passwd: Authentication token manipulation error

Hi,

When a user tries to change his/her password you get the following error : passwd: Authentication token manipulation error. I am running SLES 11.2 on S390X. Any ideas how to get past this problem.

This is what the /etc/passwd file looks like (Extract that shows the user account that tries to change password)
[FONT=Arial Black]
venumadhavp:x:5400:5008:venumadhavp:/home/venumadhavp:/bin/bash[/FONT]

The /etc/shadow file (Extract that shows the user account that tries to change password)[FONT=Arial Black][/FONT]:

venumadhavp:$2y$10$Z4F7wZOsPL2g/YtKpcC2YuVa.eT2P6nPJfXxda35ZNbzi.3FQCiJC:15769:7:32:7:::

Any help will be appreciated.
Regards,
Kobus

Hi Kobus,

how are the persissions set up for

• /etc/passwd
• /etc/shadow
• /usr/bin/passwd?

Has that user been (or are other users) able to change the password? If it “worked once”, were there any changes to the installation (OS updates, changing user authentication to/from LDAP/NIS/…)?

Regards,
Jens

Hi Jens,

-rw-r–r-- 1 root root 1692 Mar 5 14:26 passwd
-rw------- 1 root root 1242 Mar 5 14:26 shadow
-rwsr-xr-x 1 root shadow 90176 Feb 1 2012 passwd*

This is a new server. We had to apply certain changes to the rights of certain files (our friends the auditors require that)

Regards,
Kobus

I have also done a chage -l. The output for that user id is as follow:

Minimum: 7
Maximum: 32
Warning: 7
Inactive: -1
Last Change: Mar 05, 2013
Password Expires: Apr 06, 2013
Password Inactive: Never
Account Expires: Never

Sorry to reply in drips and drabs. What happened was that yesterday as root I changed the user’s password. I requested that he change his password after he log on (for security reasons, I do not want to know his password) He could sighn on but could not change his password because of this error.

If I look in /var/log/messages the following error can be seen:

Mar 6 08:25:33 d0043 passwd[21002]: User venumadhavp: Authentication token manipulation error
Mar 6 08:25:33 d0043 passwd[21002]: password change failed, pam error 20 - account=venumadhavp, uid=5400, by=5400

Hi Kobus,

while these permissions look ok to me, something obviously broke.

Coming from the programming side of things, my next step would be to strace the user’s invocation of “passwd” and look for errors opening/reading files. Whether that’s a path you’d like to walk or not, I cannot say.

Alternatively, you could try to revert the permission changes you made at the request of your auditors and check which one broke “passwd”.

The error you receive could be caused by settings the PAM modules, too… any changes/restrictions you added in that area?

Regards,
Jens

Hi Jens,

Thanks for helping me to try and find the problem. I missed something very obvious. Luckily SUSE tech support pointed it out to me (I opened an SR and they were very quick to respond). I unlocked and changed the user id as root. I then asked the user to sign on and change his password. That gave the token manipulation error. What I missed, if you look at the chage -l output is the Minimum: 7. What this means is that the user may not change his password within 7 days. I just set it to 0 and the user was able to change his password. Thanks again for looking into this problem. Sometimes the error messages can be a bit confusing.

Regards,
Kobus

Hi Kobus,

thanks a lot for reporting back the root cause, this will be helpful both for me and for others.

Up to your feedback I had thought that the minimum lifetime applied to user-initiated changes only - there’s something new to learn every day…

Regards,
Jens