From mboxrd@z Thu Jan 1 00:00:00 1970 From: "Harris, Todd" Subject: missing user name Date: Tue, 31 Jul 2012 15:06:44 -0400 Message-ID: Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="===============3180855174348714757==" Return-path: Received: from mx1.redhat.com (ext-mx15.extmail.prod.ext.phx2.redhat.com [10.5.110.20]) by int-mx01.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id q6VJ6qgv002544 for ; Tue, 31 Jul 2012 15:06:52 -0400 Received: from mail.progeny.net (mail.progeny.net [69.17.18.222]) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id q6VJ6ks8011142 for ; Tue, 31 Jul 2012 15:06:46 -0400 Content-Language: en-US List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: "linux-audit@redhat.com" List-Id: linux-audit@redhat.com --===============3180855174348714757== Content-Language: en-US Content-Type: multipart/alternative; boundary="_000_CE9F636BC12CA0449033D1E0B8B57C440744D27B98ES2K7MBX1prog_" --_000_CE9F636BC12CA0449033D1E0B8B57C440744D27B98ES2K7MBX1prog_ Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable I'm looking at a problem that has me really scratching my head. I've got a rhel 5.4 system that's using likewise and active directory to au= thenticate users, at least ones that are not defined locally. Locally defi= ned users work just fine, but any user that is defined in the active direct= ory server is showing up in events as "unknown(uid)" the uid appears to be = filled out correctly, and if the user is defined locally as well as in acti= ve directory it works just fine, but that kind of defeats the purpose. Als= o failed logins are showing up correctly, but I can't figure out what they = have done to their system to cause this. Can anyone give me a little direc= tion on where I should look to determine what's actually going on. I haven= 't been able to determine how the system actually resolves the user names. Don't know if this is important but we are using the prelude plugin and whe= re we notice the discrepancy is in the output from the prelude-manager, I h= ave not looked to see if it's wrong in the aureords. _______________________________ Todd Harris Progeny Systems Office Number: 703-368-6107 ext517 --_000_CE9F636BC12CA0449033D1E0B8B57C440744D27B98ES2K7MBX1prog_ Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable
I’m looking at a problem that has me really scratching my head.<= /div>
 
I’ve got a rhel 5.4 system that’s using likewise and activ= e directory to authenticate users, at least ones that are not defined local= ly.  Locally defined users work just fine, but any user that is define= d in the active directory server is showing up in events as “unknown(uid)” the uid appears to be filled out corre= ctly, and if the user is defined locally as well as in active directory it = works just fine, but that kind of defeats the purpose.  Also failed lo= gins are showing up correctly, but I can’t figure out what they have done to their system to cause this.  Can anyone giv= e me a little direction on where I should look to determine what’s ac= tually going on.  I haven’t been able to determine how the syste= m actually resolves the user names.
 
Don’t know if this is important but we are using the prelude plu= gin and where we notice the discrepancy is in the output from the prelude-m= anager, I have not looked to see if it’s wrong in the aureords.
 
