Hi, I tried several things that were recommended to me. None of them resolved the issue. I got some help with dtrace, but I did not get a chance to run it yet. What I did do, was: run the /etc/init.d/acct stop and acctadm stop on each server Checked the adm crontab had commented out all the actions. cleaned up the acct admin files, pacct etc. removed entry in /etc/logadm.conf for pacct: logadm -r /var/adm/pacct None of the above helped in stopping the mystery truncation of lastlog at 2:30am daily! The solution, which is simple enough, was to stop and restart crond. Although the jobs were hashed out, it seems that when I checked the cron log, it was still running the actions for adm user, even though: The actions were hashed out in the crontab adm was not in /etc/cron.d/cron.allow crontab -e adm would error and say this user is not permitted to run cron jobs. So, I added adm to /etc/cron.d/cron.deny to be sure and restarted crond to be doubly sure. Next time I checked after this, the lastlog had started accumulating. I think there is a bug in cron, that is causing it to cache hashed entries. When I checked this problem box, it had had the crontab from adm hashed out but it was still running the tasks at 2:30am. I do not know what is up with that, but I have added a restart of crond to my remediation script to ensure it goes away. Thanks to everyone who replied with potential solutions. I will still follow up with the dtrace, for my own enjoyment/education! rachel -- rachel polanskis <r.polanskis@uws.edu.au> <grove@zeta.org.au> On 04/10/2011, at 12:46, grove@zeta.org.au wrote: > Hi, > On Solaris 10, Zones, various versions but not all..... > > ....we have a strange config error that keeps popping up. > > I noted on many systems, lastlog was being truncated everyday. > I have disabled process accounting or at least thought I had. > > But "something" at 2:30AM daily is truncating lastlog. > > > I have done /etc/init.d/acct stop > I have done /etc/init.d/acctadm stop > moved /etc/rc3.d/S22acct to _S22acct > > Edited /etc/logadm.conf with logadm -r /var/adm/pacct to remove the entry (it reappears daily). > > > There is no cron job running at 2:30AM daily. > > > There are no acct processes running on the system. > > > I have cleaned up this issue on several systems and on some of them, it just > carries on doing it regardless. > > Does anyone have any ideas? There are no phantom at jobs running, nor user > scripts. It is like the acct stuff is just running even though it's disabled > entirely. > > > Please assist - I have been working on this one for ages now! > > > > rachel > > -- > Rachel Polanskis Kingswood, Greater Western Sydney, Australia > grove_at_zeta.org.au http://www.zeta.org.au/~grove/grove.html > "The perversity of the Universe tends towards a maximum." - Finagle's Law > _______________________________________________ > sunmanagers mailing list > sunmanagers@sunmanagers.org > http://www.sunmanagers.org/mailman/listinfo/sunmanagers _______________________________________________ sunmanagers mailing list sunmanagers@sunmanagers.org http://www.sunmanagers.org/mailman/listinfo/sunmanagersReceived on Wed Oct 5 19:49:34 2011
This archive was generated by hypermail 2.1.8 : Thu Mar 03 2016 - 06:44:18 EST