
I am currently running trusty (Ubuntu 14.04.3 LTS) with kernel version 3.13.0-65-generic.

As root I am not able to change a user's password:

root@server:~# passwd newuser
passwd: Authentication token manipulation error
passwd: password unchanged

I am also not able to change the password for the root account itself:

root@server:~# passwd
passwd: Authentication token manipulation error
passwd: password unchanged

I have been searching for a while. This is not an issue with / needing to be mounted read/write. The permissions on /etc/passwd and /etc/shadow are fine. I am able to manually change the password inside the /etc/shadow file and that works. But I need to understand why passwd is getting the error.

I think I need to dig deeper into /etc/pam.d/* but I am not sure where to start.

Any ideas would be greatly appreciated. Thanks!

UPDATED INFO:

  • There are no extraneous characters being passed on the command line.
  • This is currently the issue for all users, existing and new. I tried adding a new user with adduser and got the same error from the adduser script when it was supposed to ask me for the password.
Plazgoth
  • `passwd` is supposed to prompt you for the user's new password, and then repeat to verify. What you've pasted looks like you may be including extraneous characters after the username. Do you have a space after the username? Does /var/log/secure or /var/log/messages have any other clues? Does it only occur for this one user? If you create user2 does it happen for them? – Jeter-work Sep 15 '16 at 00:16
  • Thanks for the ideas. I updated the original question with some of the answers to your questions and will look at the logs you mentioned next. – Plazgoth Sep 15 '16 at 21:44
  • Maybe check your bash profile for aliases for password that are adding items? I don't know Ubuntu so I can't tell you where to look. On RHEL, it's `~/.bashrc` and `~/.bash_profile`. And if you don't have one it gives you `/etc/.bashrc` and `/etc/.bash_profile`. And don't forget, root's `~` is `/root/`, not `/user/username`. Also, try `sudo passwd username` with a user with sudoer's rights. – Jeter-work Sep 15 '16 at 21:51
  • Thanks for the suggestions. You can check for aliases with the alias command itself without searching through the startup scripts. Alias by itself gives the current user's aliases. I have also tried using sudo to no avail. Nothing interesting in the logs you mentioned either. – Plazgoth Sep 15 '16 at 22:00
  • Check ownership and permissions on the /etc/shadow file. If someone else is the owner and the 'other' bit doesn't include 'write', that could cause this. And it goes beyond my experience on how to troubleshoot it, but if the setuid bit for the passwd command is not set, or something is masking it, it would cause others to not be able to set passwd, but root still could. But root fails too. – Jeter-work Sep 15 '16 at 22:09
  • Also check this [question](http://superuser.com/questions/107386/trying-to-change-a-ubuntu-users-password-authentication-token-manipulation-err?rq=1), specifically the 2nd and 3rd answers. The 3rd one mentions /etc/passwd permissions, easy to check. The 2nd one links a site that tells how to t-shoot PAM. Be very careful and heed his advice about backing up files before you edit them, and having another admin shell open to do the restore if you need to. – Jeter-work Sep 15 '16 at 22:11
  • Checked permissions on /etc/shadow they look fine, like you said root is the owner. -rw-r----- 1 root shadow 1687 Sep 14 16:26 shadow – Plazgoth Sep 16 '16 at 16:26
  • The 2nd one does have a link to how to debug PAM but that link seems dead :( – Plazgoth Sep 16 '16 at 16:28
  • Let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/45477/discussion-between-plazgoth-and-xalorous). – Plazgoth Sep 16 '16 at 18:25

2 Answers


OK, I think I have it figured out. Digging into /etc/pam.d/* I enabled the debug and audit options for most of the common-* files. That did not help much other than to point me toward the pam_unix module:

passwd[45463]: pam_unix(passwd:chauthtok): username [root] obtained
passwd[45463]: pam_unix(passwd:chauthtok): username [root] obtained
passwd[45463]: pam_unix(passwd:chauthtok): password - new password not obtained

I started looking more closely at each of the options in common-password given to the pam_unix.so. The options I had were: obscure use_authtok try_first_pass sha512

Reading the man page for pam_unix I saw that use_authtok was related to changing the password, and it talked about using it after pam_cracklib. In my case there is no pam_cracklib, so I decided to try removing that option. That restored the passwd command's functionality fully.

I am not sure if a script had added that option or it was a default.

Thanks for all those who tried to provide ideas.

Plazgoth
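The check I would script for the condition this answer found, as an added example that is not part of the original answer or of Ubuntu's own tooling: it scans a PAM config's `password` stack for `pam_unix.so` carrying `use_authtok` with no earlier module (pam_cracklib.so, or its successor pam_pwquality.so, which the page does not mention) that could have supplied the new token. The sample stacks are constructed from the option list quoted above, not copied from the asker's system.

```shell
#!/bin/sh
# Added example: detect pam_unix.so use_authtok with nothing stacked before it
# to set the token, the cause of "password - new password not obtained".

check_use_authtok() {
    # $1: PAM config file (e.g. /etc/pam.d/common-password on Debian/Ubuntu).
    # Returns 0 when the password stack is consistent, 1 when pam_unix.so has
    # use_authtok but no preceding module could have supplied the token.
    awk '
        /^[ \t]*#/ || NF == 0 { next }               # comments and blank lines
        $1 != "password" { next }                    # only the password stack
        {
            line = $0
            sub(/^[ \t]*password[ \t]+/, "", line)               # drop type
            if (line ~ /^\[/) sub(/^\[[^]]*\][ \t]+/, "", line)   # [ctl=...]
            else sub(/^[^ \t]+[ \t]+/, "", line)                  # keyword ctl
            n = split(line, f)                   # f[1] module, f[2..n] options
            if (f[1] ~ /^pam_(cracklib|pwquality)\.so$/) provider = 1
            if (f[1] == "pam_unix.so")
                for (i = 2; i <= n; i++)
                    if (f[i] == "use_authtok" && !provider) bad = 1
        }
        END {
            if (bad) print FILENAME ": pam_unix.so has use_authtok but no earlier module sets the token"
            else     print FILENAME ": password stack is consistent"
            exit bad
        }
    ' "$1"
}

# Constructed sample stacks (tab-separated like the real Debian files).
broken_stack() {
    printf 'password\t[success=1 default=ignore]\tpam_unix.so obscure use_authtok try_first_pass sha512\n'
    printf 'password\trequisite\tpam_deny.so\n'
    printf 'password\trequired\tpam_permit.so\n'
}
fixed_stack() {
    broken_stack | sed 's/ use_authtok//'        # the fix from the answer
}
cracklib_stack() {
    printf 'password\trequisite\tpam_cracklib.so retry=3\n'   # legitimate use
    broken_stack
}

# Run the three cases; returns 0 when every verdict is as expected.
demo() {
    tmp=$(mktemp); rc=0
    broken_stack   > "$tmp"; check_use_authtok "$tmp" && rc=1
    fixed_stack    > "$tmp"; check_use_authtok "$tmp" || rc=1
    cracklib_stack > "$tmp"; check_use_authtok "$tmp" || rc=1
    rm -f "$tmp"; return $rc
}
```

Run `check_use_authtok /etc/pam.d/common-password` on a live system to check the real stack; `demo` exercises the three constructed cases.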

It seems the problem has to do with ecryptfs (the encrypted filesystem PAM module). When the user changes his password, the disk encryption passphrase has to be modified somehow. When this modification attempt fails, the whole password change process fails and is rolled back. See: https://bugs.launchpad.net/ecryptfs/+bug/1486470

DrNoone
  • Thanks for the suggestion. In the common-* files ecryptfs was set as optional, not required, so I went ahead and commented it out. That got the WARNING to stop showing up in /var/log/auth.log. However, this did not fix the problem of the passwd command not working. At this point even logged in as root I can't run the passwd command to change the root password. – Plazgoth Sep 16 '16 at 16:19