__________________________= _____
Todd Harris
Progeny Systems
Office Number: 703-368-610= 7 ext517
 
 
 --_000_CE9F636BC12CA0449033D1E0B8B57C440744D27B98ES2K7MBX1prog_-- --===============3180855174348714757== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline --===============3180855174348714757==-- From mboxrd@z Thu Jan 1 00:00:00 1970 From: "Harris, Todd" Subject: RE: missing user name Date: Tue, 31 Jul 2012 16:33:46 -0400 Message-ID: References: <2131072AB2142D4DB1D8B979446D73F8141F7A@0015-its-exmb10.us.saic.com> Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="===============0425656524154551339==" Return-path: Received: from mx1.redhat.com (ext-mx12.extmail.prod.ext.phx2.redhat.com [10.5.110.17]) by int-mx09.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id q6VKXnnB012658 for ; Tue, 31 Jul 2012 16:33:57 -0400 Received: from mail.progeny.net (mail.progeny.net [69.17.18.222]) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id q6VKXl0r002940 for ; Tue, 31 Jul 2012 16:33:47 -0400 In-Reply-To: <2131072AB2142D4DB1D8B979446D73F8141F7A@0015-its-exmb10.us.saic.com> Content-Language: en-US List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: "Saunders, Thomas D. II" , "linux-audit@redhat.com" List-Id: linux-audit@redhat.com --===============0425656524154551339== Content-Language: en-US Content-Type: multipart/alternative; boundary="_000_CE9F636BC12CA0449033D1E0B8B57C440744D27BB1ES2K7MBX1prog_" --_000_CE9F636BC12CA0449033D1E0B8B57C440744D27BB1ES2K7MBX1prog_ Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable We are using a product called Likewise, which was purchased by beyond trust= . I don't know if I mentioned it before but the system works on the other = rhel nodes we have. From: Saunders, Thomas D. II [mailto:THOMAS.D.SAUNDERS.II@saic.com] Sent: Tuesday, July 31, 2012 3:16 PM To: Harris, Todd; linux-audit@redhat.com Subject: RE: missing user name Are you using OpenLDAP to connect to MS AD servers? Tom Saunders | SAIC Senior Information Assurance & Security Engineer phone: 540-653-0986 | fax 540-663-0640 mobile: 540-408-3087| email: SaundersT@saic.com SIPRnet: Thomas.D.Saunders@us.army.smil.mil SIPRnet: Thomas.Saunders@navy.smil.mil Science Applications International Corporation SAIC 16442 Commerce Drive King George, VA 22485 www.saic.com ________________________________ From: linux-audit-bounces@redhat.com= on behalf of Harris, Todd Sent: Tue 7/31/2012 3:06 PM To: linux-audit@redhat.com Subject: missing user name I'm looking at a problem that has me really scratching my head. I've got a rhel 5.4 system that's using likewise and active directory to au= thenticate users, at least ones that are not defined locally. Locally defi= ned users work just fine, but any user that is defined in the active direct= ory server is showing up in events as "unknown(uid)" the uid appears to be = filled out correctly, and if the user is defined locally as well as in acti= ve directory it works just fine, but that kind of defeats the purpose. Als= o failed logins are showing up correctly, but I can't figure out what they = have done to their system to cause this. Can anyone give me a little direc= tion on where I should look to determine what's actually going on. I haven= 't been able to determine how the system actually resolves the user names. Don't know if this is important but we are using the prelude plugin and whe= re we notice the discrepancy is in the output from the prelude-manager, I h= ave not looked to see if it's wrong in the aureords. _______________________________ Todd Harris Progeny Systems Office Number: 703-368-6107 ext517 --_000_CE9F636BC12CA0449033D1E0B8B57C440744D27BB1ES2K7MBX1prog_ Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable

We are us= ing a product called Likewise, which was purchased by beyond trust.  I= don’t know if I mentioned it before but the system works on the othe= r rhel nodes we have.

 

From: Saunders, = Thomas D. II [mailto:THOMAS.D.SAUNDERS.II@saic.com]
Sent: Tuesda= y, July 31, 2012 3:16 PM
To: Harris, Todd; linux-audit@redhat.com=
Subject: RE: missing user name

=

 

Are you using OpenLDAP to connect to MS AD server= s?

 

Tom Saunders = | SAIC
Senior Information Assurance & Security Engineer
phone:&nb= sp;540-653-0986 | fax 540-663-0640

 

Science Applications International Corporation
SAIC
16442 Commerc= e Drive
King George, VA  22485

www.saic.com

&nb= sp;

 

<= hr size=3D2 width=3D"100%" align=3Dcenter>

From: linux-audit-bounces@redhat.com on behalf of Harris, Todd
Sen= t: Tue 7/31/2012 3:06 PM
To: linux-audit@redhat.com
Subject: missing user name

I’m looking at a pr= oblem that has me really scratching my head.

 

I̵= 7;ve got a rhel 5.4 system that’s using likewise and active directory= to authenticate users, at least ones that are not defined locally.  L= ocally defined users work just fine, but any user that is defined in the ac= tive directory server is showing up in events as “unknown(uid)”= the uid appears to be filled out correctly, and if the user is defined loc= ally as well as in active directory it works just fine, but that kind of de= feats the purpose.  Also failed logins are showing up correctly, but I= can’t figure out what they have done to their system to cause this.&= nbsp; Can anyone give me a little direction on where I should look to deter= mine what’s actually going on.  I haven’t been able to det= ermine how the system actually resolves the user names.

