Getting an "Authentication token manipulation" error when trying to change my user password

Do these two things just to make sure:

mount -o remount,rw /

This first part remounts the root partition as read/write since it was only in read mode. It actually dismounts the root partition and then mounts it again as read/write.

Then do this:

chmod 640 /etc/shadow

Then do the sudo passwd USER. It should work after that. This part gives the correct permissions to the shadow file.

If you insert the wrong passwd

$ passwd
Changing password for rinzwind.
(current) UNIX password: 
passwd: Authentication token manipulation error
passwd: password unchanged

you get this error. If you are sure that you inserted the correct one, this error might also show up if you are using shadowed password files and the shadow doesn’t have an entry for this user (basically/etc/passwd has an entry for this user, but /etc/shadow does not).

In order to fix this, you can either add the entry manually (make a backup first!!!) or recreate the shadow file with pwconv (Manpage).

pam-auth-update

fixed my messed /etc/pam.d/common-password

I'm not sure how it happened. A sudo user created my account then deleted it then created it again.

Here is what I found

mount -o remount,rw /
passwd
passwd: Authentication token manipulation error

No change.

sudo pwck

Showed no errors.

sudo grpck

Showed no errors.

ls -l /etc/passwd /etc/group /etc/shadow /etc/shadow-
-rw-r--r-- 1 root root    767 May  7 16:45 /etc/group
-rw-r--r-- 1 root root   1380 May  7 16:45 /etc/passwd
-rw-r----- 1 root shadow 1025 May  8 09:11 /etc/shadow
-rw------- 1 root root   1025 May  7 16:46 /etc/shadow-

Looks normal.

sudo cat /etc/shadow |grep oracle
oracle:$6$FsPqyplr$DrIvjFDSx0ipHmECMw1AU5hTrbNMnnkGRdFlaQcM.p3Rdu2OLjY20tzUTW61HlFH16cal56rKlLuW4j2mK9D.:15833:0:99999:7:::

Showed user and encrypted password.

sudo cat /etc/shadow- |grep oracle

Showed nothing. Not sure what that means but doesn't look right.

sudo passwd -d oracle
passwd

So the solution was to delete the password then reset new password.

Hope this helps.

Another problem might be that the disk is full. I got this error when resetting a password, and later checked my disks with df and found that no space is available on my disk. After freeing some I could reset the password without problems.

This issue occurred due to the incorrect permissions set to /usr/bin/passwd.

Please try to set the permission as 4511 by using the command:

chmod 4511 /usr/bin/passwd

This will resolve the issue.

If you are using SELinux, running this command fixed the issue for me.

restorecon -v /etc/shadow

Thanks to this conversation for the solution.

Check if you have messed up the common-password file in /etc/pam.d/. This will cause errors if your present password does not match the one that common-password wants. In my case this was the reason why I was getting that authentication token error.

Also, ensure that your entry in /etc/passwd is not mal-formed. If you have the incorrect number of colons in the line for your user entry, the 'passwd' command cannot parse it and refuses to continue with the exact error message provided.

The error says that the PAM module (see: man pam_chauthtok) was unable to obtain the new authentication token. This may happen on Ubuntu when the user doesn't have default password set yet and passwd is still requesting it, so the workaround is to change the password using root privileges, e.g.

sudo passwd $USER

so you won't be asked for the current password and the error won't happen.

See also: Authentication token manipulation error