SUMMARY: Weird problem with lastlog truncation

From: Rachel Polanskis <>
Date: Wed Oct 05 2011 - 19:50:55 EDT
I tried several things that were recommended to me.  None of them resolved the
I got some help with dtrace, but I did not get a chance to run it yet.

What I did do, was:

run the /etc/init.d/acct stop and acctadm stop on each server
Checked the adm crontab had commented out all the actions.
cleaned up the acct admin files, pacct etc.
removed entry in /etc/logadm.conf for pacct:  logadm -r /var/adm/pacct

None of the above helped in stopping the mystery truncation of lastlog
at 2:30am daily!

The solution, which is simple enough, was to stop and restart crond.

Although the jobs were hashed out, it seems that
when I checked the cron log, it was still running the actions for adm user,
even though:

The actions were hashed out in the crontab
adm was not in /etc/cron.d/cron.allow
crontab -e adm would error and say this user is not permitted to run cron

So, I added adm to /etc/cron.d/cron.deny to be sure and restarted crond to be

Next time I checked after this, the lastlog had started accumulating.
I think there is a bug in cron, that is causing it to cache hashed entries.
When I checked
this problem box, it had had the crontab from adm hashed out but it was still
running the tasks
at 2:30am.

I do not know what is up with that, but I have added a restart of crond to my
remediation script to ensure it goes away.

Thanks to everyone who replied with potential solutions.  I will still follow
with the dtrace, for my own enjoyment/education!

rachel polanskis

On 04/10/2011, at 12:46, wrote:

> Hi,
> On Solaris 10, Zones, various versions but not all.....
> ....we have a strange config error that keeps popping up.
> I noted on many systems, lastlog was being truncated everyday.
> I have disabled process accounting or at least thought I had.
> But "something" at 2:30AM daily is truncating lastlog.
> I have done /etc/init.d/acct stop
> I have done /etc/init.d/acctadm stop
> moved /etc/rc3.d/S22acct to _S22acct
> Edited /etc/logadm.conf with logadm -r /var/adm/pacct to remove the entry
(it reappears daily).
> There is no cron job running at 2:30AM daily.
> There are no acct processes running on the system.
> I have cleaned up this issue on several systems and on some of them, it just
> carries on doing it regardless.
> Does anyone have any ideas?    There are no phantom at jobs running, nor
> scripts.   It is like the acct stuff is just running even though it's
> entirely.
> Please assist - I have been working on this one for ages now!
> rachel
> --
> Rachel Polanskis                 Kingswood, Greater Western Sydney,
>    "The perversity of the Universe tends towards a maximum." - Finagle's
> _______________________________________________
> sunmanagers mailing list
sunmanagers mailing list
Received on Wed Oct 5 19:49:34 2011

This archive was generated by hypermail 2.1.8 : Thu Mar 03 2016 - 06:44:18 EST