 

Don’t know if this is important but we are using the prelude pl= ugin and where we notice the discrepancy is in the output from the prelude-= manager, I have not looked to see if it’s wrong in the aureords.=

 

_______________________________

Todd Harris

= Progeny Systems

Office Number: = 703-368-6107 ext517

 

 

= --_000_CE9F636BC12CA0449033D1E0B8B57C440744D27BB1ES2K7MBX1prog_-- --===============0425656524154551339== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline --===============0425656524154551339==-- From mboxrd@z Thu Jan 1 00:00:00 1970 From: Daniel J Walsh Subject: Re: missing user name Date: Wed, 01 Aug 2012 08:30:07 -0400 Message-ID: <5019214F.1060706@redhat.com> References: <2131072AB2142D4DB1D8B979446D73F8141F7A@0015-its-exmb10.us.saic.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: "Harris, Todd" Cc: "Saunders, Thomas D. II" , "linux-audit@redhat.com" List-Id: linux-audit@redhat.com -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 07/31/2012 04:33 PM, Harris, Todd wrote: > We are using a product called Likewise, which was purchased by beyond > trust. I don?t know if I mentioned it before but the system works on the > other rhel nodes we have. > > Any SELinux issues? > > *From:*Saunders, Thomas D. II [mailto:THOMAS.D.SAUNDERS.II@saic.com] > *Sent:* Tuesday, July 31, 2012 3:16 PM *To:* Harris, Todd; > linux-audit@redhat.com *Subject:* RE: missing user name > > > > Are you using OpenLDAP to connect to MS AD servers? > > > > Tom Saunders | SAIC Senior Information Assurance & Security Engineer phone: > 540-653-0986 | fax 540-663-0640 > > mobile: 540-408-3087| email: SaundersT@saic.com > SIPRnet: Thomas.D.Saunders@us.army.smil.mil > > > SIPRnet: Thomas.Saunders@navy.smil.mil > > > > > Science Applications International Corporation SAIC 16442 Commerce Drive > King George, VA 22485 > > www.saic.com > > > > > > -------------------------------------------------------------------------------- > > *From:*linux-audit-bounces@redhat.com > on behalf of Harris, Todd *Sent:* > Tue 7/31/2012 3:06 PM *To:* linux-audit@redhat.com > *Subject:* missing user name > > I?m looking at a problem that has me really scratching my head. > > > > I?ve got a rhel 5.4 system that?s using likewise and active directory to > authenticate users, at least ones that are not defined locally. Locally > defined users work just fine, but any user that is defined in the active > directory server is showing up in events as ?unknown(uid)? the uid appears > to be filled out correctly, and if the user is defined locally as well as > in active directory it works just fine, but that kind of defeats the > purpose. Also failed logins are showing up correctly, but I can?t figure > out what they have done to their system to cause this. Can anyone give me > a little direction on where I should look to determine what?s actually > going on. I haven?t been able to determine how the system actually > resolves the user names. > > > > Don?t know if this is important but we are using the prelude plugin and > where we notice the discrepancy is in the output from the prelude-manager, > I have not looked to see if it?s wrong in the aureords. > > > > _______________________________ > > Todd Harris > > Progeny Systems > > Office Number: 703-368-6107 ext517 > > > > > > > > -- Linux-audit mailing list Linux-audit@redhat.com > https://www.redhat.com/mailman/listinfo/linux-audit > -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAlAZIU8ACgkQrlYvE4MpobPxqgCguRHT0pqj8ZkRzyOTGrOm9BNP PM0AoKDWAtY8OVQqzJbcM9QGQJmrDfzc =cCap -----END PGP SIGNATURE----- From mboxrd@z Thu Jan 1 00:00:00 1970 From: "Harris, Todd" Subject: RE: missing user name Date: Wed, 1 Aug 2012 11:10:04 -0400 Message-ID: References: <2131072AB2142D4DB1D8B979446D73F8141F7A@0015-its-exmb10.us.saic.com> <5019214F.1060706@redhat.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <5019214F.1060706@redhat.com> Content-Language: en-US List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: Daniel J Walsh Cc: "Saunders, Thomas D. II" , "linux-audit@redhat.com" List-Id: linux-audit@redhat.com SELinux is not running on any of these systems. -----Original Message----- From: Daniel J Walsh [mailto:dwalsh@redhat.com] Sent: Wednesday, August 01, 2012 8:30 AM To: Harris, Todd Cc: Saunders, Thomas D. II; linux-audit@redhat.com Subject: Re: missing user name -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 07/31/2012 04:33 PM, Harris, Todd wrote: > We are using a product called Likewise, which was purchased by beyond > trust. I don?t know if I mentioned it before but the system works on > the other rhel nodes we have. > > Any SELinux issues? > > *From:*Saunders, Thomas D. II [mailto:THOMAS.D.SAUNDERS.II@saic.com] > *Sent:* Tuesday, July 31, 2012 3:16 PM *To:* Harris, Todd; > linux-audit@redhat.com *Subject:* RE: missing user name > > > > Are you using OpenLDAP to connect to MS AD servers? > > > > Tom Saunders | SAIC Senior Information Assurance & Security Engineer phone: > 540-653-0986 | fax 540-663-0640 > > mobile: 540-408-3087| email: SaundersT@saic.com > SIPRnet: > Thomas.D.Saunders@us.army.smil.mil > > > SIPRnet: Thomas.Saunders@navy.smil.mil > > > > > Science Applications International Corporation SAIC 16442 Commerce > Drive King George, VA 22485 > > www.saic.com > > > > > > ---------------------------------------------------------------------- > ---------- > > *From:*linux-audit-bounces@redhat.com > on behalf of Harris, Todd > *Sent:* Tue 7/31/2012 3:06 PM *To:* linux-audit@redhat.com > *Subject:* missing user name > > I?m looking at a problem that has me really scratching my head. > > > > I?ve got a rhel 5.4 system that?s using likewise and active directory > to authenticate users, at least ones that are not defined locally. > Locally defined users work just fine, but any user that is defined in > the active directory server is showing up in events as ?unknown(uid)? > the uid appears to be filled out correctly, and if the user is defined > locally as well as in active directory it works just fine, but that > kind of defeats the purpose. Also failed logins are showing up > correctly, but I can?t figure out what they have done to their system > to cause this. Can anyone give me a little direction on where I > should look to determine what?s actually going on. I haven?t been > able to determine how the system actually resolves the user names. > > > > Don?t know if this is important but we are using the prelude plugin > and where we notice the discrepancy is in the output from the > prelude-manager, I have not looked to see if it?s wrong in the aureords. > > > > _______________________________ > > Todd Harris > > Progeny Systems > > Office Number: 703-368-6107 ext517 > > > > > > > > -- Linux-audit mailing list Linux-audit@redhat.com > https://www.redhat.com/mailman/listinfo/linux-audit > -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAlAZIU8ACgkQrlYvE4MpobPxqgCguRHT0pqj8ZkRzyOTGrOm9BNP PM0AoKDWAtY8OVQqzJbcM9QGQJmrDfzc =cCap -----END PGP SIGNATURE----- From mboxrd@z Thu Jan 1 00:00:00 1970 From: "Saunders, Thomas D. II" Subject: RE: missing user name Date: Tue, 31 Jul 2012 15:16:09 -0400 Message-ID: <2131072AB2142D4DB1D8B979446D73F8141F7A@0015-its-exmb10.us.saic.com> References: Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="===============3482149089477926660==" Return-path: Received: from mx1.redhat.com (ext-mx15.extmail.prod.ext.phx2.redhat.com [10.5.110.20]) by int-mx01.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id q6VJGsqj006969 for ; Tue, 31 Jul 2012 15:16:54 -0400 Received: from mclmx2.mail.saic.com (mclmx2.mail.saic.com [149.8.64.32]) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id q6VJGip6015299 for ; Tue, 31 Jul 2012 15:16:44 -0400 Content-class: urn:content-classes:message List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: "Harris, Todd" , linux-audit@redhat.com List-Id: linux-audit@redhat.com This is a multi-part message in MIME format. --===============3482149089477926660== Content-class: urn:content-classes:message Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01CD6F51.01C539CE" This is a multi-part message in MIME format. ------_=_NextPart_001_01CD6F51.01C539CE Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Are you using OpenLDAP to connect to MS AD servers? =20 Tom Saunders | SAIC Senior Information Assurance & Security Engineer phone: 540-653-0986 | fax 540-663-0640 mobile: 540-408-3087| email: SaundersT@saic.com = =20 SIPRnet: Thomas.D.Saunders@us.army.smil.mil = =20 SIPRnet: Thomas.Saunders@navy.smil.mil = =20 =20 Science Applications International Corporation SAIC 16442 Commerce Drive King George, VA 22485 www.saic.com =20 =20 ________________________________ From: linux-audit-bounces@redhat.com on behalf of Harris, Todd Sent: Tue 7/31/2012 3:06 PM To: linux-audit@redhat.com Subject: missing user name I'm looking at a problem that has me really scratching my head. =20 I've got a rhel 5.4 system that's using likewise and active directory to = authenticate users, at least ones that are not defined locally. Locally = defined users work just fine, but any user that is defined in the active = directory server is showing up in events as "unknown(uid)" the uid = appears to be filled out correctly, and if the user is defined locally = as well as in active directory it works just fine, but that kind of = defeats the purpose. Also failed logins are showing up correctly, but I = can't figure out what they have done to their system to cause this. Can = anyone give me a little direction on where I should look to determine = what's actually going on. I haven't been able to determine how the = system actually resolves the user names. =20 Don't know if this is important but we are using the prelude plugin and = where we notice the discrepancy is in the output from the = prelude-manager, I have not looked to see if it's wrong in the aureords. =20 _______________________________ Todd Harris Progeny Systems Office Number: 703-368-6107 ext517 =20 =20 ------_=_NextPart_001_01CD6F51.01C539CE Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable =0A= =0A= =0A= =0A= =0A= =0A=
=0A=
Are you using = OpenLDAP to connect to MS AD servers?
=0A=
 
