Gentoo Forums
passwd: Authentication token manipulation error [SOLVED!]

gcrew
Tux's lil' helper

Joined: 22 Feb 2005
Posts: 82
Location: Poughkeepsie, NY

Posted: Wed Feb 23, 2005 8:53 pm

I haven't seen any postings with this error for the last three years (in English) so I figured I'd bring it up.

Code:

me@mymachine me $ passwd
passwd: Authentication token manipulation error
me@mymachine me $ smbpasswd
Old SMB password:
New SMB password:
Retype new SMB password:
Password changed for user me


I saw this exact code snippet in a Russian posting, but alas I haven't learned Russian yet so I gained nothing.

My guess is that there is some sort of conflict between smb and regular passwords. Anyone have any suggestions?

Geoff


Last edited by gcrew on Fri Feb 25, 2005 7:22 pm; edited 1 time in total

adaptr
Watchman

Joined: 06 Oct 2002
Posts: 6730
Location: Rotterdam, Netherlands

Posted: Wed Feb 23, 2005 9:37 pm

There is no relation between samba passwords and the system password database.
Changing one does not affect the other; showing that you can still change a samba password when passwd itself fails proves nothing: if passwd fails then it fails ;-)

If you get this error then the most likely cause is that the user you are trying to change the password for is missing or wrongly entered in the shadow file.

Compare /etc/passwd and /etc/shadow to check:

Code:
grep me /etc/passwd
grep me /etc/shadow

_________________
>>> emerge (3 of 7) mcse/70-293 to /
Essential tools: gentoolkit eix profuse screen

gcrew
Tux's lil' helper

Joined: 22 Feb 2005
Posts: 82
Location: Poughkeepsie, NY

Posted: Wed Feb 23, 2005 9:56 pm

The user is in both /etc/passwd and /etc/shadow.

Does the access to /etc/shadow matter? Currently mine is set to 600. I also tried 644, but that didn't fix it.

I swear you can change your samba password to be the same as your regular password. I could be wrong.

By the way, I also get some errors to my system log about PAM:
Code:

Feb 23 16:53:01 host su[20605]: PAM pam_putenv: delete non-existent entry; REMOTEHOST
Feb 23 16:53:01 host PAM-env[20605]: Unknown PAM_ITEM: <DISPLAY>
Feb 23 16:53:01 host su[20605]: PAM pam_putenv: delete non-existent entry; DISPLAY
Feb 23 16:53:01 host PAM-env[20605]: Unknown PAM_ITEM: <XAUTHORITY>
Feb 23 16:53:01 host su[20605]: PAM pam_putenv: delete non-existent entry; XAUTHORITY

I'd love to know what those are.

Geoff

adaptr
Watchman

Joined: 06 Oct 2002
Posts: 6730
Location: Rotterdam, Netherlands

Posted: Wed Feb 23, 2005 10:30 pm

The PAM stuff is related to remote X access; nothing to worry about, they're just some defaults, everybody gets them.

Perhaps I was not sufficiently clear earlier: for one, the entry in /etc/passwd must contain only a lower-case 'x' in the password field; nothing more, nothing less.
The shadow file has either the MD5 hash of the password or an exclamation mark (when the password is not set).

If you edit these by hand you must make sure the information makes sense to passwd.

I'm sure you can set your smb password to your unix password, but that does not explain why the unix password would malfunction - as I said, they are not related.
_________________
>>> emerge (3 of 7) mcse/70-293 to /
Essential tools: gentoolkit eix profuse screen
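
Added example, not part of the thread: the comparison suggested in the two replies above, written as a Python check that reports whether an account is present in both files, whether the passwd password field is exactly `x`, and what kind of value the shadow field holds. The sample files and the helper names (`parse`, `shadow_state`, `check_user`) are constructed for illustration, and the hashes are placeholders.

```python
"""Cross-check one account's passwd and shadow entries (added example)."""

# Constructed sample files; the hashes are placeholders, not real crypt output.
SAMPLE_PASSWD = """\
me:x:1000:100::/home/me:/bin/bash
alice:X:1001:100::/home/alice:/bin/bash
bob:x:1002:100::/home/bob:/bin/bash
carol:x:1003:100::/home/carol:/bin/bash
"""
SAMPLE_SHADOW = """\
me:$1$placehold$constructedplaceholder00:12826:0:99999:7:::
alice:$1$placehold$constructedplaceholder01:12826:0:99999:7:::
carol:!:12826:0:99999:7:::
"""


def parse(text, nfields):
    """Map login name -> fields; lines with the wrong field count are skipped,
    so a wrongly entered account shows up as missing."""
    entries = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == nfields:
            entries[fields[0]] = fields
    return entries


def shadow_state(field):
    """Classify the password field (second field) of a shadow entry."""
    if field == "":
        return "empty"
    if field[0] in "!*":
        return "locked-or-unset"
    if field.startswith("$1$"):
        return "md5-crypt"
    return "other-hash"


def check_user(user, passwd_text, shadow_text):
    """Return (shadow state or None, list of inconsistencies) for `user`."""
    passwd = parse(passwd_text, 7)
    shadow = parse(shadow_text, 9)
    if user not in passwd:
        return None, ["no passwd entry"]
    problems = []
    if passwd[user][1] != "x":
        problems.append("passwd field 2 is %r, not 'x'" % passwd[user][1])
    if user not in shadow:
        return None, problems + ["no shadow entry"]
    return shadow_state(shadow[user][1]), problems
```

On a live system, pass the contents of `/etc/passwd` and `/etc/shadow` (the latter is readable only by root) instead of the sample strings.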

gcrew
Tux's lil' helper

Joined: 22 Feb 2005
Posts: 82
Location: Poughkeepsie, NY

Posted: Wed Feb 23, 2005 11:07 pm

/etc/passwd:
Code:

me:x:1000:100::/home/me:/bin/bash

/etc/shadow:
Code:

me:$asd;flkjal;fj;lfalsf.:12826:0:99999:7:::


I replaced my hash with garbage.

Geoff

adaptr
Watchman

Joined: 06 Oct 2002
Posts: 6730
Location: Rotterdam, Netherlands

Posted: Thu Feb 24, 2005 7:58 pm

Did you recently upgrade PAM?
If you could post some of the relevant bits of the PAM config (login, system auth) that might be helpful.
_________________
>>> emerge (3 of 7) mcse/70-293 to /
Essential tools: gentoolkit eix profuse screen

gcrew
Tux's lil' helper

Joined: 22 Feb 2005
Posts: 82
Location: Poughkeepsie, NY

Posted: Fri Feb 25, 2005 1:32 am

My system was a brand new install from scratch a week or two ago.

/etc/pam.d/system-auth
Code:

#%PAM-1.0

auth       required     /lib/security/pam_env.so
auth       sufficient   /lib/security/pam_unix.so likeauth nullok
auth       required     /lib/security/pam_deny.so

account    required     /lib/security/pam_unix.so

password   required     /lib/security/pam_cracklib.so retry=3
password   sufficient   /lib/security/pam_unix.so nullok md5 shadow use_authtok
password   required     /lib/security/pam_deny.so

session    required     /lib/security/pam_limits.so
session    required     /lib/security/pam_unix.so

# If you want to enable pam_console, uncomment the following line
# and read carefully README.pam_console in /usr/share/doc/pam*
#session    optional    /lib/security/pam_console.so


/etc/pam.d/login
Code:

#%PAM-1.0

auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so

account    required     /lib/security/pam_stack.so service=system-auth

password   required     /lib/security/pam_stack.so service=system-auth

session    required     /lib/security/pam_stack.so service=system-auth
session    optional     /lib/security/pam_console.so


/etc/passwd
Code:

#%PAM-1.0

auth       required     /lib/security/pam_stack.so service=system-auth

account    required     /lib/security/pam_stack.so service=system-auth

password   required     /lib/security/pam_stack.so service=system-auth


I actually was thinking the pam configuration may have something to do with my problem before you mentioned it, but I have no clue how to read this stuff.

I tried changing all the required control-flags to optional in passwd and then I got the following:
Code:

passwd: Permission denied


This seems promising. The permissions for /bin/passwd are 711. I tried 755, but that didn't change the above message so I switched it back.

Thanks again for your help.

Geoff

bone
Apprentice

Joined: 07 Jun 2002
Posts: 255
Location: Midwest, USA

Posted: Fri Feb 25, 2005 2:11 am

gcrew wrote:

I actually was thinking the pam configuration may have something to do with my problem before you mentioned it, but I have no clue how to read this stuff.

I tried changing all the required control-flags to optional in passwd and then I got the following:
Code:

passwd: Permission denied


This seems promising. The permissions for /bin/passwd are 711. I tried 755, but that didn't change the above message so I switched it back.

Thanks again for your help.
Geoff


First of all, change all of the required control-flags back to what they were in your /etc/pam.d/passwd.
Second, give us an ls -alr on /bin/passwd as you're not showing us all of what we need to know.


jt

gcrew
Tux's lil' helper

Joined: 22 Feb 2005
Posts: 82
Location: Poughkeepsie, NY

Posted: Fri Feb 25, 2005 2:31 am

I only changed /etc/pam.d/passwd temporarily. I put it back how it was, which is what I show above.

/bin/passwd is also exactly as it was installed. Here's the ls -al
Code:

-rwx--x--x  1 root root 33784 Feb 12 01:21 /bin/passwd


Geoff

bone
Apprentice

Joined: 07 Jun 2002
Posts: 255
Location: Midwest, USA

Posted: Fri Feb 25, 2005 2:49 am

gcrew wrote:
I only changed /etc/pam.d/passwd temporarily. I put it back how it was, which is what I show above.

/bin/passwd is also exactly as it was installed. Here's the ls -al
Code:

-rwx--x--x  1 root root 33784 Feb 12 01:21 /bin/passwd


Geoff


And there lies your problem most likely. I bet you can change your password if you're root. And to go a step further, I suggest that when you attempt to secure a box by removing all setuid bits that you know what you are doing first. /bin/passwd and /bin/login need their setuid bits on to work properly. chmod u+s /bin/passwd and it should again work.

jt
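
Added example, not part of the thread: a Python audit for the condition described in the reply above, a binary that needs the setuid bit and a root owner but has lost one of them. The paths come from the thread; the function names and status strings are this example's own.

```python
"""Audit the setuid bit and owner of privilege-changing binaries (added example)."""
import os
import stat

# Paths named in this thread; other systems may install them elsewhere.
DEFAULT_PATHS = ("/bin/passwd", "/bin/login")


def classify(mode, uid, expected_uid=0):
    """Classify a file from its st_mode and st_uid values."""
    if not stat.S_ISREG(mode):
        return "not-a-regular-file"
    # Only S_ISUID counts here; the sticky bit (S_ISVTX) is a different bit.
    if not mode & stat.S_ISUID:
        return "no-setuid"            # runs with the caller's own uid
    if uid != expected_uid:
        return "setuid-wrong-owner"   # would switch to the wrong account
    if not mode & stat.S_IXOTH:
        return "setuid-not-world-executable"
    return "setuid-ok"


def audit(paths=DEFAULT_PATHS, expected_uid=0):
    """Return {path: (mode string, status)}; absent files get (None, 'missing')."""
    report = {}
    for path in paths:
        try:
            st = os.stat(path)
        except OSError:
            report[path] = (None, "missing")
            continue
        status = classify(st.st_mode, st.st_uid, expected_uid)
        report[path] = (stat.filemode(st.st_mode), status)
    return report


if __name__ == "__main__":
    for path, (mode, status) in audit().items():
        print("%-14s %-11s %s" % (path, mode, status))
```

The mode `-rwx--x--x` with owner root, as in the listing quoted above, classifies as `no-setuid`; after `chmod u+s` the same file shows `-rws--x--x` and classifies as `setuid-ok`.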

bone
Apprentice

Joined: 07 Jun 2002
Posts: 255
Location: Midwest, USA

Posted: Fri Feb 25, 2005 2:55 am

I might even go as far as to say that since you were mucking around with your /etc/pam.d files, that you go ahead and do an emerge baselayout again, and update all the files back to their original settings.


jt

gcrew
Tux's lil' helper

Joined: 22 Feb 2005
Posts: 82
Location: Poughkeepsie, NY

Posted: Fri Feb 25, 2005 7:21 pm

Finally, it works. I'll go through the steps on how I got it working.

First I tried setting the sticky bit on /bin/passwd.

This didn't change anything so I changed it back.

I looked at the code for PAM and figured out that only passwords can return a PAM_AUTHTOK_ERR, and when they do, it gives the message I was seeing.

This made it very clear that there was a problem in my PAM configuration.

I tried copying my system-auth file to passwd.

I removed the account and session sections because I knew the password section is what was causing the problem.

Next I commented out the final required pam_deny section.

This allowed me to run passwd. It ran and prompted for a new password twice. After that it said my password was changed.

My password had not changed. This reminded me of the problem I had with su when I installed. When I installed su, I typed the correct root password, but I couldn't get access. I fixed this by adding the s bit to su.

I now tried adding the s bit back to passwd. Now it prompted me for my old password then twice for a new password. When done, it said my password had changed. This time, it had changed.

Not being satisfied with just getting it working, I wanted to figure out why it wasn't working in the first place.

I put back the pam_deny section, and that didn't break it. I also put back the session, and account sections from system-auth and that didn't break it. Finally, I restored the original passwd file and it still wasn't broken.

I don't know what the problem was. I do know something was wrong with PAM because that's what my error came from. I also know I needed an s bit on /bin/passwd because otherwise it doesn't function correctly. I hope this helps if anyone else has this problem.

Finally,

bone wrote:
I might even go as far as to say that since you were mucking around with your /etc/pam.d files, that you go ahead and do an emerge baselayout again, and update all the files back to their original settings.


jt


This post and your previous post seem to assume that I am "mucking" around with stuff I don't understand. I find this to be rather accusatory, and honestly, rather offensive. Switching permissions on files and temporarily changing ascii files will rarely cause irreparable problems. Since this is completely software based (as opposed to hardware configuration), I would go so far as to say it could not possibly cause irreparable harm.

All files except the s bit on passwd are EXACTLY as they were installed on my machine by portage starting with stage1.

I was getting a PAM error while running a PAM function. baselayout has nothing to do with this, and to me seems rather extreme of a solution.

Perhaps I am reading too much into your tone, and I'm completely off base but I would just like to ask that you try to be patient and positive if you are going to try to help people. Also remember that just because it says n00b in the upper corner that doesn't mean I haven't been using Linux actively for almost five years.

With that being said I do want to extend my grateful thanks for your help.

Geoff
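
Added example, not part of the thread: a simplified Python model of how Linux-PAM combines the results of the modules in the `password` stack quoted earlier, using the documented meaning of `required`, `requisite`, `sufficient` and `optional`. The per-module outcomes are assumed inputs (in particular, that `pam_unix.so` fails when `passwd` runs without setuid root), and the model collapses the two passes the real library makes over a password stack into one. Under those assumptions a failing `sufficient` module is ignored, so a stack with the `pam_deny.so` line commented out reports success even though nothing was written, which is consistent with the "password changed" message described in the post above.

```python
"""Simplified model of how Linux-PAM combines module results in one stack."""

# Lines copied from the /etc/pam.d/system-auth quoted in this thread.
SYSTEM_AUTH = """\
#%PAM-1.0
auth       required     /lib/security/pam_env.so
password   required     /lib/security/pam_cracklib.so retry=3
password   sufficient   /lib/security/pam_unix.so nullok md5 shadow use_authtok
password   required     /lib/security/pam_deny.so
session    required     /lib/security/pam_limits.so
"""


def parse_stack(config, mgmt_type):
    """Return [(control, module)] for one management group, skipping comments."""
    stack = []
    for line in config.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == mgmt_type:
            stack.append((fields[1], fields[2].rsplit("/", 1)[-1]))
    return stack


def evaluate(stack, outcome):
    """Combine per-module outcomes (module name -> bool) into one verdict."""
    # Only required, requisite, sufficient and optional are modelled.
    failed = False     # a required or requisite module has failed
    succeeded = False  # at least one module has contributed a success
    for control, module in stack:
        ok = outcome[module]
        if control in ("required", "requisite"):
            succeeded = succeeded or ok
            failed = failed or not ok
            if control == "requisite" and not ok:
                break  # a requisite failure ends the stack at once
        elif control == "sufficient":
            if ok and not failed:
                return True  # stack ends here; later modules never run
            # a failing sufficient module is ignored
        elif control == "optional":
            succeeded = succeeded or ok
    return succeeded and not failed


def without(stack, module):
    """The same stack with one module's line commented out."""
    return [entry for entry in stack if entry[1] != module]


# Assumed outcomes: cracklib accepts the new password, pam_unix cannot write
# the shadow file (passwd running without setuid root), pam_deny always fails.
NO_SETUID = {"pam_cracklib.so": True, "pam_unix.so": False, "pam_deny.so": False}
WITH_SETUID = {**NO_SETUID, "pam_unix.so": True}
```

With `stack = parse_stack(SYSTEM_AUTH, "password")`, `evaluate(stack, NO_SETUID)` fails, `evaluate(without(stack, "pam_deny.so"), NO_SETUID)` succeeds, and `evaluate(stack, WITH_SETUID)` succeeds at `pam_unix.so` without ever reaching `pam_deny.so`.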

bone
Apprentice

Joined: 07 Jun 2002
Posts: 255
Location: Midwest, USA

Posted: Fri Feb 25, 2005 8:52 pm

gcrew wrote:

bone wrote:
I might even go as far as to say that since you were mucking around with your /etc/pam.d files, that you go ahead and do an emerge baselayout again, and update all the files back to their original settings.

jt


This post and your previous post seem to assume that I am "mucking" around with stuff I don't understand. I find this to be rather accusatory, and honestly, rather offensive. Switching permissions on files and temporarily changing ascii files will rarely cause irreparable problems. Since this is completely software based (as opposed to hardware configuration), I would go so far as to say it could not possibly cause irreparable harm.

All files except the s bit on passwd are EXACTLY as they were installed on my machine by portage starting with stage1.

I was getting a PAM error while running a PAM function. baselayout has nothing to do with this, and to me seems rather extreme of a solution.

Perhaps I am reading too much into your tone, and I'm completely off base but I would just like to ask that you try to be patient and positive if you are going to try to help people. Also remember that just because it says n00b in the upper corner that doesn't mean I haven't been using Linux actively for almost five years.

With that being said I do want to extend my grateful thanks for your help.

Geoff


I didn't mean to come off offensive to you, and actually rereading your post, I do see a mistake that I made and that you picked up on. I actually did not mean to reemerge baselayout, but instead pam. By mucking I meant that you had stated that you had changed around a few of the requires to optionals in the pam.d files. I myself had done this before, and if not done with caution, people (in all the experiences I have had) tend to change things a few times and forget what the original state of the files was. This is why I suggested reemerging pam, so that everything would be back as normal. Again I did come off arrogant in stating that whoever attempted to secure the box went a little bit overboard, but I have seen many servers broken because of this same type of situation. In the days before ssh, when telnet and rsh were the de facto standard, I had seen many servers disabled by removing the setuid bit from /bin/login.

Entirely glad that you finally got everything working though. Have a good one.


jt

ReD-BaRoN
Apprentice

Joined: 06 Feb 2004
Posts: 208

Posted: Tue Mar 01, 2005 3:48 pm

gcrew,

Thanks for posting this, as it helped me fix my problem. The setuid bit was on my passwd already, but copying system-auth over and commenting out the deny line seemed to do the trick for me.

Too bad this doesn't work out of the box, since I never played with any of this stuff either. Maybe it's samba, since that's the only other thing that I run that messes with PAM. Do you run samba?

gcrew
Tux's lil' helper

Joined: 22 Feb 2005
Posts: 82
Location: Poughkeepsie, NY

Posted: Wed Mar 02, 2005 6:40 pm

Glad to be of help. It makes life feel a little more worthwhile when others can learn from my stupidity.

I do have samba. I think I installed samba before using passwd. Perhaps there is some sort of race-like problem? I also was playing with unix password sync and having problems.

https://forums.gentoo.org/viewtopic.php?p=2138897

Did you try doing as I did and retracing your pam settings back to the beginning to see where the problem was? I ended up uncommenting the pam_deny and finally restoring the old passwd file without having any more problems.

Geoff

ReD-BaRoN
Apprentice

Joined: 06 Feb 2004
Posts: 208

Posted: Wed Mar 02, 2005 8:14 pm

I'm going to try and set the stuff back and see what happens later tonight. I didn't at the time because I had to get a user up and running pretty quickly.

Given that everyone doesn't have this problem indicates to me that something we added (like samba) in our systems had to cause this. I'd think that samba is common enough, however, for this to be a more common problem for people, so maybe it's not samba, I don't know. I too installed samba before using passwd (as a user at least, passwd always worked at root).

As an aside, I see you're from Po-town. I was born and raised in Newburgh. Small world I guess :).

Maedhros
Bodhisattva

Joined: 14 Apr 2004
Posts: 5511
Location: Durham, UK

Posted: Tue Aug 02, 2005 7:39 am

Moved from Networking & Security to Duplicate Threads in favour of https://forums.gentoo.org/viewtopic-t-25206.html
_________________
No-one's more important than the earthworm.