You may get an error, such as Authentication Token Manipulation Error, while trying to change passwords for a user. For example:
#passwd user
Authentication Token Manipulation Error
#
Authentication Token Manipulation Error
#
This error is being produced because you are using shadowed password files and the shadow doesn’t have entry for this user. i.e, /etc/passwd has an entry for this user, but /etc/shadow doesn’t.
In order to resolve this, you can either add the entry manually or recreate the shadow file. You can use pwconv to recreate the shadow file. See the manpage for more details on this.
Mohammedz.com 
February 6, 2008 at 3:50 pm
Here is another situation where I noticed this error. I was using PAM and the command “chage -d 0 username” to force the user “username” to change his/her password at his first log on. Actually, what I am going to mention here is *not* an error, but a mistake from my side.
When you use PAM and the above command it will ask for the present password twice. First one as usual, and second time when you are being forced for the password change. When I entered the first one correctly and the second one wrongly, I got this error.
[abdurahiman@239 ~]$ ssh test1@192.168.1.40
test1@192.168.1.40‘s password:
You are required to change your password immediately (root enforced)
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user test1.
Changing password for test1
(current) UNIX password:
passwd: Authentication token manipulation error
Connection to 192.168.1.40 closed.
[abdurahiman@239 ~]$
You won’t get this error if you enter the password carefully ;).
Regards,
Mohammed.
November 17, 2013 at 2:17 am
Any idea how to rectify the above error. I am trying to do ssh to another server. but got the same above error
December 14, 2013 at 1:43 pm
Can you be specific with the error and the steps you have followed to solve it? This page it has different solutions from multiple users which can help you to solve your problem.
March 27, 2008 at 9:49 am
hi, i am sujit,
plz check the /etc/pam.d/system-auth there
only check password lines and that line alos write main word
“remember=5” this write after md5 shadow word
then you can change the password of root or any normal user
July 28, 2009 at 11:00 pm
Thank you!!! solved my exact problem.
Pingback: Matthieu/ergosteur's new blog » Blog Archive » Freeing the PBX - SOS! Ask me!
October 21, 2011 at 10:27 pm
how to use pwconv ??
May 18, 2012 at 3:12 am
cd /etc/
pwconv
it will make /etc/shadow file
August 12, 2012 at 1:54 am
hi sorry to bother you i got a problem and stummbled on you post hoping you may be abe to help me
i bought a laptop off someone onebay (bad idea ) its running ubuntu 11.10 the problem is this
he bought it from someone that had a password to use it and guy i bought it from doesnt have password i have been going on sites and got directions to reset it i got down to enter new password entered it curser dosent move but i hit enter and then retype password ht enter and i get this passwd authentication token maniplation error passwd unchanged so did more checking which led me here to you today ( this is a big proble becouse i cant install or even change the time on the clock with out a password)
i have seen all the different things on this page now if i wanted to try any of them foexample this one cd /etc/
pwconv(just as an example ) is all this done in the drop to root shell prompt or do i have to go to a nother site unfortitly i reall dont know much about this system only heard about it when i turned this laptop on aslo is there a way i can just get rid of the password all to gether in other word laptop boots up an i am on whhich would bee so much less work any way thanks for time hope to hear from you if not sorry to have bothered you with my problem thanks ed
August 13, 2012 at 10:24 am
can you logon to the system with as any user (root or normal user)? If yes, check if the / filesystem is at 100% (you can use df command). Then check if /etc/passwd and /etc/shadow files exist. If any of them doesn’t exist, you can use pwconv or pwunconv (check manpage for more details)
If your problem is that you don’t have the ROOT password, you can logon to the system in single user mode (which doesn’t ask for root password), and then reset the root password.
If you need more help, please let me know the correct situation. I couldn’t get it from your last comment.
July 23, 2018 at 4:32 pm
Hi
i have created user in domain and some days it was ok that i was able to login by any user on the system.
But currently i am not able to login by any user on the system
June 27, 2013 at 11:33 am
Thankx worked for me!!!!!!
December 17, 2009 at 12:23 am
Works like a charm. thank you sir!!
Shane Miller
January 26, 2010 at 10:27 pm
Saved my day. Thank you.
April 7, 2010 at 12:01 am
Hi, I think my problem is different. And I’m not able to solve it as you describe.
I have followed a how-to in ubuntu karmic 9.10 to authenticate users with openldap and after this everything related with ldap+samba works great but I cannot change normal users passwords nor create new ones and set their password.
If you have a tip for this, let me know please.
Regards,
Pablo Alonso
May 4, 2010 at 7:41 pm
Sometimes work with update libpam-runtime package
Thanks for you help.
Greetings.
May 21, 2010 at 12:15 pm
Thanks – solved my problem!!
June 1, 2010 at 2:08 pm
Ok…. after searching for over an hour and trying different solutions, including what is listed in this nice blog entry… here is what worked for me.
The important thing to realize is that the error reporting mechanism is buggy: lots of different situations lead to this error message, each with their own reasons. This is why there are so many replies on the net saying “Here’s what to do…”.
