Pam Chauthtok Error 20
PAM password change failed, pam error 20
http://www.unix.com/suse/230399-pam-password-change-failed-pam-error-20-a.html
#1 07-10-2013 scabarrus

Hi,

I use software which can create accounts on many systems or applications. One of the resources managed by this software is a SUSE Linux Enterprise Server 10 (x86_64), patch level 3, server. This application, which is an IBM application, uses ssh to launch commands to create accounts in the context defined in it. I have some problems managing this server, and the application displays an error of the kind "Can not set the password useradd fail". I have displayed the log /var/log/messages, which you will find below:

Quote:
Jul 10 13:49:26 infra-041 sshd[8694]: Accepted keyboard-interactive/pam for itim from 10.70.10.50 port 2651 ssh2
Jul 10 13:49:26 infra-041 sudo: itim : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/sbin/useradd -u 1192 FRY9AN94
Jul 10 13:49:26 infra-041 useradd[8715]: new account added - account=FRY9AN94, uid=1192, gid=100, home=/home/FRY9AN94, shell=/bin/bash, by=0
Jul 10 13:49:26 infra-041 useradd[8715]: account added to group - account=FRY9AN94, group=video, gid=33, by=0
Jul 10 13:49:26 infra-041 useradd[8715]: account added to group - account=FRY9AN94, group=dialout, gid=16, by=0
Jul 10 13:49:26 infra-041 useradd[8715]: running USERADD_CMD command - script=/usr/sbin/useradd.local, account=FRY9AN94, uid=1192, gid=100, home=/home/FRY9AN94, by=0
Jul 10 13:49:27 infra-041 sshd[8717]: Accepted keyboard-interactive/pam for itim from 10.70.10.50 port 2652 ssh2
Jul 10 13:49:27 infra-041 sudo: itim : TTY=pts/4 ; PWD=/ ; USER=root ; COMMAND=/usr/bin/passwd FRY9AN94
Jul 10 13:49:27 infra-041 passwd[8722]: pam_unix2(passwd:chauthtok): conversation failed
Jul 10 13:49:27

passwd: Authentication token manipulation error
https://lists.fedorahosted.org/pipermail/sssd-users/2013-May/000718.html

Sorry about the weird line endings in my first email. Here is the same with the line endings fixed.

I'm having an issue with password resets which I'm sorry to say I haven't been able to figure out by google search or searching the mailing list archives. I tried to make my sssd configuration as minimal as possible following the doc on the wiki about authenticating to 2008 AD server (see [3] below) and I used the keytab method and instead of editing PAM files I ran authconfig because I'm on Red Hat.

When I switch (su - bryan.harris.adm) to my AD user and run passwd, it allows me to type both old authentication token and new passwords. Right away it says "Password change failed." Then after about 2 seconds it says "passwd: Authentication token manipulation error" on a new line.

I found [1] and [2] below which seem similar to my issue. I have played a bit with my PAM options, but to no avail.

Can anyone tell me what I'm doing wrong? I can post the huge log messages, I just didn't want the email to get too large straight away.

[1] - https://bugs.launchpad.net/ubuntu/+source/libpam-krb5/+bug/826989
[2] - https://lists.fedorahosted.org/pipermail/sssd-users/2012-July/000041.html
[3] - https://fedorahosted.org/sssd/wiki/Configuring%20sssd%20to%20authenticate%20with%20a%20Windows%202008%20Domain%20Server

RHEL 6.4
pam-1.1.1-13
sssd-1.9.2-82

--- first off here is what I added to the my.great.domain zone in BIND ---
_ldap._tcp 1D IN SRV 0 100 389 dc01
_ldap._tcp 1D IN SRV 0 100 389 dc02
_kerberos._tcp 1D IN SRV 0 100 88 dc01
_kerberos._tcp 1D IN SRV 0 100 88 dc02
_kpasswd._tcp 1D IN SRV 0 100 464 dc01
_kpasswd._tcp 1D IN SRV 0 100 464 dc02
_kerberos._udp 1D IN SRV 0 100 88 dc01
_kerberos._udp 1D IN SRV 0 100 88 dc02
_kpasswd._udp 1D IN SRV 0 100 464 dc01
_kpasswd._udp 1D IN SRV 0 100 464 dc02

The rest of the files below are on linux-server.

--- /etc/pam.d/system-auth ---
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth sufficient pam_krb5.so use_first_pass
auth required

https://www.redhat.com/archives/pam-list/2006-March/msg00017.html
Date: Mon, 27 Mar 2006 16:24:54 +0200

Hello,

I've got the following situation: The 6000 accounts of our eMail-server are stored in /etc/passwd resp. /etc/shadow. To change their passwords, the users use a ssh-session. The only object of the ssh-session is to change a user's password, therefore the loginshell is /usr/bin/passwd. To avoid attacks on the ssh-daemon, we only want a separate web-server with a little php-web-page to open the ssh-session.

I use apache/php with a php-module called php-ssh2 and a library called libssh2 to establish the ssh-session. This works fine, until it comes to the point, where the old password is sent to /usr/bin/passwd. I get the following screen in /var/log/messages:

sshd[]: pam_unix2: pam_sm_authenticate() called
sshd[]: pam_unix2: username=[dummy]
sshd[]: pam_unix2: pam_sm_authenticate: PAM_SUCCESS
sshd[]: pam_unix2: pam_sm_acct_mgmt() called
sshd[]: pam_unix2: username=[dummy]
sshd[]: pam_unix2: expire() returned with 0
sshd[]: Accepted password for dummy from 192.168.136.50 port 6235 ssh2
sshd[]: pam_unix2: session started for user dummy, service sshd
sshd[]: pam_unix2: pam_sm_setcred() called
sshd[]: pam_unix2: username=[dummy]
sshd[]: pam_unix2: pam_sm_setcred: PAM_SUCCES
-passwd[]: pam_unix2: pam_sm_chauthtok() called
-passwd[]: pam_unix2: username=[dummy]
sshd[]: pam_unix2: pam_sm_setcred() called
sshd[]: pam_unix2: username=[dummy]
sshd[]: pam_unix2: pam_sm_setcred: PAM_SUCCESS
sshd[]: pam_unix2: session finished for user dummy, service sshd
-passwd[]: pam_unix2: pam_sm_chauthtok() called
-passwd[]: pam_unix2: username=[dummy]
-passwd[]: User dummy: Authentication token manipulation error
-passwd[]: password change failed, pam error 20 - account=dummy, uid=1000, by=1000

If I use some other tools like gnu-ssh or putty, it all works very well. Is there a difference between the two methods gnu-ssh and PHP-script, which /usr/bin/passwd recognizes, e.g. keyboard-interactive vs. tunneled-cleartext?

I think of this, because I had to change some settings in /etc/ssh/sshd-config, to enable tunneled-cleartext authentication:

PasswordAuthentication yes

Enabling or disabling the following in sshd-config has no effect:

ChallengeResponseAuthentication no
UsePAM yes

What does that mean: 'Authentication token manipulati