions). Of course you want to do this when nobody is logged in otherwise the situation is reversed and people who are currently logged in are not picked up (because the start entry is missing), however if there is no start entry luckly the logout doesnt record the end entry ( or the who / userdel just ignores unmatched logout records) so eventually once everybody who was logged in at the time you delete the utmp file is logged out the status quo is restored. Why deleting your Win2k solved it .... I suspect it had nothing to do with it, however it is quite possible that you distro has cleanup scripts which "archive" the wtmp and utmp files. It is therefore most likely that these where triggered at some point and cleaned up your problem independantly of your win2k account settings. If you are feeling brave or have a test server you dont mind getting (potentially) trashed try it ... Log your self on, wait for sync to flush the utmp buffer to utmp file (so that you have the login entry on file) (or do a sync call from root) then turn the power off. Note: AFAIK utmp only works with "physical" logins eg telnet, X-terminal, console. It does not record client server type connections (eg webserver, db engine etc...). wtmp by the way if you where wandering is the record of bad logins good for checking for "forced" cracking, but also used by hackers (as sometimes people put their password in the login field by mistake and this gets recorded "plain text" in wtmp). Note also that wtmp and utmp are compressed, there are some tools for viewing these files but I havent touched on them for ages, I think they are part of the accounting package but dont quote me on that one. Hope this helps Tom. -- Philippine Linux Users' Group (PLUG) Mailing List [EMAIL PROTECTED] (#PLUG @ irc.free.net.ph) Official Website: http://plug.linux.org.ph Searchable Archives: http://marc.free.net.ph . To leave, go to http://lists.q-linux.com/mailman/listinfo/plug . Are you a Linux newbie? To join the newbie list, go to http://lists.q-linux.com/mailman/listinfo/ph-linux-newbie
