Yes the are users logging in (see "last" output). "finger" said no one logged on ??.
We are using the default network login. The server was rebooted 2 days ago with missing /proc directory. I have to create the /proc directory manually else the "w" command will return an error "/proc missing file or directory ... sometime like that". Now that the /proc is created, "w" command does return any error message other than the "0 users" problem.
---------------------------------
$ last -n 10
informix pts/21 192.xx.x.xxx Thu Oct 16 15:36 - 15:38 (00:01)
rnd pts/13 192.xx.x.xxx Thu Oct 16 15:31 - 15:33 (00:02)
rnd pts/6 192.xx.x.xxx Thu Oct 16 15:29 - 15:33 (00:04)
eir pts/38 192.xx.x.xxx Thu Oct 16 15:18 - 15:18 (00:00)
eir pts/18 192.xx.x.xxx Thu Oct 16 15:17 - 15:18 (00:00)
eir pts/5 192.xx.x.xxx Thu Oct 16 15:17 - 15:18 (00:00)
eir pts/11 192.xx.x.xxx Thu Oct 16 15:02 - 15:03 (00:00)
rnd pts/36 192.xx.x.xxx Thu Oct 16 14:46 - 14:48 (00:02)
eir pts/41 192.xx.x.xxx Thu Oct 16 14:35 - 14:38 (00:02)
informix pts/12 192.xx.x.xxx Thu Oct 16 14:33 - 14:38 (00:04)
$ finger
No one logged on
$ finger rnd
Login name: rnd In real life: RND Staff Only
Directory: /export/home/rnd Shell: /bin/sh
Last login Thu Oct 16 15:31 on pts/13 from 192.168.1.144
No unread mail
No Plan.
$ w
3:47pm up 2 day(s), 22:01, 0 users, load average: 1.00, 0.93, 0.91
User tty login@ idle JCPU PCPU what
-----------------------------
What you are showing now with "last -n 10" is that lot's of users were logged in, but now anymore. It displays starting-time and time of logout. between the "(" it shows the total time they have been logged in, only a couple of minutes, so therefor you can only make a good example of it when someone really is logged in.
If one is "last -n 10" displays (still logged in) and of course no time of logout.
Example:
g1161d ftp server1 Thu Oct 16 10:00 still logged in
g1161d ftp server1 Thu Oct 16 09:47 - 09:47 (00:00)
sys007 pts/tc server1 Thu Oct 16 08:30 still logged in
Note that "w" and "who" are have different output. Perderabo made a very interesting remark about it once, but I can't find it anymore
Depending on your release, who reads either /var/adm/utmp or /var/adm/utmpx. Which ever it is, it must exist and be world readable. If /proc was missing, maybe /var/adm was also trashed?
wtmp or utmp may have the wrong permissions, or may be corrupted. telnetd has been known to cause corruption issues.
Try this at your own risk:
With no users on your system, take backup copies of wtmp and utmp. Delete wtmp and utmp. Then try logging on a few sessions and see if the output is correct. Make sure the files have been re-created at this point. If not, some unix flavors require you to do a touch and recreate the files.