Who shows (unknown) user logged-in: what’s going on

Tags: users, w, who

On a RHEL 7.3 server, I was trying to find logged-in users. I ran w and it told me there were two users, but it only showed me the info of one (myself); then I ran who, which displayed the other user as (unknown). Finally, I ran lastlog, whose output let me match the login date and port from who's output and find that the unknown user is actually gdm.

$ w
 09:33:36 up 4 days, 15:22,  2 users,  load average: 0.00, 0.01, 0.05
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
myusr     pts/0    172.16.23.113    09:32    0.00s  0.06s  0.03s w

$ who
(unknown) :0           2017-07-01 18:13 (:0)
myusr     pts/0        2017-07-06 09:32 (172.16.23.113)

$ lastlog 
Username         Port     From             Latest
...
gdm              :0                        Sat Jul  1 18:13:23 -0500 2017
...

The server is a Supermicro machine and from time to time I connect to it using IPMI2's KVM over LAN feature. But I don't remember anything weird happening when connecting like that.

This doesn't seem normal. What could have happened?

Best Answer

After reading Centimane's comment on /var/run/utmp and searching differently, I found this Fedora forum thread, which mentioned that the issue is provoked by a bug in GDM, which creates a bad entry in /var/run/utmp. Eventually I even found a bug report for it and another here.
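To triage an entry like this, it helps to read /var/run/utmp directly and flag login records whose user field is not a real account or whose PID is no longer running. The following is an added example, not code from the post or from GDM; it assumes the glibc struct utmp layout on x86_64 Linux and that the bad record stores the name as who prints it, and the function names and sample records are constructed for illustration.

```python
import os
import pwd
import struct

# Layout of glibc's struct utmp on x86_64 Linux (assumption; 384 bytes per record).
UTMP_FMT = "<h2xi32s4s32s256shhiii4i20s"
UTMP_SIZE = struct.calcsize(UTMP_FMT)
USER_PROCESS = 7  # ut_type value for a normal login session

def _text(raw):
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")  # strip NUL padding

def parse_utmp(data):
    """Yield one dict per complete utmp record in data."""
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        yield {"type": f[0], "pid": f[1], "line": _text(f[2]),
               "user": _text(f[4]), "host": _text(f[5]), "time": f[9]}

def account_exists(name):
    try:
        pwd.getpwnam(name)
        return True
    except KeyError:
        return False

def pid_alive(pid):
    return pid > 0 and os.path.exists(f"/proc/{pid}")

def odd_sessions(data, account_exists=account_exists, pid_alive=pid_alive):
    """Return (record, reasons) for login sessions that do not check out."""
    found = []
    for rec in (r for r in parse_utmp(data) if r["type"] == USER_PROCESS):
        reasons = []
        if not account_exists(rec["user"]):
            reasons.append("user is not an account")
        if not pid_alive(rec["pid"]):
            reasons.append("pid not running")
        if reasons:
            found.append((rec, reasons))
    return found

def make_record(ut_type, pid, line, user, host, sec):  # constructed sample data
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, sec, 0, 0, 0, 0, 0, b"")

if __name__ == "__main__":
    with open("/var/run/utmp", "rb") as fh:
        for rec, reasons in odd_sessions(fh.read()):
            print(rec["user"], rec["line"], rec["pid"], "; ".join(reasons))
```

A flagged record whose PID belongs to a display manager process points to a stale or malformed entry rather than an interactive login.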
