-   Linux - Security (
-   -   Authentication Token Manipulation Error (

manfernandez 05-26-2001 08:01 PM

Good day,

I am new to Linux. I have purchased a book "Linux Network Servers 24Seven" There is chapter that says how to create a user via the passwd file:

1. pico /etc/passwd
2. add a user name: manny::503:503:Manny Fernandez:/home/manny:/bin/bash
3. Create a home dir : mkdir /home/manny
4. Copy the contents of /etc/skel
5. Change ownership: chown manny:users /home/manny
6. Change password: passwd manny

When I do step 6, I get an error "Authentication Token Manipulation Error" if I use Linuxconf it works fine, but I would like to learn the hard way so that when I use the "Helper Apps" I know what it is actually doing.


unSpawn 05-27-2001 05:15 PM

if u are running shadowed passwords it might be theres no entry for this user. make a backup of /etc/shadow, delete /etc/shadow and convert /etc/passwd using pwconvert.
same goes for /etc/groups.

manfernandez 05-27-2001 05:24 PM


I have a question about your response though. When I am using shadowed passwords, can I still create a user from the passwd file or should I use the linuxconf?

Does that pwconvert, somehow pull the passwd file and allow me to apply a password to the users that are in the passwd file?



unSpawn 05-27-2001 06:52 PM

Linuxconf is easier but u can still use /etc/passwd to add users.
pwconv creates /etc/shadow from /etc/passwd, replacing passwords with asterixes in /etc/passwd.
I think uve gotta rerun pwconv each time u *add* a user, Linuxconf tho will do the whole sequence by itself, at least I never had a prob with Linuxconf & shadow.

manfernandez 05-27-2001 07:13 PM

Thank you!

raz 05-29-2001 12:31 PM

Manfernandez here's an example to read:

1. echo "manny:x:503:503:Manny Fernandez:/home/manny:/bin/bash" >> /etc/passwd
2. echo "manny::11302:0:99999:7:::" >> /etc/shadow
3. mkdir /home/manny
4. chown 503 /home/manny
5. chmod 700 /home/manny
6. passwd manny


theShadowSearcher 08-30-2005 10:16 AM

If using NIS, you MUST remember to update the NIS domain's authentication files by executing the make command in the /var/yp directory.
Otherwise, you will not login anymore until you restart the machine and make some contingency process.

Garlic Overtone 03-14-2006 04:00 PM

Late response

Sorry to get in late on the fun, but I ran into this problem myself and thought I'd post some advice.

I was trying to change the password of a local user (Centos 4.2, but that's irrelevant for the most part) when I encountered the error below:

[root@localhost ~]# passwd someuser
passwd: Authentication token manipulation error.

For me, the problem was caused entirely by the username in the password file being different from the username in the shadow file. Editing /etc/shadow's someuser entry to match the entry in /etc/passwd solved the problem.

WRT the above advice of editing the password file directly, in short, DON'T. That's pretty much what screwed me up. There's a couple utilities you should be made aware of that will make your life easier.

First up, the humble `passwd' command. It changes passwords, 'nuf said.

Next up, `adduser'. Use this to create users. Generally, the form of `adduser <username>' is usually enough. Use `passwd <username>' to then set the password. (see above.)

Next up, `usermod'. Most of the time, people modify the passwd file to change a shell (usermod -s <shell> <username>), change a username (usermod -l <newusername> <oldusername>), or change group info (-G adds users to new groups, -g changes primary group).

Next, `chfn'. This tool changes the GECOS Fields in /etc/passwd for you, so you don't mess it up.

Lastly, should you for some sadistic reason desire to edit the passwd and shadow fields manually, at least use `vipw' (for editing passwd) and `vigr' (for editing groups). These tools will remind you to edit /etc/shadow and /etc/gshadow if need be.

WRT using the [un]shadow utilities, you should remember not to do that on a multi-user system while other users are logged in. Someone could VERY easily snarf your unprotected passwd file with all the hashes after running `pwunconv'. Remember, /etc/passwd HAS to be world readable, or most PAM modules and other authentication systems (NIS) fail.


Linuxconf is easier but u can still use /etc/passwd to add users.
pwconv creates /etc/shadow from /etc/passwd, replacing passwords with asterixes in /etc/passwd.
I think uve gotta rerun pwconv each time u *add* a user, Linuxconf tho will do the whole sequence by itself, at least I never had a prob with Linuxconf & shadow.
This is inaccurate. If shadow passwords are enabled (they are by default in Redhat based systems after about 1999, not sure about yours, use pwconf and grpconv to enable them!), then you needn't touch the shadow utilities at all if you use the proper utilities.

As for Linuxconf, stay far far away.


pico /etc/passwd
I heard a guy was FIRED from a place I worked at for editing the passwd file in pico. Long ago (eg: 6 years or so) there was a bug in pico that caused it to silently truncate files longer than 10,000 lines when it re-wrote them to disk. When this fellow was editing it on a system with 25,000+ users, he saved it not realizing what would happen, and trashed 15,000+ accounts.


-- G4rlic

p.s.: A colleague informed me that calling the above "the right way" is somewhat misleading. So let me clarify: unless you know exactly what you're doing, use the utilities provided to you by the OS. You'll be much better off until you learn the structure of /etc/passwd, /etc/shadow, and /etc/group.

Wells 12-14-2006 10:36 AM

This is kind of sad, but I have recently run into this problem as well. In my case, it was a system which was using LDAP for authentication, and appears to be very confused now.

In the end, I had to cat all of the passwd and shadow entries in LDAP into /etc/passwd and /etc/shadow in order to fix the problem.

Granted, this is a machine that has been up for nearly six months now, and we have done a lot of nasty little things with authentication to it during that time, so a reboot is going to be in order as soon as we get a maintenance window.

Golan Trevize 06-06-2008 12:00 PM

Do not delete /etc/shadow.
In regards to UnSpawn's comment about how to use pwconv, I highly recommend that you avoid a fun Career Limiting Move and do NOT delete the current /etc/shadow file on a running production server, and then "recreate" it using pwconv. PWCONV will not recreate the old passwords, so all users, including root, will no longer be able to login. If you manually manipulate /etc/passwd, simply run pwconv and it will bring in the new users, then run passwd <user> for each.

unSpawn 06-06-2008 12:49 PM

Nice. It kinda shows you shouldn't use age-old nfo as basis for your career moves. Thanks for correcting anyway, even though it resulted in resurrecting a dead thread in the process.

All times are GMT -5. The time now is 11:15 AM.