I am new to Linux. I have purchased a book, "Linux Network Servers 24Seven". There is a chapter that says how to create a user via the passwd file:
1. pico /etc/passwd
2. add a user name: manny::503:503:Manny Fernandez:/home/manny:/bin/bash
3. Create a home dir : mkdir /home/manny
4. Copy the contents of /etc/skel
5. Change ownership: chown manny:users /home/manny
6. Change password: passwd manny
When I do step 6, I get an error "Authentication Token Manipulation Error". If I use Linuxconf it works fine, but I would like to learn the hard way so that when I use the "Helper Apps" I know what it is actually doing.
If you are running shadowed passwords, it might be there's no entry for this user. Make a backup of /etc/shadow, delete /etc/shadow and convert /etc/passwd using pwconvert.
Same goes for /etc/groups.
I have a question about your response though. When I am using shadowed passwords, can I still create a user from the passwd file or should I use the linuxconf?
Does that pwconvert somehow pull the passwd file and allow me to apply a password to the users that are in the passwd file?
Linuxconf is easier but you can still use /etc/passwd to add users.
pwconv creates /etc/shadow from /etc/passwd, replacing passwords with asterisks in /etc/passwd.
I think you've gotta rerun pwconv each time you *add* a user. Linuxconf though will do the whole sequence by itself; at least I never had a problem with Linuxconf & shadow.
Manfernandez, here's an example to read:
1. echo "manny:x:503:503:Manny Fernandez:/home/manny:/bin/bash" >> /etc/passwd
2. echo "manny::11302:0:99999:7:::" >> /etc/shadow
3. mkdir /home/manny
4. chown 503 /home/manny
5. chmod 700 /home/manny
6. passwd manny
If using NIS, you MUST remember to update the NIS domain's authentication files by executing the make command in the /var/yp directory.
Otherwise, you will not log in anymore until you restart the machine and make some contingency process.
Sorry to get in late on the fun, but I ran into this problem myself and thought I'd post some advice.
I was trying to change the password of a local user (CentOS 4.2, but that's irrelevant for the most part) when I encountered the error below:
[root@localhost ~]# passwd someuser
passwd: Authentication token manipulation error.
For me, the problem was caused entirely by the username in the password file being different from the username in the shadow file. Editing /etc/shadow's someuser entry to match the entry in /etc/passwd solved the problem.
WRT the above advice of editing the password file directly, in short, DON'T. That's pretty much what screwed me up. There's a couple utilities you should be made aware of that will make your life easier.
First up, the humble `passwd' command. It changes passwords, 'nuff said.
Next up, `adduser'. Use this to create users. Generally, the form of `adduser <username>' is usually enough. Use `passwd <username>' to then set the password. (see above.)
Next up, `usermod'. Most of the time, people modify the passwd file to change a shell (usermod -s <shell> <username>), change a username (usermod -l <newusername> <oldusername>), or change group info (-G adds users to new groups, -g changes primary group).
Next, `chfn'. This tool changes the GECOS Fields in /etc/passwd for you, so you don't mess it up.
Lastly, should you for some sadistic reason desire to edit the passwd and shadow fields manually, at least use `vipw' (for editing passwd) and `vigr' (for editing groups). These tools will remind you to edit /etc/shadow and /etc/gshadow if need be.
WRT using the [un]shadow utilities, you should remember not to do that on a multi-user system while other users are logged in. Someone could VERY easily snarf your unprotected passwd file with all the hashes after running `pwunconv'. Remember, /etc/passwd HAS to be world readable, or most PAM modules and other authentication systems (NIS) fail.
As for Linuxconf, stay far far away.
p.s.: A colleague informed me that calling the above "the right way" is somewhat misleading. So let me clarify: unless you know exactly what you're doing, use the utilities provided to you by the OS. You'll be much better off until you learn the structure of /etc/passwd, /etc/shadow, and /etc/group.
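An added example, not part of any post in this thread: a read-only shell check for the two causes named above, a passwd user with no shadow entry and a shadow username that does not match passwd, plus empty password fields. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: cross-check a passwd file against a shadow file. Read-only.
# audit_accounts PASSWD_FILE SHADOW_FILE: print sorted findings, return 1 if any.
audit_accounts() {
    findings=$(awk -F: '
        $0 == "" || /^#/ { next }            # skip blank lines and comments
        FILENAME == ARGV[1] {                # first file: passwd format
            pw[$1] = 1
            if (NF != 7) printf "passwd: %s has %d fields, expected 7\n", $1, NF
            if ($2 == "") printf "passwd: %s has an empty password field\n", $1
            next
        }
        {                                    # second file: shadow format
            sh[$1] = 1
            if (!($1 in pw)) printf "shadow: %s has no passwd entry\n", $1
            if ($2 == "") printf "shadow: %s has an empty password field\n", $1
        }
        END {
            for (u in pw)
                if (!(u in sh)) printf "passwd: %s has no shadow entry\n", u
        }
    ' "$1" "$2" | sort)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# make_sample DIR: write constructed sample files (not real accounts).
make_sample() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
manny::503:503:Manny Fernandez:/home/manny:/bin/bash
someuser:x:504:504::/home/someuser:/bin/bash
EOF
    cat > "$1/shadow" <<'EOF'
root:!!:11302:0:99999:7:::
some_user:!!:11302:0:99999:7:::
EOF
}

# Demo on the constructed files; point the function at copies of real files to audit them.
tmp=$(mktemp -d)
make_sample "$tmp"
audit_accounts "$tmp/passwd" "$tmp/shadow" || echo "(findings listed above)"
rm -rf "$tmp"
```

On a live system, `pwck -r` from the shadow utilities performs this kind of consistency check against the real files without modifying them.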
This is kind of sad, but I have recently run into this problem as well. In my case, it was a system which was using LDAP for authentication, and appears to be very confused now.
In the end, I had to cat all of the passwd and shadow entries in LDAP into /etc/passwd and /etc/shadow in order to fix the problem.
Granted, this is a machine that has been up for nearly six months now, and we have done a lot of nasty little things with authentication to it during that time, so a reboot is going to be in order as soon as we get a maintenance window.
Do not delete /etc/shadow.
In regards to UnSpawn's comment about how to use pwconv, I highly recommend that you avoid a fun Career Limiting Move and do NOT delete the current /etc/shadow file on a running production server, and then "recreate" it using pwconv. PWCONV will not recreate the old passwords, so all users, including root, will no longer be able to log in. If you manually manipulate /etc/passwd, simply run pwconv and it will bring in the new users, then run passwd <user> for each.
Nice. It kinda shows you shouldn't use age-old info as basis for your career moves. Thanks for correcting anyway, even though it resulted in resurrecting a dead thread in the process.