The way to isolate your particular problem is the following:
1. Open a terminal window as root, and run “tail -f /var/log/auth.log”. This is absolutely critical, as PAM might give your answer right there.
2. Try to change the password, or try to login remotely using “ssh -l theuserinquestion localhost”. You should see activity in the logfile that you are watching using tail.
Now the next step is entirely situation specific: your problem may vary from mine. In my case, I found out that I had greedily downloaded a whole bunch of packages onto my machine (Ubuntu 10.04), and some of those packages related to authentication (LDAP, Kerberos, Winbind). But I only wanted Unix authentication… and there’s the problem. And watching auth.log made it clear: the system was trying to authenticate first off of LDAP and so on.
For me, the fix was to run a program called “pam-auth-update” which presents a nice single screen asking you “Hey dude, what do you want to use to authenticate?”… just choose Unix and deselect LDAP, Kerberos, and Winbind, and I was set.
Again, YOUR particular problem might be different – for example, maybe you DO want LDAP, but in your LDAP server you don’t have that user set up properly… so then YOUR solution is different. Hopefully, you get the picture now, and have a general way to solve the problem.
Mohammed, I don’t have a blog, so I just picked you since your blog was the second hit for the error message on Google, and I’m too lazy to register in the forums.
As-salaaaaaaaaaaaaaaamu alaikum.
November 15, 2011 at 10:45 am
Ahmed, THANK YOU for your excellent writeup, you saved me from a sleepless night.
February 11, 2013 at 10:32 am
AWESOME!! THe PAM-AUTH-UPDATE was the Answer!! THanks!!
June 3, 2010 at 1:25 pm
va alaikum salam…
Thanks for your detailed comment, Ahmed. Of course, it’ll help other visitors to my blog.
~mohammed
July 14, 2010 at 1:38 am
Ahmed,
thanks that helped figure out my issue, turns out I had to add the user with smbpasswd -a
sAj
Pingback: matthieu.yiptong.ca » Rooting the PBX
September 20, 2010 at 6:12 am
1. take backup of /etc/shadow
2. change the readonly /etc/shadow to write for root
chmod 700 /etc/shadow
3. Add a dummy line related to that user
4. save it and change the /etc/shadow write to read only
chmod 400 /etc/shadow
this should do that job.
October 22, 2010 at 1:45 pm
Ahmed,
Many thanks for your post.
I had the same niggle on my deverlopment system and was just ignorng it.
However as i am now deploying it i thought that i better sort it out, and after a quick google, found your post and checked the log (Why didn’t i think of that?) realised the same, my system was trying to LDAP/AD authenticate through likewise.
A quick ‘pam-auth-update’ disabling likewise and ldap fixed my problem
Many thanks!
Tim
December 14, 2010 at 7:59 pm
Cheers Ahmed,
after several days of struggling I came across your post about the “pam-auth-update” program which happened to fix the bugger in zero-point-nothing :^)
I’m happy again.
By the way, it seems, that a software called 2xclient caused all of my problems. Upon installation it altered several pam.d files and didn’t even leave the backups behind, although it injected comments into the new configs, that it had done so :^)
And that software didn’t even work for me lol.
Cheers again!
Max
December 27, 2010 at 7:20 pm
my error was:
100% /
disk full!
empty the disk, passwd works
January 3, 2011 at 3:28 am
@Ahmed
For me the fix was also “pam-auth-update” and just selected unix auth option, I disabled the pam-sss section, cause I didn’t really needed it.
I have also tried before to manually override the configuration file in /etc/pam.d/common-password but with no success.
So thanks, you just made my day ( it’s 11:58 PM ) :))
Ubuntu 10.10 32 bit edition
May 31, 2011 at 11:45 pm
This is not resolve the problem for me. I’m using Kerberos.
Pingback: Passwd: Authentication token manipulation error | chrisspenblog
September 24, 2011 at 4:30 pm
hello thank for your help.
i have a same error but i resolved with your help.
September 30, 2011 at 11:24 am
pam-auth-update worked for me
September 30, 2011 at 6:08 pm
“pam-auth-update” it’s the answer!!!!! thanks a lot!
October 4, 2011 at 4:42 pm
If you got this error;
Changing password for user
Kerberos 5 Password: passwd: Authentication token manipulation error
You are using Kerberos authentication, please use command ‘kpasswd’.
It works perfectly. Unix native ‘passwd’ command will not work here.
October 25, 2011 at 3:33 am
for me was just that someone had deleted the /etc/pam.d/passwd file, just copied it from another server and then could change the passwords of any user, for me the file looks like:
#%PAM-1.0
auth include system-auth
account include system-auth
password include system-auth
November 23, 2011 at 8:24 am
Thanks buddy
August 8, 2012 at 11:12 am
any individual have any info?
November 8, 2012 at 4:51 pm
I do not even know how I ended up here, but I thought this submit was once great. I don’t realize who you’re but definitely you’re going to a famous blogger if you happen to are not already. Cheers!
April 7, 2014 at 7:33 am
its working and Thanks making my day esay!