2

I am currently running trusty (Ubuntu 14.04.3 LTS) with kernel version 3.13.0-65-generic.

As root I am not able to change a user's password:

    root@server:~# passwd newuser
    passwd: Authentication token manipulation error
    passwd: password unchanged

I am also not able to change the password for the root account itself:

    root@server:~# passwd
    passwd: Authentication token manipulation error
    passwd: password unchanged

I have been searching for a while. This is not an issue with / needing to be mounted as r/w. The permissions on /etc/passwd and /etc/shadow are fine. I am able to manually change the password inside the /etc/shadow file and that works. But I need to understand why passwd is getting the error.

I think I need to dig deeper into /etc/pam.d/* but I am not sure where to start.

Any ideas would be greatly appreciated. Thanks!

UPDATED INFO:

  • There are no extraneous characters being passed on the command line.
  • This is currently the issue for all users, existing and new. I tried adding a new user with adduser and got the same error from the adduser script when it was supposed to ask me for the password.
Plazgoth
  • 130

2 Answers

1

Ok I think I have it figured out. Digging into /etc/pam.d/* I enabled debug and audit options for most common-* files. That did not help much other than to point me toward the pam_unix module:

    passwd[45463]: pam_unix(passwd:chauthtok): username [root] obtained
    passwd[45463]: pam_unix(passwd:chauthtok): username [root] obtained
    passwd[45463]: pam_unix(passwd:chauthtok): password - new password not obtained

I started looking more closely at each of the options in common-password given to pam_unix.so. The options I had were: obscure use_authtok try_first_pass sha512

Reading the man page for pam_unix I saw that use_authtok was related to changing the password. And it talked about using it after pam_cracklib. In my case there is no pam_cracklib so I decided to try and remove that option. That restored the passwd command's functionality fully.

I am not sure if a script had added that option or it was a default.

Thanks to all those who tried to provide ideas.

Plazgoth
  • 130
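
A check for the condition this answer describes, as an added example that is not part of the original post: it scans a PAM password stack for an entry that carries use_authtok although no earlier password entry would have prompted for the new password. The sample stacks are constructed, the set of modules treated as prompting is an assumption, and the name orphaned_use_authtok is hypothetical; jump controls such as success=1 are not evaluated.

```python
import re

# Assumption: these modules prompt for the new password unless they are
# themselves given use_authtok.
PROMPTERS = {"pam_cracklib.so", "pam_pwquality.so", "pam_passwdqc.so", "pam_unix.so"}

# Fields: type, control (one word or a [bracketed list]), module path, arguments.
ENTRY = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def orphaned_use_authtok(config_text):
    """Return (line_no, module) for each password entry that has use_authtok
    while no earlier password entry could have set the new token."""
    findings = []
    token_set = False
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        match = ENTRY.match(raw.split("#", 1)[0].strip())
        if not match or match.group(1) != "password":
            continue  # comments, blank lines, @include and other stack types
        module = match.group(3).rsplit("/", 1)[-1]
        args = match.group(4).split()
        if "use_authtok" in args:
            if not token_set:
                findings.append((line_no, module))
        elif module in PROMPTERS:
            token_set = True  # this entry asks the user for the new password
    return findings


# Constructed sample stacks, modelled on the options quoted in the answer.
BROKEN = """\
# common-password (constructed sample)
password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
password requisite pam_deny.so
password required pam_permit.so
"""
FIXED = BROKEN.replace(" use_authtok", "")
WITH_CRACKLIB = """\
# common-password with a quality module first (constructed sample)
password requisite pam_cracklib.so retry=3 minlen=8 difok=3
password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
"""

if __name__ == "__main__":
    for name, text in (("broken", BROKEN), ("fixed", FIXED), ("cracklib", WITH_CRACKLIB)):
        print(name, orphaned_use_authtok(text))
```
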
0

It seems the problem has to do with ecryptfs (the encrypted filesystem PAM module). When the user changes his password, the disk encryption passphrase has to be modified somehow. When this modification attempt fails, the whole password change process fails and is rolled back. See: https://bugs.launchpad.net/ecryptfs/+bug/1486470

DrNoone
  • 1,662