Pam_krb5 Passwd Authentication Token Manipulation Error
passwd: Authentication token manipulation error

Sorry about the weird line endings in my first email. Here is the same with the line endings fixed. I'm having an issue with password resets which I'm sorry to say I haven't been able to
figure out by google search or searching the mailing list archives. I tried to make my sssd configuration as minimal as
possible following the doc on the wiki about authenticating to 2008 AD server (see [3] below) and I used the keytab method and instead of editing PAM files I ran authconfig because I'm on Red Hat.
When I switch (su - bryan.harris.adm) to my AD user and run passwd, it allows me to type both old and new passwords. Right away it says "Password change failed." Then after about 2 seconds it says "passwd: Authentication token manipulation error" on a new line. I found [1] and [2] below which seem similar to my issue. I have played a bit with my PAM options, but to no avail. Can anyone tell me what I'm doing wrong? I can post the huge log messages, I just didn't want the email to get too large straight away.

[1] - https://bugs.launchpad.net/ubuntu/+source/libpam-krb5/+bug/826989
[2] - https://lists.fedorahosted.org/pipermail/sssd-users/2012-July/000041.html
[3] - https://fedorahosted.org/sssd/wiki/Configuring%20sssd%20to%20authenticate%20with%20a%20Windows%202008%20Domain%20Server

RHEL 6.4
pam-1.1.1-13
sssd-1.9.2-82

--- first off here is what I added to the my.great.domain zone in BIND ---
_ldap._tcp      1D IN SRV 0 100 389 dc01
_ldap._tcp      1D IN SRV 0 100 389 dc02
_kerberos._tcp  1D IN SRV 0 100 88 dc01
_kerberos._tcp  1D IN SRV 0 100 88 dc02
_kpasswd._tcp   1D IN SRV 0 100 464 dc01
_kpasswd._tcp   1D IN SRV 0 100 464 dc02
_kerberos._udp  1D IN SRV 0 100 88 dc01
_kerberos._udp  1D IN SRV 0 100 88 dc02
_kpasswd._udp   1D IN SRV 0 100 464 dc01
_kpasswd._udp   1D IN SRV 0 100 464 dc02

The rest of the files below are on linux-server.

--- /etc/pam.d/system-auth ---
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authc
https://lists.fedorahosted.org/pipermail/sssd-users/2013-May/000718.html

https://bugs.launchpad.net/bugs/570944
Affecting: samba (Ubuntu)
Filed here by: gmoore777
When: 2010-04-27
Confirmed: 2010-06-17
Status: Triaged
Importance: Medium
Assigned to: Unassigned

Bug Description

Binary package hint: samba

`passwd` for ActiveDirectory account gives "Authentication token manipulation error"

I have latest and greatest of LucidLynx updates.
winbind 2:3.4.7~dfsg-1ubuntu3
samba 2:3.4.7~dfsg-1ubuntu3

I have ActiveDirectory integration with Samba/Winbind. (not Likewise-Open)
Logging into Console window or `ssh`-ing into machine works fine using DOMAIN\first.last account names.
Trying to change password with the `passwd` program:

$ passwd
Changing password for DOMAIN\first.last
(current) NT password:
passwd: Authentication token manipulation error
passwd: password unchanged
$

In the /var/log/auth.log file I get this output in conjunction with the above passwd attempt:

pam_unix(passwd:chauthtok): user "DOMAIN\first.last" does not exist in /etc/passwd
passwd[16109]: pam_winbind(passwd:chauthtok): getting password (0x0000002a)
passwd[16109]: pam_winbind(passwd:chauthtok): user 'DOMAIN\first.last' granted access
passwd[16109]: pam_unix(passwd:chauthtok): user "DOMAIN\first.last" does not exist in /etc/passwd
passwd[16109]: pam_winbind(passwd:chauthtok): getting password (0x00000012)

I don't see anything particularly wrong with that output, other than it seems to stop prematurely.

This is my default-created /etc/pam.d/common-password file:

password [success=2 default=ignore] pam_unix.so obscure sha512
password [success=1 default=ignore] pam_winbind.so use_authtok try_first_pass
password requisite pam_deny.so
password required pam_permit.so
password optional pam_gnome_keyring.so

I've Googled for "Authentication token manipulation error", but most cases involve local Linux
http://serverfault.com/questions/571347/change-local-password-as-root-after-configuring-for-ms-ad-kerberosldap
https://lists.samba.org/archive/samba/2010-January/153170.html

Change local password as root after configuring for MS-AD Kerberos+LDAP

I have followed this excellent post to configure Kerberos + LDAP: http://koo.fi/blog/2013/01/06/ubuntu-12-04-active-directory-authentication/

However, there are some local users used for services. When I try to change the password for one of those, as root, it asks for Kerberos current password then exits:

passwd service1
Current Kerberos password: (I hit enter)
Current Kerberos password: (I hit enter)
passwd: Authentication token manipulation error
passwd: password unchanged

If I switch to the local user and do passwd, it asks once for Kerberos then reverts to local:

$ passwd
Current Kerberos password:
Changing password for service1.
(current) UNIX password:

My configuration is similar to the site I posted above, and everything works fine, I just can't change the local users' passwords as root. Thanks in advance for any help.
3.8.0-29-generic #42~precise1-Ubuntu

Update 1 2013-01-31:

cat /etc/pam.d/common-auth
auth [success=3 default=ignore] pam_krb5.so minimum_uid=1000
auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass
auth [success=1 default=ignore] pam_ldap.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.so

cat /etc/pam.d/common-password
password [success=3 default=ignore] pam_krb5.so minimum_uid=1000
password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
p
Hi Masao,

I have essentially the same setup as you (ltsp, AD, Winbind). My users are able to change their passwords with the 'passwd' command. Here's the contents of /etc/pam.d/common-password file

password sufficient pam_winbind.so
password required pam_unix.so nullok obscure min=4 max=8 md5

Hth,
John

On Wed, Jan 20, 2010 at 11:22 AM, Masao Garcia