=0A=
=0A=
=0A=
Tom Saunders | SAIC
Senior = Information Assurance & Security = Engineer
phone: 540-653-0986 | fax 540-663-0640
=0A=
mobile: 540-408-3087| email: SaundersT@saic.com =
SIPRnet: Thomas.D.Saunders@us.army.smil.mil =0A=
SIPRnet: = Thomas.Saunders@navy.smil.mil =
=0A=
 
=0A=
Science Applications International = Corporation
SAIC
16442 Commerce Drive
King George, VA  = 22485

www.saic.com
=0A=
 
=0A=

=0A=
=0A= From: linux-audit-bounces@redhat.com = on behalf of Harris, Todd
Sent: Tue 7/31/2012 3:06 = PM
To: linux-audit@redhat.com
Subject: missing user = name

=0A=
=0A=
I’m looking at a problem that has me really scratching my = head.
=0A=
 
=0A=
I’ve got a rhel 5.4 system that’s using likewise and = active directory to authenticate users, at least ones that are not = defined locally.  Locally defined users work just fine, but any = user that is defined in the active directory server is showing up in = events as “unknown(uid)” the uid appears to be filled out = correctly, and if the user is defined locally as well as in active = directory it works just fine, but that kind of defeats the = purpose.  Also failed logins are showing up correctly, but I = can’t figure out what they have done to their system to cause = this.  Can anyone give me a little direction on where I should look = to determine what’s actually going on.  I haven’t been = able to determine how the system actually resolves the user names.
=0A=
 
=0A=
Don’t know if this is important but we are using the prelude = plugin and where we notice the discrepancy is in the output from the = prelude-manager, I have not looked to see if it’s wrong in the = aureords.
=0A=
 
=0A=
_______________________________
=0A=
Todd Harris
=0A=
Progeny = Systems
=0A=
Office Number: = 703-368-6107 ext517
=0A=
 
=0A=
 
------_=_NextPart_001_01CD6F51.01C539CE-- --===============3482149089477926660== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline --===============3482149089477926660==-- From mboxrd@z Thu Jan 1 00:00:00 1970 From: Steve Grubb Subject: Re: missing user name Date: Fri, 03 Aug 2012 15:14:32 -0400 Message-ID: <1502137.fsIWu9ny2I@x2> References: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: linux-audit@redhat.com Cc: "Harris, Todd" List-Id: linux-audit@redhat.com On Tuesday, July 31, 2012 03:06:44 PM Harris, Todd wrote: > I'm looking at a problem that has me really scratching my head. > > I've got a rhel 5.4 system that's using likewise and active directory to > authenticate users, at least ones that are not defined locally. Locally > defined users work just fine, but any user that is defined in the active > directory server is showing up in events as "unknown(uid)" the uid appears > to be filled out correctly, and if the user is defined locally as well as > in active directory it works just fine, but that kind of defeats the > purpose. Ausearch/report/libauparse all use the glibc function, getpwuid(). So, the names would need to be available via that function. That said, there are ways to hook it up so that it resolves with NSS or nscd. It would seem like more than just ausearch would have problems resolving user names since getpwnam and getpwuid are central to almost all Linux programs that display uid or names. > Also failed logins are showing up correctly, This is because they are handled differently. They are in an acct field rather than auid field. -Steve