LinuxQuestions.org
Old 07-20-2006, 10:16 AM   #1
goodrookie
LQ Newbie
 
Registered: Jul 2006
Posts: 1

Rep: Reputation: 0
Lastlog file -> missing users???


Hi, everyone.

I'm analyzing a Linux server that is used as a Primary Domain Controller. Specifically, I have to check the last login date/times for each user and I see the following:

- Most users have "Never logged in", when I KNOW that they do log in every day...how is this possible???
- Some users don't appear in the lastlog file, but they are listed in the passwd file...how is this possible???

Note: the workstations in this LAN have Windows 2000 PRO installed.

Could you please help me understand this situation?

Thanks so much.

Carlos.
 
Old 07-20-2006, 10:55 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
utmp: currently logged in users. Tool: who/w.
lastlog: only info about the user's last login. Tool: lastlog.
wtmp: info about every user ever logged in. Tool: last or Chkrootkit's chklastlog.

* Note these might get logrotated so you will want to check the archives.
** If the archives show nothing then you probably should check the "utmp = No/Yes" setting in smb.conf.

Last edited by unSpawn; 07-20-2006 at 11:19 AM. Reason: //dep: Samba config
 
Old 07-20-2006, 11:57 AM   #3
marozsas
Senior Member
 
Registered: Dec 2005
Location: Campinas/SP - Brazil
Distribution: SuSE, RHEL, Fedora, Ubuntu
Posts: 1,499
Blog Entries: 2

Rep: Reputation: 68
And these tools/databases only hold login information for users who __really__ have logged in to this system.

Samba users are not logged by these tools!
For Samba users you must check the files in /var/log/samba.
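Added example, not written by any poster in this thread: a cross-check of passwd accounts against lastlog records, showing how an account that never logs in locally ends up with an empty slot or no slot at all. It assumes the glibc Linux `struct lastlog` layout (292-byte records indexed by UID); the accounts and the lastlog contents are constructed sample data.

```python
import struct

# Assumed layout: glibc "struct lastlog" on Linux (int32 ll_time,
# char ll_line[32], char ll_host[256]); the file is an array indexed by UID.
REC = struct.Struct("=i32s256s")  # 292 bytes per UID slot

def parse_lastlog(blob):
    """Return {uid: (epoch, line, host)} for slots with a recorded login."""
    seen = {}
    for uid in range(len(blob) // REC.size):
        ts, line, host = REC.unpack_from(blob, uid * REC.size)
        if ts:  # an all-zero slot means no local login was recorded
            seen[uid] = (ts, line.split(b"\0")[0].decode(),
                         host.split(b"\0")[0].decode())
    return seen

def audit(passwd_text, blob):
    """Classify each passwd account against the lastlog data."""
    seen, slots, report = parse_lastlog(blob), len(blob) // REC.size, {}
    for entry in passwd_text.strip().splitlines():
        fields = entry.split(":")
        name, uid = fields[0], int(fields[2])
        if uid in seen:
            report[name] = "logged in locally"
        elif uid < slots:
            report[name] = "never logged in (empty slot)"
        else:
            report[name] = "no slot (UID beyond end of file)"
    return report

# Constructed sample data: three accounts, lastlog covering UIDs 0-1001.
PASSWD = """root:x:0:0:root:/root:/bin/bash
alice:x:1001:100:Samba-only user:/home/alice:/bin/false
bob:x:1500:100:Samba-only user:/home/bob:/bin/false
"""
LASTLOG = bytearray(REC.size * 1002)
REC.pack_into(LASTLOG, 0, 1153400000, b"tty1", b"")  # root on tty1

if __name__ == "__main__":
    for user, state in audit(PASSWD, bytes(LASTLOG)).items():
        print(f"{user:8} {state}")
```

To run it against a real system, pass the contents of /etc/passwd and the bytes of /var/log/lastlog to `audit()`; connection records for Samba-only accounts still have to be looked up in the Samba logs.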
 
  

