Sorry to get in late on the fun, but I ran into this problem myself and thought I'd post some advice.
I was trying to change the password of a local user (Centos 4.2, but that's irrelevant for the most part) when I encountered the error below:
[root@localhost ~]# passwd someuser
passwd: Authentication token manipulation error.
For me, the problem was caused entirely by the username in the password file being different from the username in the shadow file. Editing /etc/shadow's someuser entry to match the entry in /etc/passwd solved the problem.
WRT the above advice of editing the password file directly, in short, DON'T. That's pretty much what screwed me up. There's a couple utilities you should be made aware of that will make your life easier.
First up, the humble `passwd'
command. It changes passwords, 'nuf said.
Next up, `adduser'
. Use this to create users. Generally, the form of `adduser <username>' is usually enough. Use `passwd <username>' to then set the password. (see above.)
Next up, `usermod'
. Most of the time, people modify the passwd file to change a shell (usermod -s <shell> <username>), change a username (usermod -l <newusername> <oldusername>), or change group info (-G adds users to new groups, -g changes primary group).
. This tool changes the GECOS Fields in /etc/passwd for you, so you don't mess it up.
Lastly, should you for some sadistic reason desire to edit the passwd and shadow fields manually, at least use `vipw'
(for editing passwd) and `vigr'
(for editing groups). These tools will remind you to edit /etc/shadow and /etc/gshadow if need be.
WRT using the [un]shadow utilities, you should remember not to do that on a multi-user system while other users are logged in. Someone could VERY easily snarf your unprotected passwd file with all the hashes after running `pwunconv'. Remember, /etc/passwd HAS to be world readable, or most PAM modules and other authentication systems (NIS) fail.
Linuxconf is easier but u can still use /etc/passwd to add users.
pwconv creates /etc/shadow from /etc/passwd, replacing passwords with asterixes in /etc/passwd.
I think uve gotta rerun pwconv each time u *add* a user, Linuxconf tho will do the whole sequence by itself, at least I never had a prob with Linuxconf & shadow.
This is inaccurate. If shadow passwords are enabled (they are by default in Redhat based systems after about 1999, not sure about yours, use pwconf and grpconv to enable them!), then you needn't touch the shadow utilities at all if you use the proper utilities.
As for Linuxconf, stay far far away.
I heard a guy was FIRED from a place I worked at for editing the passwd file in pico. Long ago (eg: 6 years or so) there was a bug in pico that caused it to silently truncate files longer than 10,000 lines when it re-wrote them to disk. When this fellow was editing it on a system with 25,000+ users, he saved it not realizing what would happen, and trashed 15,000+ accounts.
p.s.: A colleague informed me that calling the above "the right way" is somewhat misleading. So let me clarify: unless you know exactly what you're doing, use the utilities provided to you by the OS. You'll be much better off until you learn the structure of /etc/passwd, /etc/shadow, and /etc/group.