passwd:Authentication token manipulation error

jovie · 05-04-2006, 10:16 AM

Hi

There are lots of questions about this on the web but none of the answers seem fit my situation.

No one on the system can change a password, not even root. The error is always "passwd: Authentication token manipulation error".
I'm not aware of having installed anything that could have caused this but it is a while since I had the need to change a password.
This is the only issue I've come accross, I can adduser and deluser.
The file /etc/shadow exists.
The date stamp on /etc/pam.d/system-auth is 2003 so I don't think there has been a change in there.

How do I go about tracking down this error? Nothing I've read on the web has helped.

Thanks for any hits you can give me

Code:

[ann]$ su
Password:
[root]# useradd asdf
[root]# passwd asdf
Changing password for user asdf.
passwd: Authentication token manipulation error
[root]# ls -l /etc/shadow
-r--------    1 root     root         1317 May  4 14:46 /etc/shadow
[root]# ls -l /etc/passwd
-rw-r--r--    1 root     root         1921 May  4 14:46 /etc/passwd
[root]# ls -l /etc/group
-rw-r--r--    1 root     root          770 May  4 14:46 /etc/group
[root]# passwd root
Changing password for user root.
passwd: Authentication token manipulation error
[root]# ls -l /etc/pam.d/system-auth
-rw-r--r--    1 root     root          688 Sep  3  2003 /etc/pam.d/system-auth
[root]# more /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        required      /lib/security/$ISA/pam_deny.so
 
account     required      /lib/security/$ISA/pam_unix.so
 
password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/$ISA/pam_deny.so
 
session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
[root]#

unSpawn · 05-06-2006, 04:54 AM

What do your system logs (see /etc/syslog.conf) say? Your PAM file pam_cracklib.so line args read "retry=3 type=". Check what type should be set to as I can't imagine it can be empy like that. If that's not it then try to change a password running passwd through strace (haven't got a dev box right now to check) like "strace -v -o /tmp/passwd.strace passwd <someuser>". Look for clues ( egrep "(\-.1|ENO.*)$" /tmp/passwd.strace ). If that shows no clues then *reboot* and on boot drop to runlevel 1 and perform a system audit. If you post errors or loglines please be verbose and post *exact* ones.

jovie · 05-08-2006, 06:18 AM

Quote:

Originally Posted by unSpawn

What do your system logs (see /etc/syslog.conf) say?

Nothing in the logs relating to this error

Quote:

Originally Posted by unSpawn

Your PAM file pam_cracklib.so line args read "retry=3 type=".

This line on another system (that's working) read "retry=3" so I deleted the "type=" but it made no difference.

Quote:

Originally Posted by unSpawn

"strace -v -o /tmp/passwd.strace passwd <someuser>". Look for clues ( egrep "(\-.1|ENO.*)$" /tmp/passwd.strace ).

The egrep returned ...

Code:

access("/etc/suid-debug", F_OK)         = -1 ENOENT (No such file or directory)
open("/etc/ld.so.preload", O_RDONLY)    = -1 ENOENT (No such file or directory)
connect(3, {sa_family=AF_UNIX, path="/var/run/.nscd_socket"}, 110) = -1 ENOENT (No such file or directory)

which is the same as the working system but if I look through the file it ends like this (with the first 2 lines repeated many times)

Code:

open("/etc/.pwd.lock", O_WRONLY|O_CREAT, 0600) = -1 EACCES (Permission denied)
nanosleep({0, 1000000}, NULL)           = 0
open("/etc/.pwd.lock", O_WRONLY|O_CREAT, 0600) = -1 EACCES (Permission denied)
select(0, NULL, NULL, NULL, {2, 739930}) = 0 (Timeout)
write(2, "passwd: Authentication token man"..., 48) = 48
munmap(0x4001e000, 14572)               = 0
munmap(0x40134000, 97172)               = 0
munmap(0x40161000, 85184)               = 0
munmap(0x40022000, 32352)               = 0
munmap(0x40176000, 40128)               = 0
munmap(0x4014c000, 15304)               = 0
munmap(0x40018000, 14112)               = 0
munmap(0x4001c000, 6432)                = 0
munmap(0x40016000, 4096)                = 0
exit_group(1)                           = ?

I can change the permissions on /etc/.pwd.lock to 660 and I get

Code:

open("/etc/shadow", O_RDONLY)           = -1 EACCES (Permission denied)

then "chmod 440 /etc/shadow" and I can change passwords as root but not as a user because I'm left with...

Code:

rename("/etc/nshadow", "/etc/shadow")   = -1 EACCES (Permission denied)

BUT I'm not suposed to be changing thses file permissions. Somehow the passwd command should be run by users but allow changes in root only files and it isn't working?

Quote:

Originally Posted by unSpawn

If that shows no clues then *reboot* and on boot drop to runlevel 1 and perform a system audit. If you post errors or loglines please be verbose and post *exact* ones.

Can you explain that? I can go to runlevel 1 ("/sbin/init 1") but don't know what to do when I get there.

Thanks

jovie · 05-10-2006, 01:46 AM

The answer to my error ...

NOTE it's the executable file not the text file, (mine are in /usr/bin/passwd and /etc/passwd)

Quote:

Originally Posted by RHELL

What are the permissions for passwd?

Thank you very much!

-r-s--x--x 1 ann ann 16336 Feb 13 2003 /usr/bin/passwd

So I changed the owner and group back to root and we're all go