su: Authentication token manipulation error

hacback17 · 02-10-2020, 01:12 AM

Hi everyone,
The code snippet works fine (that means it creates a user, sets a password) but when I try to login as the recently created user, it produces "su: Authentication token manipulation error" error. Please help me understand what's wrong.

Code:

#!/bin/bash

# This script creates a new user on the local system.
# You will be prompted to enter the username (login), the person name, and a password.

# The username, password, and host for the account will be displayed.

# Make sure the script is being executed with superuser privileges.

if [[ "${UID}" -ne 0 ]]
then
	echo 'Please run with sudo or as root.'
	exit 1
fi

# Get the username (login).
read -p 'Enter the username to create: ' USER_NAME

# Get the real name (contents for the description field).
read -p 'Enter the name of the person or application that will be using this account: ' COMMENT

# Get the password.
read -p 'Enter the password to use for the account : ' PASSWORD

# Create the account.
useradd -c "${COMMENT}" -m ${USER_NAME}

# Check to seeif the useradd command succeded.
# We don't want to tell the user that an account was created when it hasn't been.
if [[ "${?}" -ne 0 ]]
then
	echo 'The account could not be created.'
	exit 1
fi

# Set the password
echo ${PASSWORD} | passwd --stdin ${USER_NAME}

if [[ "${?}" -ne 0 ]]
then
	echo 'The password for the account could not be set.'
	exit 1
fi

# Force password change on first login.
passwd -e ${USER_NAME}

# Display the username, password, and the host where the user was created.
echo  #blank line
echo 'username:'
echo "${USER_NAME}"
echo
echo 'password:'
echo "${PASSWORD}"
echo
echo 'host:'
echo "${HOSTNAME}"
exit 0

pan64 · 02-10-2020, 03:14 AM

exactly how did you try to login as the recently created user ?

hacback17 · 02-10-2020, 04:04 AM

Hi, I created a user 'amit', and tried to login as following:

Code:

[vagrant@localusers shellclass]$ su - amit
Password:
You are required to change your password immediately (ro
ot enforced)
Changing password for amit.
(current) UNIX password:
su: Authentication token manipulation error

berndbausch · 02-10-2020, 06:18 AM

My guess is that su, or /etc/pam.d/su, does not support password renewal. It probably only allows switching the user ID.

Try logging in normally, for example ssh amit@localhost.

EDIT: On Centos 8, I can login and change the password with su. However, your distro's su implementation might not support this.

pan64 · 02-10-2020, 07:56 AM

Yes, probably you cannot use su if the password was marked as expired.

scasey · 02-10-2020, 11:33 AM

My guess is that the password entered at the first login doesn't meet the minimum requirements for passwords on the system. i.e.; too short, mixed case, etc.

berndbausch · 02-10-2020, 04:04 PM

Quote:

Originally Posted by scasey

My guess is that the password entered at the first login doesn't meet the minimum requirements for passwords on the system. i.e.; too short, mixed case, etc.

Doesn't matter as the script is run by root.

scasey · 02-10-2020, 04:29 PM

Quote:

Originally Posted by berndbausch

Doesn't matter as the script is run by root.

Sorry. I meant the password entered at the su -, which then required a new password to be entered...although, presumably, that test was being done by su'ing from a different unprivileged user, as an su done by root wouldn't even ask for a password, afaik.