LinuxQuestions.org
Old 05-04-2006, 10:16 AM   #1
jovie
Member
 
Registered: May 2006
Posts: 54

Rep: Reputation: 15
passwd:Authentication token manipulation error


Hi

There are lots of questions about this on the web but none of the answers seem to fit my situation.


No one on the system can change a password, not even root. The error is always "passwd: Authentication token manipulation error".
I'm not aware of having installed anything that could have caused this but it is a while since I had the need to change a password.
This is the only issue I've come across, I can adduser and deluser.
The file /etc/shadow exists.
The date stamp on /etc/pam.d/system-auth is 2003 so I don't think there has been a change in there.

How do I go about tracking down this error? Nothing I've read on the web has helped.

Thanks for any hints you can give me

Code:
[ann]$ su
Password:
[root]# useradd asdf
[root]# passwd asdf
Changing password for user asdf.
passwd: Authentication token manipulation error
[root]# ls -l /etc/shadow
-r--------    1 root     root         1317 May  4 14:46 /etc/shadow
[root]# ls -l /etc/passwd
-rw-r--r--    1 root     root         1921 May  4 14:46 /etc/passwd
[root]# ls -l /etc/group
-rw-r--r--    1 root     root          770 May  4 14:46 /etc/group
[root]# passwd root
Changing password for user root.
passwd: Authentication token manipulation error
[root]# ls -l /etc/pam.d/system-auth
-rw-r--r--    1 root     root          688 Sep  3  2003 /etc/pam.d/system-auth
[root]# more /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        required      /lib/security/$ISA/pam_deny.so
 
account     required      /lib/security/$ISA/pam_unix.so
 
password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/$ISA/pam_deny.so
 
session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
[root]#
 
Old 05-06-2006, 04:54 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,374
Blog Entries: 54

Rep: Reputation: 2872
What do your system logs (see /etc/syslog.conf) say? Your PAM file pam_cracklib.so line args read "retry=3 type=". Check what type should be set to as I can't imagine it can be empty like that. If that's not it then try to change a password running passwd through strace (haven't got a dev box right now to check) like "strace -v -o /tmp/passwd.strace passwd <someuser>". Look for clues ( egrep "(\-.1|ENO.*)$" /tmp/passwd.strace ). If that shows no clues then *reboot* and on boot drop to runlevel 1 and perform a system audit. If you post errors or loglines please be verbose and post *exact* ones.
 
Old 05-08-2006, 06:18 AM   #3
jovie
Member
 
Registered: May 2006
Posts: 54

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by unSpawn
What do your system logs (see /etc/syslog.conf) say?
Nothing in the logs relating to this error

Quote:
Originally Posted by unSpawn
Your PAM file pam_cracklib.so line args read "retry=3 type=".
This line on another system (that's working) read "retry=3" so I deleted the "type=" but it made no difference.

Quote:
Originally Posted by unSpawn
"strace -v -o /tmp/passwd.strace passwd <someuser>". Look for clues ( egrep "(\-.1|ENO.*)$" /tmp/passwd.strace ).
The egrep returned ...
Code:
access("/etc/suid-debug", F_OK)         = -1 ENOENT (No such file or directory)
open("/etc/ld.so.preload", O_RDONLY)    = -1 ENOENT (No such file or directory)
connect(3, {sa_family=AF_UNIX, path="/var/run/.nscd_socket"}, 110) = -1 ENOENT (No such file or directory)
which is the same as the working system but if I look through the file it ends like this (with the first 2 lines repeated many times)

Code:
open("/etc/.pwd.lock", O_WRONLY|O_CREAT, 0600) = -1 EACCES (Permission denied)
nanosleep({0, 1000000}, NULL)           = 0
open("/etc/.pwd.lock", O_WRONLY|O_CREAT, 0600) = -1 EACCES (Permission denied)
select(0, NULL, NULL, NULL, {2, 739930}) = 0 (Timeout)
write(2, "passwd: Authentication token man"..., 48) = 48
munmap(0x4001e000, 14572)               = 0
munmap(0x40134000, 97172)               = 0
munmap(0x40161000, 85184)               = 0
munmap(0x40022000, 32352)               = 0
munmap(0x40176000, 40128)               = 0
munmap(0x4014c000, 15304)               = 0
munmap(0x40018000, 14112)               = 0
munmap(0x4001c000, 6432)                = 0
munmap(0x40016000, 4096)                = 0
exit_group(1)                           = ?
I can change the permissions on /etc/.pwd.lock to 660 and I get
Code:
open("/etc/shadow", O_RDONLY)           = -1 EACCES (Permission denied)
then "chmod 440 /etc/shadow" and I can change passwords as root but not as a user because I'm left with...
Code:
rename("/etc/nshadow", "/etc/shadow")   = -1 EACCES (Permission denied)

BUT I'm not supposed to be changing these file permissions. Somehow the passwd command should be run by users but allow changes in root only files and it isn't working?

Quote:
Originally Posted by unSpawn
If that shows no clues then *reboot* and on boot drop to runlevel 1 and perform a system audit. If you post errors or loglines please be verbose and post *exact* ones.
Can you explain that? I can go to runlevel 1 ("/sbin/init 1") but don't know what to do when I get there.

Thanks
 
Old 05-10-2006, 01:46 AM   #4
jovie
Member
 
Registered: May 2006
Posts: 54

Original Poster
Rep: Reputation: 15
The answer to my error ...

NOTE it's the executable file not the text file, (mine are in /usr/bin/passwd and /etc/passwd)

Quote:
Originally Posted by RHELL
What are the permissions for passwd?
Thank you very much!

-r-s--x--x 1 ann ann 16336 Feb 13 2003 /usr/bin/passwd

So I changed the owner and group back to root and we're all go
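
The cause found in post #4 is a setuid /usr/bin/passwd owned by ann: the setuid bit makes the program run as its file owner, so even root's passwd ran as ann and got EACCES on /etc/.pwd.lock and /etc/shadow. The script below is an added example, not part of the thread, that checks setuid ownership from `ls -l` output; the function names are made up here and it assumes POSIX sh, awk and the usual `ls -l` column layout.

```shell
#!/bin/sh
# Added example (not from the thread): verify who owns a setuid program.

# suid_owner_verdict EXPECTED_OWNER
# Reads one `ls -l` line on stdin; prints not-setuid, ok, or mismatch:<owner>.
suid_owner_verdict() {
    awk -v want="$1" 'NR == 1 {
        # Character 4 of the mode string is the owner-execute slot;
        # "s" or "S" there means the setuid bit is set.
        flag = substr($1, 4, 1)
        if (flag != "s" && flag != "S") print "not-setuid"
        else if ($3 == want)            print "ok"
        else                            print "mismatch:" $3
    }'
}

# audit_setuid_owner EXPECTED_OWNER FILE...
# Prints one verdict per file; returns 1 if any setuid file has another owner.
audit_setuid_owner() {
    want=$1; shift
    rc=0
    for f in "$@"; do
        verdict=$(ls -ld -- "$f" 2>/dev/null | suid_owner_verdict "$want")
        printf '%s\t%s\n' "${verdict:-unreadable}" "$f"
        case $verdict in mismatch:*) rc=1 ;; esac
    done
    return "$rc"
}

# Listing quoted in post #4 of this thread.
PAGE_LINE='-r-s--x--x 1 ann ann 16336 Feb 13 2003 /usr/bin/passwd'
# Constructed: the same entry after owner and group are set back to root.
FIXED_LINE='-r-s--x--x 1 root root 16336 Feb 13 2003 /usr/bin/passwd'

printf '%s\n' "$PAGE_LINE"  | suid_owner_verdict root
printf '%s\n' "$FIXED_LINE" | suid_owner_verdict root
audit_setuid_owner root /usr/bin/passwd || echo "setuid owner mismatch found"
```

The same function can be pointed at every file returned by `find /usr/bin -perm -4000`, keeping in mind that some setuid programs are legitimately owned by an account other than root.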
 
  

